Author: cctrieloff
Date: Fri Aug  1 06:40:56 2008
New Revision: 681690

URL: http://svn.apache.org/viewvc?rev=681690&view=rev
Log:

- Add support for ACL on message transfer
- Performance optimizations for ACL on message transfer


Modified:
    incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp
    incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h
    incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SessionAdapter.cpp

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp?rev=681690&r1=681689&r2=681690&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.cpp Fri Aug  1 06:40:56 2008
@@ -34,7 +34,7 @@
 
 using namespace std;
 
-   Acl::Acl (AclValues& av, broker::Broker& b): aclValues(av), broker(&b)
+   Acl::Acl (AclValues& av, broker::Broker& b): aclValues(av), broker(&b), 
transferAcl(false)
    {
        if (!readAclFile()) throw Exception("Could not read ACL file");
           QPID_LOG(info, "ACL Plugin loaded");
@@ -76,6 +76,24 @@
       // add real ACL check here... 
       AclResult aclreslt = ALLOWLOG;  // hack to test, set based on real 
decision.
          
+         
+         return result(aclreslt, id, action, objType, name); 
+   }
+
+   bool Acl::authorise(std::string id, acl::Action action, acl::ObjectType 
objType, std::string ExchangeName, std::string /*RoutingKey*/)
+   {
+      if (aclValues.noEnforce) return true;
+   
+      // add real ACL check here... 
+      AclResult aclreslt = ALLOWLOG;  // hack to test, set based on real 
decision.
+         
+         
+         return result(aclreslt, id, action, objType, ExchangeName); 
+   }
+
+   
+   bool Acl::result(AclResult aclreslt, std::string id, acl::Action action, 
acl::ObjectType objType, std::string name)
+   {
          switch (aclreslt)
          {
          case ALLOWLOG:
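Review bot: The new transfer overload at `Acl::authorise(... std::string ExchangeName, std::string /*RoutingKey*/)` never reads its routing key and hard-codes `AclResult aclreslt = ALLOWLOG;`, so every PUBLISH and BIND request reaching it is allowed and merely logged, and the callers in SemanticState.cpp and SessionAdapter.cpp (which previously passed the key as the `RKEY` params entry) lose the routing-key input entirely. If this is a deliberate placeholder until the rule engine lands, say so where a reader will see it, e.g. `// TODO: routing key not yet matched; ALLOWLOG is a stub, not an enforcement decision.`, so the log line is not mistaken for a real check. The unconditional `return false;` after the switch in `Acl::result` is the right fail-closed shape to keep when the real decision is added. `Acl::result` starts in this hunk and continues past it.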
@@ -89,12 +107,13 @@
              QPID_LOG(info, "ACL Deny id:" << id << " action:" << 
printAction(action) << " ObjectType:" << printObjType(objType) << " Name:" << 
name);  
              return false;
          }
-   
       return false;  
    }
-   
+      
    bool Acl::readAclFile()
    {
+      // only set transferAcl = true if a rule implies the use of ACL on 
transfer, else keep false for permormance reasons.
+   
    
       return true;
    }
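Review bot: `Acl::readAclFile()` still only returns true and never assigns `transferAcl`, so `doTransferAcl()` reports the constructor's `false` and the transfer check added in SemanticState::route is skipped for every message; the new comment describes intent rather than what the function does. Until rules are actually parsed, the comment should state that, e.g. `// TODO: transferAcl is not set yet, so transfer ACL is currently always off.`, and `permormance` should read `performance`. Since the commit log announces transfer ACL support, a reader of this function is the one most likely to be misled about what is enforced.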

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h?rev=681690&r1=681689&r2=681690&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/acl/Acl.h Fri Aug  1 06:40:56 2008
@@ -48,22 +48,28 @@
 class Acl : public broker::AclModule, public RefCounted 
 {
 
+private:
+   acl::AclValues aclValues;
+   broker::Broker* broker;
+   bool transferAcl;
+
+
 public:
    Acl (AclValues& av, broker::Broker& b);
 
    void initialize();
    
-   virtual bool authorise(std::string id, acl::Action action, acl::ObjectType 
objType, std::string name, std::map<std::string, std::string>* params);
+   inline virtual bool doTransferAcl() {return transferAcl;};
+   
    // create specilied authorise methods for cases that need faster matching 
as needed.
+   virtual bool authorise(std::string id, acl::Action action, acl::ObjectType 
objType, std::string name, std::map<std::string, std::string>* params);
+   virtual bool authorise(std::string id, acl::Action action, acl::ObjectType 
objType, std::string ExchangeName, std::string RoutingKey);
 
    virtual ~Acl();
 private:
    std::string printAction(acl::Action action);
    std::string printObjType(acl::ObjectType objType);
-
-   acl::AclValues aclValues;
-   broker::Broker* broker;
-   
+   bool result(AclResult aclreslt, std::string id, acl::Action action, 
acl::ObjectType objType, std::string name);
    bool readAclFile();
       
 };
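Review bot: `inline virtual bool doTransferAcl() {return transferAcl;};` has a stray `;` after the body and is not `const` although it only reads a member; `inline virtual bool doTransferAcl() const {return transferAcl;}` would be the usual form, with the pure virtual in AclModule.h given the same qualifier. This accessor is called from SemanticState::route on every published message; the commit only writes `transferAcl` in the constructor, but if an ACL reload ever rewrites it while sessions are active, that read will need synchronization, which is worth confirming against the plugin's lifecycle. A comment on the new member, `bool transferAcl; // true only when a loaded rule needs per-message checks; read on the publish path`, would record why the flag exists.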

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h?rev=681690&r1=681689&r2=681690&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/AclModule.h Fri Aug  1 
06:40:56 2008
@@ -44,7 +44,13 @@
 
 public:
    
-   virtual bool authorise(std::string id, acl::Action action, acl::ObjectType 
objType, std::string name, std::map<std::string, std::string>* params)=0;
+   // effienty turn off ACL on message transfer.
+   virtual bool doTransferAcl()=0;
+   
+   virtual bool authorise(std::string id, acl::Action action, acl::ObjectType 
objType, std::string name, 
+       std::map<std::string, std::string>* params)=0;
+   virtual bool authorise(std::string id, acl::Action action, acl::ObjectType 
objType, std::string ExchangeName, 
+       std::string RoutingKey)=0;
    // create specilied authorise methods for cases that need faster matching 
as needed.
 
    virtual ~AclModule() {};
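Review bot: The comment `// effienty turn off ACL on message transfer.` above `doTransferAcl()` has a typo and leaves out the contract callers depend on: a false return makes the broker skip the transfer `authorise` call altogether. Suggest `// Returns true when per-message transfer checks are required; false lets the broker skip authorise() on the publish path, so implementations should return true whenever in doubt.` together with `virtual bool doTransferAcl() const = 0;` since it only reports state. The two `authorise` overloads now differ only in their last two parameter types; a one-line comment on each (generic params-map form versus exchange/routing-key form) would tell an implementer which one the broker calls from where, which "create specilied authorise methods" does not.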

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp?rev=681690&r1=681689&r2=681690&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp Fri Aug  1 
06:40:56 2008
@@ -33,6 +33,7 @@
 #include "qpid/framing/MessageTransferBody.h"
 #include "qpid/log/Statement.h"
 #include "qpid/ptr_map.h"
+#include "AclModule.h"
 
 #include <boost/bind.hpp>
 #include <boost/format.hpp>
@@ -65,6 +66,7 @@
       outputTasks(ss)
 {
     outstanding.reset();
+    acl = getSession().getBroker().getAcl();
 }
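Review bot: `acl = getSession().getBroker().getAcl();` caches a raw `AclModule*` for the lifetime of the SemanticState, whereas SessionAdapter.cpp looks it up per call with `getBroker().getAcl()`. If the ACL module can be replaced or unloaded while sessions are open, the cached pointer dangles; this diff does not show whether that is possible, so either confirm the module outlives every session or fetch it per route as SessionAdapter does. A comment on the assignment such as `// cached once per session; assumes the ACL module outlives this SemanticState` would at least make the assumption visible. The constructor's initializer list begins outside the hunk.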
 
 SemanticState::~SemanticState() {
@@ -258,7 +260,7 @@
     blocked(true), 
     windowing(true), 
     msgCredit(0), 
-    byteCredit(0) {}
+    byteCredit(0){}
 
 OwnershipToken* SemanticState::ConsumerImpl::getSession()
 {
@@ -356,6 +358,12 @@
         cacheExchange = session.getBroker().getExchanges().get(exchangeName);
     }
 
+       if (acl && acl->doTransferAcl())
+       {
+           if 
(!acl->authorise(getSession().getConnection().getUserId(),acl::PUBLISH,acl::EXCHANGE,exchangeName,
 msg->getRoutingKey() ))
+               throw NotAllowedException("ACL denied exhange publish request");
+    }
+
     cacheExchange->route(strategy, msg->getRoutingKey(), 
msg->getApplicationHeaders());
 
     if (!strategy.delivered) {
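Review bot: The new block is indented at 7 columns while its closing `}` sits at 4, out of step with the surrounding 4-space code, and the exception text has a typo: `throw NotAllowedException("ACL denied exchange publish request");`. The check itself is placed correctly before `cacheExchange->route`, so a denial never delivers the message. `SemanticState::route` begins and ends outside the hunk.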

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h?rev=681690&r1=681689&r2=681690&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.h Fri Aug  1 
06:40:56 2008
@@ -38,6 +38,7 @@
 #include "qpid/framing/Uuid.h"
 #include "qpid/sys/AggregateOutput.h"
 #include "qpid/shared_ptr.h"
+#include "AclModule.h"
 
 #include <list>
 #include <map>
@@ -117,7 +118,8 @@
     framing::SequenceSet accumulatedAck;
     boost::shared_ptr<Exchange> cacheExchange;
     sys::AggregateOutput outputTasks;
-    
+    AclModule* acl;
+       
     void route(boost::intrusive_ptr<Message> msg, Deliverable& strategy);
     void record(const DeliveryRecord& delivery);
     bool checkPrefetch(boost::intrusive_ptr<Message>& msg);
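Review bot: `AclModule* acl;` carries no ownership or nullability note, yet it is assigned from `Broker::getAcl()` in the constructor and null-tested before use in route, so a reader has to trace two files to learn that. Suggest `AclModule* acl; // non-owning; set from Broker::getAcl() in the ctor, may be null (route checks it before use)`. The enclosing class begins outside the hunk.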

Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SessionAdapter.cpp
URL: 
http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SessionAdapter.cpp?rev=681690&r1=681689&r2=681690&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SessionAdapter.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SessionAdapter.cpp Fri Aug  1 
06:40:56 2008
@@ -153,9 +153,7 @@
        AclModule* acl = getBroker().getAcl();
        if (acl)
        {
-        std::map<std::string, std::string> params;
-               params.insert(make_pair("RKEY", routingKey));
-           if 
(!acl->authorise(getConnection().getUserId(),acl::BIND,acl::EXCHANGE,exchangeName,&params)
 )
+           if 
(!acl->authorise(getConnection().getUserId(),acl::BIND,acl::EXCHANGE,exchangeName,routingKey)
 )
                throw NotAllowedException("ACL denied exhange bind request");
     }
 

