This is an automated email from the ASF dual-hosted git repository.
orudyy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/master by this push:
new fb0d8b9 QPID-8361: [Broker-J] Add description for ACL model
fb0d8b9 is described below
commit fb0d8b9b7981a890d31e037e9f3157b11ef44c2f
Author: Alex Rudyy <oru...@apache.org>
AuthorDate: Wed Oct 2 16:59:37 2019 +0100
QPID-8361: [Broker-J] Add description for ACL model
---
.../src/main/markdown/architecture.md | 56 +++++++++++++++++++++
.../src/main/markdown/images/acl-legacy.gliffy | 1 +
.../src/main/markdown/images/acl-legacy.png | Bin 0 -> 112592 bytes
.../src/main/markdown/images/acl.gliffy | 1 +
.../src/main/markdown/images/acl.png | Bin 0 -> 114058 bytes
5 files changed, 58 insertions(+)
diff --git a/doc/developer-guide/src/main/markdown/architecture.md
b/doc/developer-guide/src/main/markdown/architecture.md
index 8c8f0db..a71a5c7 100644
--- a/doc/developer-guide/src/main/markdown/architecture.md
+++ b/doc/developer-guide/src/main/markdown/architecture.md
@@ -599,3 +599,59 @@ Both `Broker` and `VirtualHost` support the following
inclusion rules
container id and remote connection address
All existing logback-based Logger implementations (for both `Broker` and
`VirtualHost`) extend `AbstractLogger`.
+
+## ACL
+
+Authorization of operations performed by users is implemented in special
`AccessControl` objects.
+The authorization check for user operation can result in the following
outcomes:
+ * `ALLOWED`
+ * `DENIED`
+ * `DEFERRED`
+
+The `DEFERRED` outcome means that `AccessControl` cannot `ALLOW` or `DENY` the
operation and the check needs to be
+delegated to another `AccessControl`.
+
+The authorization checks are implemented for the operations of following types
+
+ * `CREATE` when any type of `ConfiguredObject` is created
+ * `UPDATE` when instance of `ConfiguredObject` is updated
+ * `DELETE` when instance of `ConfiguredObject` is deleted
+ * `READ` when attribute values of `ConfiguredObject` needs to be accessed
+ * `DISCOVER` when `ConfiguredObject` metadata (like `ConfiguredObject`
hierarchy, supported attributes,
+ supported operations, etc) needs to be accessed
+ * `INVOKE_METHOD` when a method on `ConfiguredObject` needs to be executed
+ * `PERFORM_ACTION` used to check required permissions for the following
actions:
+ * "connect" when new messaging connection is established
+ * "publish" when message is published
+ * "manage" when user access management interfaces
+
+The `AccessControl` objects lives on `Broker` or `VirtualHost` levels. The
`VirtualHost` `AccessControl` can defer
+authorization check to `Broker` `AccessControl`.
+
+The following methods are defined in `AccessControl` interface to perform the
authorization checks
+
+ * ``Result authorise(T token, Operation operation, PermissionedObject
configuredObject)``
+ * ``Result authorise(T token, Operation operation, PermissionedObject
configuredObject, Map<String,Object> arguments)``
+
+Special object of type `SecurityToken` can be passed into `authorize` methods.
For example, "publish"
+authorization check leverages `SecurityToken` for caching purposes. The
results of "publish" authorization check are kept
+in token and utilized on the following check for performance optimization.
+
+The class diagram below illustrates the authorization model.
+
+
+
+
+The ACL rules can be defined by end-users in special `ConfiguredObjects` of
type `AccessControlProvider`.
+The rules are defined in terms of legacy `LegacyAccessControl` model. When
authorization check is performed the entities
+of new ACL models are converted into legacy ACL entities.
+
+The class diagram below illustrates legacy ACL model.
+
+
+
+The legacy ACL model defines a number of `LegacyOperations`, `ObjectTypes` and
`Properties` . The ACL rules are written
+using legacy ACL concepts.
+
+The User Documentation illustrates how those rules can be defined. The links
to Qpid Broker-J documentation are available
+under [Qpid Broker-J Component
page](http://qpid.apache.org/components/broker-j/index.html)
diff --git a/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy
b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy
new file mode 100644
index 0000000..73075ec
--- /dev/null
+++ b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy
@@ -0,0 +1 @@
+{"contentType":"application/gliffy+json","version":"1.1","metadata":{"title":"untitled","revision":0,"exportBorder":false},"embeddedResources":{"index":0,"resources":[]},"stage":{"objects":[{"x":473,"y":660,"rotation":0,"id":51,"uid":"com.gliffy.shape.uml.uml_v1.default.association","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":51,"graphic":{"type":"Line","Line":{"strokeWidth":1,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endAr
[...]
\ No newline at end of file
diff --git a/doc/developer-guide/src/main/markdown/images/acl-legacy.png
b/doc/developer-guide/src/main/markdown/images/acl-legacy.png
new file mode 100644
index 0000000..96fe4c1
Binary files /dev/null and
b/doc/developer-guide/src/main/markdown/images/acl-legacy.png differ
diff --git a/doc/developer-guide/src/main/markdown/images/acl.gliffy
b/doc/developer-guide/src/main/markdown/images/acl.gliffy
new file mode 100644
index 0000000..a930f47
--- /dev/null
+++ b/doc/developer-guide/src/main/markdown/images/acl.gliffy
@@ -0,0 +1 @@
+{"contentType":"application/gliffy+json","version":"1.1","metadata":{"title":"untitled","revision":0,"exportBorder":false},"embeddedResources":{"index":0,"resources":[]},"stage":{"objects":[{"x":877,"y":688,"rotation":0,"id":80,"uid":"com.gliffy.shape.uml.uml_v1.default.aggregation","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":53,"graphic":{"type":"Line","Line":{"strokeWidth":1,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endAr
[...]
\ No newline at end of file
diff --git a/doc/developer-guide/src/main/markdown/images/acl.png
b/doc/developer-guide/src/main/markdown/images/acl.png
new file mode 100644
index 0000000..f5b1651
Binary files /dev/null and
b/doc/developer-guide/src/main/markdown/images/acl.png differ
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org
For additional commands, e-mail: commits-h...@qpid.apache.org
