This is an automated email from the ASF dual-hosted git repository. orudyy pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/master by this push: new fb0d8b9 QPID-8361: [Broker-J] Add description for ACL model fb0d8b9 is described below commit fb0d8b9b7981a890d31e037e9f3157b11ef44c2f Author: Alex Rudyy <oru...@apache.org> AuthorDate: Wed Oct 2 16:59:37 2019 +0100 QPID-8361: [Broker-J] Add description for ACL model --- .../src/main/markdown/architecture.md | 56 +++++++++++++++++++++ .../src/main/markdown/images/acl-legacy.gliffy | 1 + .../src/main/markdown/images/acl-legacy.png | Bin 0 -> 112592 bytes .../src/main/markdown/images/acl.gliffy | 1 + .../src/main/markdown/images/acl.png | Bin 0 -> 114058 bytes 5 files changed, 58 insertions(+) diff --git a/doc/developer-guide/src/main/markdown/architecture.md b/doc/developer-guide/src/main/markdown/architecture.md index 8c8f0db..a71a5c7 100644 --- a/doc/developer-guide/src/main/markdown/architecture.md +++ b/doc/developer-guide/src/main/markdown/architecture.md 
@@ -599,3 +599,59 @@ Both `Broker` and `VirtualHost` support the following inclusion rules container id and remote connection address All existing logback-based Logger implementations (for both `Broker` and `VirtualHost`) extend `AbstractLogger`. + +## ACL + +Authorization of operations performed by users is implemented in special `AccessControl` objects. +The authorization check for user operation can result in the following outcomes: + * `ALLOWED` + * `DENIED` + * `DEFERRED` + +The `DEFERRED` outcome means that `AccessControl` cannot `ALLOW` or `DENY` the operation and the check needs to be +delegated to another `AccessControl`. + +The authorization checks are implemented for the operations of following types + + * `CREATE` when any type of `ConfiguredObject` is created + * `UPDATE` when instance of `ConfiguredObject` is updated + * `DELETE` when instance of `ConfiguredObject` is deleted + * `READ` when attribute values of `ConfiguredObject` needs to be accessed + * `DISCOVER` when `ConfiguredObject` metadata (like `ConfiguredObject` hierarchy, supported attributes, + supported operations, etc) needs to be accessed + * `INVOKE_METHOD` when a method on `ConfiguredObject` needs to be executed + * `PERFORM_ACTION` used to check required permissions for the following actions: + * "connect" when new messaging connection is established + * "publish" when message is published + * "manage" when user access management interfaces + +The `AccessControl` objects lives on `Broker` or `VirtualHost` levels. The `VirtualHost` `AccessControl` can defer +authorization check to `Broker` `AccessControl`. 
+ +The following methods are defined in `AccessControl` interface to perform the authorization checks + + * ``Result authorise(T token, Operation operation, PermissionedObject configuredObject)`` + * ``Result authorise(T token, Operation operation, PermissionedObject configuredObject, Map<String,Object> arguments)`` + +Special object of type `SecurityToken` can be passed into `authorize` methods. For example, "publish" +authorization check leverages `SecurityToken` for caching purposes. The results of "publish" authorization check are kept +in token and utilized on the following check for performance optimization. + +The class diagram below illustrates the authorization model. + +![ACL](images/acl.png) + + +The ACL rules can be defined by end-users in special `ConfiguredObjects` of type `AccessControlProvider`. +The rules are defined in terms of legacy `LegacyAccessControl` model. When authorization check is performed the entities +of new ACL models are converted into legacy ACL entities. + +The class diagram below illustrates legacy ACL model. + +![Legacy ACL](images/acl-legacy.png) + +The legacy ACL model defines a number of `LegacyOperations`, `ObjectTypes` and `Properties` . The ACL rules are written +using legacy ACL concepts. + +The User Documentation illustrates how those rules can be defined. The links to Qpid Broker-J documentation are available +under [Qpid Broker-J Component page](http://qpid.apache.org/components/broker-j/index.html) diff --git a/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy new file mode 100644 index 0000000..73075ec --- /dev/null +++ b/doc/developer-guide/src/main/markdown/images/acl-legacy.gliffy 
@@ -0,0 +1 @@ +{"contentType":"application/gliffy+json","version":"1.1","metadata":{"title":"untitled","revision":0,"exportBorder":false},"embeddedResources":{"index":0,"resources":[]},"stage":{"objects":[{"x":473,"y":660,"rotation":0,"id":51,"uid":"com.gliffy.shape.uml.uml_v1.default.association","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":51,"graphic":{"type":"Line","Line":{"strokeWidth":1,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endAr [...] \ No newline at end of file diff --git a/doc/developer-guide/src/main/markdown/images/acl-legacy.png b/doc/developer-guide/src/main/markdown/images/acl-legacy.png new file mode 100644 index 0000000..96fe4c1 Binary files /dev/null and b/doc/developer-guide/src/main/markdown/images/acl-legacy.png differ diff --git a/doc/developer-guide/src/main/markdown/images/acl.gliffy b/doc/developer-guide/src/main/markdown/images/acl.gliffy new file mode 100644 index 0000000..a930f47 --- /dev/null +++ b/doc/developer-guide/src/main/markdown/images/acl.gliffy @@ -0,0 +1 @@ +{"contentType":"application/gliffy+json","version":"1.1","metadata":{"title":"untitled","revision":0,"exportBorder":false},"embeddedResources":{"index":0,"resources":[]},"stage":{"objects":[{"x":877,"y":688,"rotation":0,"id":80,"uid":"com.gliffy.shape.uml.uml_v1.default.aggregation","width":100,"height":100,"lockAspectRatio":false,"lockShape":false,"order":53,"graphic":{"type":"Line","Line":{"strokeWidth":1,"strokeColor":"#000000","fillColor":"none","dashStyle":null,"startArrow":0,"endAr [...] \ No newline at end of file 
diff --git a/doc/developer-guide/src/main/markdown/images/acl.png b/doc/developer-guide/src/main/markdown/images/acl.png new file mode 100644 index 0000000..f5b1651 Binary files /dev/null and b/doc/developer-guide/src/main/markdown/images/acl.png differ
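Review bot: The new ACL section in architecture.md never states the final outcome when the `Broker` `AccessControl` itself returns `DEFERRED`. The text only says the `VirtualHost` `AccessControl` can defer to the `Broker` one, so a reader cannot tell whether an unresolved check ends as allowed or denied. Add a sentence after "The `VirtualHost` `AccessControl` can defer authorization check to `Broker` `AccessControl`" that names the terminal default. In the same hunk, the prose refers to `authorize` methods while both listed signatures are spelled `authorise`, and "cannot `ALLOW` or `DENY`" puts in code formatting names that differ from the listed outcomes `ALLOWED` and `DENIED`; use the identifiers as listed. The type parameter `T` in `authorise(T token, ...)` is also never tied to `SecurityToken`, which one clause in the following paragraph would fix.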
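Review bot: Both added Gliffy sources, acl-legacy.gliffy and acl.gliffy, carry `"title":"untitled"` in their metadata and end without a trailing newline. Giving each diagram a title that matches its image ("Legacy ACL" and "ACL", as used in the markdown alt text) would make the sources easier to pair with acl-legacy.png and acl.png when the diagrams are next edited.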