Author: chug Date: Tue Jul 15 13:12:40 2014 New Revision: 1610681 URL: http://svn.apache.org/r1610681 Log: QPID-4947: Add keyword "all" to create connection host spec.
Modified: qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml Modified: qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml?rev=1610681&r1=1610680&r2=1610681&view=diff ============================================================================== --- qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml (original) +++ qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml Tue Jul 15 13:12:40 2014 @@ -500,7 +500,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is attempting to read the object + Using an object </para> </entry> @@ -511,7 +511,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is attempting to write a message to the exchange. + Authenticating an incoming message. </para> </entry> </row> @@ -521,7 +521,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is creating the object + Creating an object. </para> </entry> </row> @@ -531,7 +531,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is accessing (reading) the object + Accessing or reading an object </para> </entry> </row> @@ -541,7 +541,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is associating a queue to an exchange with a routing key. + Associating a queue to an exchange with a routing key. </para> </entry> </row> @@ -551,7 +551,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - Useris disassociating a queue from an exchange with a routing key. + Disassociating a queue from an exchange with a routing key. </para> </entry> </row> @@ -561,7 +561,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is deleting the object. + Deleting an object. </para> </entry> </row> @@ -571,7 +571,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is purging a queue. + Purging a queue. </para> </entry> </row> 
@@ -581,7 +581,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - User is changing a broker configuration setting. + Changing a broker configuration setting. </para> </entry> </row> @@ -591,7 +591,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - When moving messages between queues + Moving messages between queues. </para> </entry> </row> @@ -601,7 +601,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - When redirecting messages between queues + Redirecting messages between queues </para> </entry> </row> @@ -611,7 +611,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - When rerouting messages from a queue to an exchange + Rerouting messages from a queue to an exchange </para> </entry> </row> @@ -628,7 +628,6 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - A queue </para> </entry> </row> @@ -638,7 +637,6 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - An exchange </para> </entry> </row> @@ -648,7 +646,6 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - The broker </para> </entry> </row> @@ -668,7 +665,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - Management or agent or broker method + Management method </para> </entry> </row> @@ -678,7 +675,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - Management query (of an object or whole class) + Management query of an object or class </para> </entry> </row> @@ -688,7 +685,7 @@ property = "name" | "durable" | "routin </entry> <entry> <para> - An incoming TCP/IP connection + Incoming TCP/IP connection </para> </entry> </row> 
@@ -1723,12 +1720,13 @@ property = "name" | "durable" | "routin <section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Host_Limits"> <title>Connection Limits by Host Name</title> <para> - The 0.30 C++ Broker ACL module adds the ability to create allow and deny lists of the TCP/IP hosts from which users may connect. The rule accepts two forms: + The 0.30 C++ Broker ACL module adds the ability to create allow and deny lists of the TCP/IP hosts from which users may connect. The rule accepts these forms: </para> <para> <programlisting> acl allow user create connection host=host1 acl allow user create connection host=host1,host2 + acl deny user create connection host=all </programlisting> </para> <para> @@ -1738,6 +1736,9 @@ property = "name" | "durable" | "routin Using the form <command>host=host1,host2</command> specifies a range of TCP/IP addresses. With a host range each host must resolve to a single TCP/IP address and the second address must be numerically larger than the first. A connection from any host where host >= host1 and host <= host2 match the rule and the connection is allowed or denied accordingly. </para> <para> + Using the form <command>host=all</command> specifies all TCP/IP addresses. A connection from any host matches the rule and the connection is allowed or denied accordingly. + </para> + <para> Connection denial is only applied to incoming TCP/IP connections. Other socket types are not subjected to nor denied by range checks. </para> <para> 
@@ -1751,17 +1752,14 @@ property = "name" | "durable" | "routin acl allow admins create connection host=localhost acl allow admins create connection host=10.0.0.0,10.255.255.255 acl allow admins create connection host=192.168.0.0,192.168.255.255 + acl allow admins create connection host=[fc00::],[fc00::ff] acl allow Company1 create connection host=company1.com acl allow Company2 create connection host=company2.com - acl deny all create connection host=company1.com - acl deny all create connection host=company2.com - acl deny all create connection host=10.0.0.0,10.255.255.255 - acl deny all create connection host=192.168.0.0,192.168.255.255 - acl deny all create connection host=localhost + acl deny all create connection host=all </programlisting> </para> <para> - In this example admins may connect from localhost or from any system on the 10.0.0.0/24 and 192.168.0.0/16 subnets. Company1 users may connect only from company1.com while admins and Company2 users are blocked. Similarly Company2 users may connect only from company2.com while admins and Company1 users are blocked. + In this example admins may connect from localhost or from any system on the 10.0.0.0/24, 192.168.0.0/16, and fc00::/7 subnets. Company1 users may connect only from company1.com and Company2 users may connect only from company2.com. All other connections are denied. </para> </section>
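Review bot: the rewording in the @@ -500 and @@ -511 hunks loses the meaning of the action descriptions. "User is attempting to read the object" becomes "Using an object", and "User is attempting to write a message to the exchange" becomes "Authenticating an incoming message." An ACL rule is an authorization decision about whether a user may publish to the exchange, not an authentication step, so the new text misstates what the check does. Suggest keeping the verb that names the action, e.g. "Reading an object" and "Publishing a message to an exchange."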
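Review bot: the @@ -628, @@ -638 and @@ -648 hunks delete the description text ("A queue", "An exchange", "The broker") but leave behind an empty <para> inside each <entry>. Either drop the now-empty <para></para> pair as well, or keep a description for the object column so that table stays consistent with the rows below it (the @@ -668 onward hunks still carry descriptions such as "Management method" and "Incoming TCP/IP connection").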
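Review bot: the @@ -1738 hunk should say whether "all" is a reserved keyword in the host position, since the @@ -1723 grammar now lists "host=all" next to "host=host1" and a host could conceivably be named "all". The new paragraph, "Using the form <command>host=all</command> specifies all TCP/IP addresses", also does not state that it covers both IPv4 and IPv6 addresses even though the @@ -1751 example adds an IPv6 range; one sentence stating that "all" matches every address family and cannot be used as a literal host name would close both gaps.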
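Review bot: in the @@ -1751 hunk the prose does not match the rules. The added rule "host=[fc00::],[fc00::ff]" covers only the 256 addresses fc00:: through fc00::ff, yet the new sentence describes it as the "fc00::/7" subnet; either widen the range (fc00::/7 would end at fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) or describe the range actually written. The pre-existing "10.0.0.0/24" for the 10.0.0.0,10.255.255.255 range is also wrong and should read 10.0.0.0/8 while this paragraph is being rewritten. Finally, since the single "acl deny all create connection host=all" now matches every host, the explanation should state that it must stay after the allow rules for "All other connections are denied" to hold.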