[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-06 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16388118#comment-16388118
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user asfgit closed the pull request at:

https://github.com/apache/qpid-dispatch/pull/255


> Add a chapter on policy to the Qpid Dispatch Router Book.
> -
>
> Key: DISPATCH-333
> URL: https://issues.apache.org/jira/browse/DISPATCH-333
> Project: Qpid Dispatch
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: 0.7.0
> Reporter: Ganesh Murthy
> Assignee: Ben Hardesty
> Priority: Minor
>
> Add a new chapter containing details on how policy works and how to set up 
> policy to the Qpid Dispatch Router Book



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

-
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org



[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16384235#comment-16384235
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user bhardesty commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171977117
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
+
+<2> Enables the router to enforce the connection denials and resource 
limits defined in the configured vhost policies. The default is `false`, which 
means that the router will not enforce any vhost policies.
++
+[NOTE]
+
+Setting `enableVhostPolicy` to `false` improves the router's performance.
+
+
+<3> The absolute path to a directory that holds vhost policy definition 
files in JSON format (`*.json`). The router processes all of the vhost policies 
in each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
+
+<4> The name of the default vhost policy, which is applied to any 
connection for which a vhost policy has not been configured. The default is 
`$default`. If `defaultVhost` is not defined, then default vhost processing is 
disabled.
+--
+
+=== Configuring Vhost Policies
+
+You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
+
+A vhost policy consists of the following:
+
+* Connection limits
++
+These limits control the number of users that can be connected to the 
vhost simultaneously.
+
+* User groups
++
+A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
+
+** A set of users that can connect to the vhost (the group members)
+** The remote hosts from which the group members may connect to the router 
network
+** 
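
Review bot: callout <4> contradicts itself: it says the default for `defaultVhost` is `$default`, then says that default vhost processing is disabled if `defaultVhost` is not defined. If the attribute has a default value, leaving it out cannot leave it undefined, so state which of the two behaviours an omitted attribute gets. This decides whether a connection to a vhost with no configured policy is matched to a policy at all, so the text should also say what the router does with such a connection in each case.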

[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16384233#comment-16384233
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user bhardesty commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171977044
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
+
+<2> Enables the router to enforce the connection denials and resource 
limits defined in the configured vhost policies. The default is `false`, which 
means that the router will not enforce any vhost policies.
++
+[NOTE]
+
+Setting `enableVhostPolicy` to `false` improves the router's performance.
+
+
+<3> The absolute path to a directory that holds vhost policy definition 
files in JSON format (`*.json`). The router processes all of the vhost policies 
in each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
+
+<4> The name of the default vhost policy, which is applied to any 
connection for which a vhost policy has not been configured. The default is 
`$default`. If `defaultVhost` is not defined, then default vhost processing is 
disabled.
+--
+
+=== Configuring Vhost Policies
+
+You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
+
+A vhost policy consists of the following:
+
+* Connection limits
++
+These limits control the number of users that can be connected to the 
vhost simultaneously.
+
+* User groups
++
+A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
+
+** A set of users that can connect to the vhost (the group members)
+** The remote hosts from which the group members may connect to the router 
network
+** 
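
Review bot: the NOTE under callout <2> recommends `enableVhostPolicy: false` for performance without saying what is given up. Callout <2> itself states that with `false` the router will not enforce any vhost policies, which leaves only the global `maxConnections` limit; suggest the NOTE says so in the same sentence, so that nobody trades per-vhost authorization for throughput without noticing. It would also help to point out that the example sets `true` while the default is `false`, meaning the vhost policies described in the rest of the chapter have no effect until this attribute is set.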

[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16384232#comment-16384232
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user bhardesty commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171976959
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
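
Review bot: in the example for the `policy` section, the opening line is written `policy = {`, while the existing section visible in the hunk header is written `listener {`, with no `=`. If both follow the same configuration syntax, drop the `=` so that the example can be pasted into the router configuration file as is.
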
--- End diff --

I updated this to specify that 65535 is both the default and the maximum.





[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16383726#comment-16383726
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user ChugR commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171884076
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
+
+<2> Enables the router to enforce the connection denials and resource 
limits defined in the configured vhost policies. The default is `false`, which 
means that the router will not enforce any vhost policies.
++
+[NOTE]
+
+Setting `enableVhostPolicy` to `false` improves the router's performance.
+
+
+<3> The absolute path to a directory that holds vhost policy definition 
files in JSON format (`*.json`). The router processes all of the vhost policies 
in each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
+
+<4> The name of the default vhost policy, which is applied to any 
connection for which a vhost policy has not been configured. The default is 
`$default`. If `defaultVhost` is not defined, then default vhost processing is 
disabled.
+--
+
+=== Configuring Vhost Policies
+
+You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
+
+A vhost policy consists of the following:
+
+* Connection limits
++
+These limits control the number of users that can be connected to the 
vhost simultaneously.
+
+* User groups
++
+A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
+
+** A set of users that can connect to the vhost (the group members)
+** The remote hosts from which the group members may connect to the router 
network
+** The 
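
Review bot: callout <3> for `policyDir` says the router processes every vhost policy in each `*.json` file in the directory, but not when it reads them or what it does with a file that fails to parse. Suggest stating whether the files are read only at startup or also while the router runs, and whether a malformed file is skipped or stops the router. Whoever can write to this directory defines who may access what, so a sentence on restricting write access to it would fit here.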

[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16383720#comment-16383720
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user ChugR commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171883800
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
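
Review bot: the closing paragraph of "How {RouterName} Applies Policies" only covers the case where a vhost policy matches the vhost to which the connection is directed. It should also say what happens when no vhost policy matches, and which of the three listed connection properties can lead to a denial, so that a reader can tell from this section alone why a connection was refused.
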
--- End diff --

This description is correct but it glosses over some of the structure 
within a vhost policy. In a vhost policy, maxConnections, 
maxConnectionsPerUser, maxConnectionsPerHost, and allowUnknownUser are common 
for all users. Then, based on the user name, the vhost policy assigns the 
remaining policy settings (vhostUserGroupSettings). Users who connect to a 
given vhost may receive different settings based on what user group the user is 
assigned.





[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16383711#comment-16383711
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user ChugR commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171881914
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
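
Review bot: the example sets `maxConnections: 1`, while callout <1> describes a limit that applies to all incoming connections regardless of remote host, authenticated user, or targeted vhost. Copied as is, this value lets only one client be connected to the router at a time; use a value closer to a production setting in the example, or add a remark that `1` is only a placeholder.
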
--- End diff --

maxConnections is restricted to be in the range 0..65535 inclusive. That 
said, a setting of zero works but it renders the router useless, as no 
users or management clients can connect to it. The 65535 was chosen to be some 
limit that is probably not achievable in the real world. 
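
The two points raised in the review comments above (the 0..65535 range for maxConnections, and a vhost policy that has limits common to all users plus settings chosen by user group), modelled as an added example that is not part of the thread or of the router's code. The `groups`/`users`/`remoteHosts` layout, the `$default` fallback group, the order of the checks and all sample values are assumptions of this sketch.

```python
# Added illustration: a simplified model of the policy checks discussed above.
# maxConnections, maxConnectionsPerUser, maxConnectionsPerHost, allowUnknownUser,
# enableVhostPolicy and the 0..65535 range come from the thread. The "groups",
# "users" and "remoteHosts" layout, the "$default" fallback group, the order of
# the checks and every sample value are assumptions made for this sketch.
from collections import Counter

MAX_CONNECTIONS_LIMIT = 65535  # default and maximum, per the review comments


def lint_global_policy(policy):
    """Return findings for a global `policy` section given as a dict."""
    findings = []
    limit = policy.get("maxConnections", MAX_CONNECTIONS_LIMIT)
    if type(limit) is not int or not 0 <= limit <= MAX_CONNECTIONS_LIMIT:
        findings.append("maxConnections must be an integer in 0..65535")
    elif limit == 0:
        findings.append("maxConnections is 0: no user or management client can connect")
    if policy.get("enableVhostPolicy", False) is not True:
        findings.append("enableVhostPolicy is not true: vhost policies are not enforced")
    return findings


class VhostPolicy:
    """Tracks connection counts for one vhost and decides on new connections."""

    def __init__(self, settings):
        self.settings = settings
        self.total = 0
        self.per_user = Counter()
        self.per_host = Counter()

    def group_for(self, user):
        """Map a user name to a group name, or None if the user is rejected."""
        groups = self.settings["groups"]
        for name, group in groups.items():
            if name != "$default" and user in group["users"]:
                return name
        # Unknown users are only admitted when the vhost explicitly allows it.
        if self.settings.get("allowUnknownUser", False) and "$default" in groups:
            return "$default"
        return None

    def admit(self, user, remote_host):
        """Return (True, group_settings) or (False, reason)."""
        group_name = self.group_for(user)
        if group_name is None:
            return False, "user is not in any group"
        group = self.settings["groups"][group_name]
        # A group without a remoteHosts list admits nobody (fail closed).
        allowed_hosts = group.get("remoteHosts", [])
        if "*" not in allowed_hosts and remote_host not in allowed_hosts:
            return False, "remote host not allowed for group " + group_name
        # Limits that are common to every user of the vhost.
        if self.total >= self.settings["maxConnections"]:
            return False, "maxConnections reached"
        if self.per_user[user] >= self.settings["maxConnectionsPerUser"]:
            return False, "maxConnectionsPerUser reached"
        if self.per_host[remote_host] >= self.settings["maxConnectionsPerHost"]:
            return False, "maxConnectionsPerHost reached"
        self.total += 1
        self.per_user[user] += 1
        self.per_host[remote_host] += 1
        return True, group  # the settings this user's group receives


SAMPLE_VHOST = {  # constructed sample, not taken from the pull request
    "maxConnections": 3,
    "maxConnectionsPerUser": 2,
    "maxConnectionsPerHost": 2,
    "allowUnknownUser": False,
    "groups": {
        "admins": {"users": ["alice"], "remoteHosts": ["10.0.0.5"], "maxSenders": 10},
        "apps": {"users": ["svc-orders"], "remoteHosts": ["*"], "maxSenders": 2},
        "$default": {"users": [], "remoteHosts": ["*"], "maxSenders": 1},
    },
}

if __name__ == "__main__":
    print(lint_global_policy({"maxConnections": 0}))
    vhost = VhostPolicy(SAMPLE_VHOST)
    attempts = [("alice", "10.0.0.5"), ("alice", "192.0.2.9"), ("mallory", "10.0.0.5")]
    for user, host in attempts:
        print(user, host, vhost.admit(user, host))
```

Denied attempts do not count against any limit in this model, so a rejected user cannot use up the vhost's connection budget.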





[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-01 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16383176#comment-16383176
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user dmuntima commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171513534
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
+
+<2> Enables the router to enforce the connection denials and resource 
limits defined in the configured vhost policies. The default is `false`, which 
means that the router will not enforce any vhost policies.
++
+[NOTE]
+
+Setting `enableVhostPolicy` to `false` improves the router's performance.
+
+
+<3> The absolute path to a directory that holds vhost policy definition 
files in JSON format (`*.json`). The router processes all of the vhost policies 
in each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
+
+<4> The name of the default vhost policy, which is applied to any 
connection for which a vhost policy has not been configured. The default is 
`$default`. If `defaultVhost` is not defined, then default vhost processing is 
disabled.
+--
+
+=== Configuring Vhost Policies
+
+You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
+
+A vhost policy consists of the following:
+
+* Connection limits
++
+These limits control the number of users that can be connected to the 
vhost simultaneously.
+
+* User groups
++
+A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
+
+** A set of users that can connect to the vhost (the group members)
+** The remote hosts from which the group members may connect to the router 
network
+** 
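
Review bot: under "Connection limits" in "Configuring Vhost Policies", the text says the limits control the number of users that can be connected to the vhost, whereas the rest of the hunk counts connections (callout <1>: "concurrent client connections"). One user can open several connections, so write "connections" here if that is what is counted.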

[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-01 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16383177#comment-16383177
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user dmuntima commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171765659
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
+
+<2> Enables the router to enforce the connection denials and resource 
limits defined in the configured vhost policies. The default is `false`, which 
means that the router will not enforce any vhost policies.
++
+[NOTE]
+
+Setting `enableVhostPolicy` to `false` improves the router's performance.
+
+
+<3> The absolute path to a directory that holds vhost policy definition 
files in JSON format (`*.json`). The router processes all of the vhost policies 
in each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
+
+<4> The name of the default vhost policy, which is applied to any 
connection for which a vhost policy has not been configured. The default is 
`$default`. If `defaultVhost` is not defined, then default vhost processing is 
disabled.
+--
+
+=== Configuring Vhost Policies
+
+You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
+
+A vhost policy consists of the following:
+
+* Connection limits
++
+These limits control the number of users that can be connected to the 
vhost simultaneously.
+
+* User groups
++
+A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
+
+** A set of users that can connect to the vhost (the group members)
+** The remote hosts from which the group members may connect to the router 
network
+** 
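
Review bot: Callout <4> for `defaultVhost` reads as contradictory: it says the default is `$default` and then that default vhost processing is disabled if `defaultVhost` is not defined. Please state which of the two applies when the attribute is omitted from the `policy` section. Also say explicitly whether a connection to a vhost with no matching policy is denied when default vhost processing is disabled, since that determines whether the configuration fails open or closed.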

[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-03-01 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16381712#comment-16381712
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user dmuntima commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r171498477
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,356 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: 1  // <1>
+enableVhostPolicy: true  // <2>
+policyDir: /etc/qpid-dispatch/policies/  // <3>
+defaultVhost: $default  // <4>
+}
+
+<1> The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
--- End diff --

If possible, please provide the minimum and maximum values for this element.





[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-02-20 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16370633#comment-16370633
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

Github user ChugR commented on a diff in the pull request:

https://github.com/apache/qpid-dispatch/pull/255#discussion_r169471170
  
--- Diff: doc/new-book/configuration-security.adoc ---
@@ -412,3 +414,385 @@ listener {
 
 For more information about these attributes, see 
xref:adding_sasl_authentication_to_incoming_connection[].
 --
+
+== Authorizing Access to Messaging Resources
+
+You can restrict the number of user connections, and control access to 
AMQP messaging resources by configuring _policies_.
+
+=== Types of Policies
+
+You can configure two different types of policies: _global policies_ and 
_vhost policies_.
+
+Global policies::
+Settings for the router. A global policy defines the maximum number of 
incoming user connections for the router (across all vhost policies), and 
defines how the router should use vhost policies.
+
+Vhost policies::
+Connection and AMQP resource limits for a messaging endpoint (called an 
AMQP virtual host, or _vhost_). A vhost policy defines what a client can access 
on a messaging endpoint over a particular connection.
++
+[NOTE]
+
+A vhost is typically the name of the host to which the client connection 
is directed. For example, if a client application opens a connection to the 
`amqp://mybroker.example.com:5672/queue01` URL, the vhost would be 
`mybroker.example.com`.
+
+
+The resource limits defined in global and vhost policies are applied to 
user connections only. The limits do not affect inter-router connections or 
router connections that are outbound to waypoints.
+
+=== How {RouterName} Applies Policies
+
+When a client connects to a router, the router determines whether to 
permit the connection based on the global and vhost policies, and the following 
properties of the connection:
+
+* The host to which the connection is directed (the vhost)
+* The connection's authenticated user name
+* The host from which the client is connecting (the remote host)
+
+If the connection is permitted, then the router applies a vhost policy 
that matches the vhost to which the connection is directed. The vhost policy 
limits are enforced for the lifetime of the connection.
+
+=== Configuring Global Policies
+
+You can set the incoming connection limit for the router and define how it 
should use vhost policies by configuring a global policy.
+
+.Procedure
+
+* In the router configuration file, add a `policy` section.
++
+--
+[options="nowrap",subs="+quotes"]
+
+policy = {
+maxConnections: _NUMBER_OF_CONNECTIONS_
+enableVhostPolicy: true | false
+policyDir: _PATH_
+defaultVhost: _VHOST_NAME_
+}
+
+
+`maxConnections`::
+The maximum number of concurrent client connections allowed for this 
router. This limit is always enforced, even if no other policy settings have 
been defined. The limit is applied to all incoming connections regardless of 
remote host, authenticated user, or targeted vhost. The default value is 
`65535`.
+
+`enableVhostPolicy`::
+Enables the router to enforce the connection denials and resource limits 
defined in the configured vhost policies. The default is `false`, which means 
that the router will not enforce any vhost policies.
++
+[NOTE]
+
+Setting `enableVhostPolicy` to `false` improves the router's performance.
+
+
+`policyDir`:: 
+The absolute path to a directory that holds vhost policy definition files 
in JSON format (`*.json`). The router processes all of the vhost policies in 
each JSON file that is in this directory. For more information, see 
xref:configuring-vhost-policies-json[].
+
+`defaultVhost`:: 
+The name of the default vhost policy, which is applied to any connection 
for which a vhost policy has not been configured. The default is `$default`. If 
`defaultVhost` is not defined, then default vhost processing is disabled.
+--
+
+=== Configuring Vhost Policies
+
+You configure vhost policies to define the connection limits and AMQP 
resource limits for a messaging endpoint.
+
+A vhost policy consists of the following:
+
+* Connection limits
++
+These limits control the number of users that can be connected to the 
vhost simultaneously.
+
+* User groups
++
+A user group defines the messaging resources that the group members are 
permitted to access. Each user group defines the following:
+
+** A set of users that can connect to the vhost (the group members)
+** The remote hosts from which the 
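
Review bot: The `policyDir` description says the router processes all of the vhost policies in each JSON file in the directory, but not what happens when a file fails to parse or when two files define a policy for the same vhost. Because these files decide who can connect and what they can access, please document that behavior, and consider adding a sentence recommending that the directory be writable only by the router administrator.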

[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-02-13 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16363008#comment-16363008
 ] 

ASF GitHub Bot commented on DISPATCH-333:
-

GitHub user bhardesty opened a pull request:

https://github.com/apache/qpid-dispatch/pull/255

DISPATCH-333: Create new router policies doc

@ChugR @RoddieKieley here's the updated policies doc. Please review for 
technical accuracy. Updates include:
* Add new Authorization section to Security chapter (this is the policies 
content)
* Remove old policies content
* Update policy configuration attribute descriptions

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/bhardesty/qpid-dispatch dispatch-333-policies

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/qpid-dispatch/pull/255.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #255


commit 8307b0200d2a55c8289a453a997e32ba534c9bfb
Author: Ben Hardesty 
Date:   2018-01-26T22:02:29Z

Create new doc on policies:
* Add new Authorization section to Security chapter
* Remove old policies content
* Update policy configuration attribute descriptions







[jira] [Commented] (DISPATCH-333) Add a chapter on policy to the Qpid Dispatch Router Book.

2018-01-11 Thread Ben Hardesty (JIRA)

[ 
https://issues.apache.org/jira/browse/DISPATCH-333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16323039#comment-16323039
 ] 

Ben Hardesty commented on DISPATCH-333:
---

The Policy chapter already exists, so I'll use this JIRA to update and enhance 
that content.
