Yeah should be stable. 1.7 is a bit overdue. We really should consider cutting a newer version soon.
On Sat, Jul 13, 2013 at 2:59 PM, Garry Watkins <cats...@me.com> wrote:
> Took a look at it, and it should work for me. Thanks for the ultra fast
> resolution to the problem.
>
> Is the github version pretty stable for testing? When do you think 1.7 will
> be released?
>
> Thanks again for doing this so quickly.
> Garry
>
> On Jul 13, 2013, at 2:18 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>
>> Hi Garry,
>>
>> This is what I came up with:
>>
>> Firstly you need to implement the SecurityFactory trait. For example:
>>
>> https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/scala/org/apache/activemq/apollo/stomp/test/UserOwnershipSecurityFactory.scala#L29
>>
>> Then you need to set the 'security_factory' attribute of the broker
>> element to the name of the class you implemented it with. For example:
>> https://github.com/apache/activemq-apollo/blob/trunk/apollo-stomp/src/test/resources/apollo-stomp-custom-security.xml#L18
>>
>> This change is being tracked via:
>> https://issues.apache.org/jira/browse/APLO-330#comment-13707807
>>
>> On Fri, Jul 12, 2013 at 11:22 AM, Garry Watkins <cats...@me.com> wrote:
>>> That sounds good. I was searching in the code and that is where I thought
>>> I might be able to hook in.
>>>
>>> Why not add an authorizer attribute which is the class name of the custom
>>> authorizer.
>>>
>>> <access_rule allow="*" action="create destroy send"
>>>              authorizer="MyCustomAuthorizer"/>
>>> <access_rule allow="*" action="connect receive consume"
>>>              authorizer="MyCustomAuthorizer2"/>
>>>
>>> On Jul 12, 2013, at 11:01 AM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>>>
>>>> Ok then it seems like you will need to implement a custom Authorizer.
>>>> The interface of an Authorizer is quite simple. It looks like:
>>>>
>>>> trait Authorizer {
>>>>   def can(ctx:SecurityContext, action:String,
>>>>           resource:SecuredResource):Boolean;
>>>> }
>>>>
>>>> Basically the ctx will have the user info including the security
>>>> subject/cert info. The action is stuff like "send", and the resource
>>>> will be an instance of a virtualhost, queue, topic (etc.) that the
>>>> user is trying to perform the action against. The method just needs to
>>>> return true if it's allowed.
>>>>
>>>> The only problem is there does not yet exist a way to configure a
>>>> custom authorizer. Let me see if I can add support for that in the apollo
>>>> configuration.
>>>>
>>>> On Wed, Jul 10, 2013 at 6:38 PM, Garry Watkins <cats...@me.com> wrote:
>>>>> Yes, the users will be unknown at the time of connection.
>>>>>
>>>>> On Jul 10, 2013, at 3:00 PM, Hiram Chirino <hi...@hiramchirino.com> wrote:
>>>>>
>>>>>> And the user names are dynamic? You don't know them ahead of time?
>>>>>>
>>>>>> On Tue, Jul 9, 2013 at 4:14 PM, Garry Watkins <cats...@icloud.com> wrote:
>>>>>>> I have been looking at the documentation in the security section.
>>>>>>>
>>>>>>> http://activemq.apache.org/apollo/documentation/user-manual.html#Security
>>>>>>>
>>>>>>> I need to write code that will capture allow a queue to be created with
>>>>>>> the same name as the user. That user may then be allowed to receive and
>>>>>>> consume messages.
>>>>>>>
>>>>>>> Any hints about where I could inject this into the code?
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Jul 08, 2013, at 02:06 PM, Christian Posta
>>>>>>> <christian.po...@gmail.com> wrote:
>>>>>>>
>>>>>>> Should be the distinguished name from the X509 cert:
>>>>>>>
>>>>>>> http://docs.oracle.com/javase/6/docs/api/javax/security/auth/x500/X500Principal.html
>>>>>>>
>>>>>>> On Mon, Jul 8, 2013 at 1:31 PM, Garry Watkins <cats...@me.com> wrote:
>>>>>>>
>>>>>>> Ok, now that I know that I can do that.
>>>>>>>
>>>>>>> How does Apollo assign the username? What I want to do is have another
>>>>>>> process create a queue just for that user, and that is the only queue
>>>>>>> that user may access.
>>>>>>>
>>>>>>> Thanks for the speedy response.
>>>>>>>
>>>>>>> On Jul 8, 2013, at 1:28 PM, Christian Posta <christian.po...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Yep, try adding the following to your ssl connector:
>>>>>>>>
>>>>>>>> <connector id="default" bind="ssl://0.0.0.0:61614">
>>>>>>>>   <ssl client_auth="need" />
>>>>>>>> </connector>
>>>>>>>>
>>>>>>>> On Mon, Jul 8, 2013 at 12:51 PM, Garry Watkins <cats...@me.com> wrote:
>>>>>>>>
>>>>>>>>> Is it possible to use Client Certs for Authentication/Authorization
>>>>>>>>> for Apollo?
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Christian Posta*
>>>>>>>> http://www.christianposta.com/blog
>>>>>>>> twitter: @christianposta
>>>>>>
>>>>>> --
>>>>>> Hiram Chirino
>>>>>> Engineering | Red Hat, Inc.
>>>>>> hchir...@redhat.com | fusesource.com | redhat.com
>>>>>> skype: hiramchirino | twitter: @hiramchirino
>>>>>> blog: Hiram Chirino's Bit Mojo

--
Hiram Chirino
Engineering | Red Hat, Inc.
hchir...@redhat.com | fusesource.com | redhat.com
skype: hiramchirino | twitter: @hiramchirino
blog: Hiram Chirino's Bit Mojo
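
The per-user queue rule discussed in this thread, as an added example that is not part of the original messages and is not Apollo's own code. Only the `can` signature comes from the thread; `SecurityContext`, `SecuredResource`, `Queue` and `Topic` are minimal stand-ins with assumed fields, `OwnQueueAuthorizer` is a hypothetical name, and the user name is assumed to be the certificate's distinguished name as stated above. Written for Scala 2.13.

```scala
import javax.naming.ldap.LdapName
import scala.jdk.CollectionConverters._
import scala.util.Try

// Stand-ins with assumed fields; these are NOT Apollo's real classes.
final case class SecurityContext(user: String)
sealed trait SecuredResource { def id: String }
final case class Queue(id: String) extends SecuredResource
final case class Topic(id: String) extends SecuredResource

// Signature as quoted in the thread.
trait Authorizer {
  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean
}

// Hypothetical authorizer: a client may act only on the queue whose id equals
// the CN of its certificate DN. Covers queue decisions only; all else is denied.
class OwnQueueAuthorizer extends Authorizer {
  private val ownerActions = Set("create", "receive", "consume")

  // Parse the DN with the JDK's LdapName instead of substring matching, so
  // "CN=alice2" or an OU that merely contains "CN=alice" cannot match.
  private def commonName(dn: String): Option[String] =
    Try(new LdapName(dn)).toOption.flatMap { name =>
      name.getRdns.asScala.reverseIterator // most specific RDN first
        .find(_.getType.equalsIgnoreCase("CN"))
        .map(_.getValue.toString)
    }

  def can(ctx: SecurityContext, action: String, resource: SecuredResource): Boolean =
    resource match {
      case Queue(id) if ownerActions(action) =>
        // A missing or malformed DN gives None, so the check fails closed.
        Option(ctx.user).flatMap(commonName).contains(id)
      case _ => false
    }
}

object Demo extends App {
  val auth  = new OwnQueueAuthorizer
  val alice = SecurityContext("CN=alice,OU=clients,O=Example") // constructed DN
  assert(auth.can(alice, "consume", Queue("alice")))
  assert(!auth.can(alice, "consume", Queue("bob")))   // someone else's queue
  assert(!auth.can(alice, "send", Queue("alice")))    // action not granted
  assert(!auth.can(alice, "consume", Topic("alice"))) // not a queue
  assert(!auth.can(SecurityContext("CN=alice2,O=Example"), "consume", Queue("alice")))
  assert(!auth.can(SecurityContext("not a dn"), "create", Queue("alice")))
  println("all checks passed")
}
```

In the broker, an authorizer like this would be wired in through the SecurityFactory implementation named by the `security_factory` attribute, as described in the thread.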