> When I have an ACL, the documentation seems to indicate that the ACL is
> parsed for each message sent. Is this the case? If I have a very long ACL
> (say a million entries), would this be a performance problem?
I would assume that you meant ACL lookup when you meant "parsed".
For completeness, let me describe how ACL works.
ACL has an abstraction which provides lookup methods to figure out if
a particular action requested by the user is authorized.
This layer also holds the ACL rules in memory, which are used to
determine the above.
The important methods in this interface are
inline virtual bool doTransferAcl() {return transferAcl;}; -- which
we use as a switch to avoid an ACL lookup if no publish ACL is present.
The ACL lookup method used for publish ACL.
virtual bool authorise(const std::string& id, const Action& action,
const ObjectType& objType, const std::string& ExchangeName,const
std::string& RoutingKey);
The ACL lookup method used for all other ACL except publish ACL.
virtual bool authorise(const std::string& id, const Action& action,
const ObjectType& objType, const std::string& name, std::map<Property,
std::string>* params=0);
As mentioned, the above ACL abstraction has a data model which holds
the ACL rules.
These rules can be populated using any mechanism.
Currently the C++ broker ships with a file-based ACL, where the ACL
rules are described in a file.
This module parses the file and populates the data model described above.
There is also another effort to use an SELinux-based plugin to describe
the ACL, where the SELinux rules will be used to populate the Qpid
ACL data model.
So in theory you could write any mechanism to populate the ACL data model.
Rajith
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
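The following is an added illustration of the layering Rajith describes, not code from Qpid or from his message: an in-memory rule model, the doTransferAcl() switch, the two authorise() overloads (publish with exchange name plus routing key, everything else with an object name), and one populating mechanism, here a tiny line-based parser standing in for the broker's file-based ACL module. All type names, the rule-line format and the sample policy are constructed for the example; first matching rule wins and an unmatched request is denied.

```cpp
#include <cstddef>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical stand-ins for the broker's enums (not Qpid's definitions).
enum class Action { Publish, Consume, Create, Access };
enum class ObjectType { Exchange, Queue };
enum class Property { Durable };

// One entry of the ACL data model. "*" matches anything.
struct Rule {
    bool allow = false;
    std::string user = "*";
    Action action = Action::Access;
    ObjectType objType = ObjectType::Queue;
    std::string name = "*";   // exchange or queue name
    std::string key = "*";    // routing key, publish rules only
};

static bool parseAction(const std::string& s, Action& out) {
    if (s == "publish") out = Action::Publish;
    else if (s == "consume") out = Action::Consume;
    else if (s == "create") out = Action::Create;
    else if (s == "access") out = Action::Access;
    else return false;
    return true;
}

static bool parseObject(const std::string& s, ObjectType& out) {
    if (s == "exchange") out = ObjectType::Exchange;
    else if (s == "queue") out = ObjectType::Queue;
    else return false;
    return true;
}

static bool glob(const std::string& pattern, const std::string& value) {
    return pattern == "*" || pattern == value;
}

class AclStore {
public:
    // Populates the data model from text in the constructed format
    //   allow|deny <user|*> <action> <exchange|queue> <name|*> [<routing-key|*>]
    // '#' lines are comments. A malformed line rejects the whole policy so the
    // broker never runs with a half-loaded rule set.
    bool loadFromText(const std::string& text) {
        std::vector<Rule> parsed;
        bool sawPublish = false;
        std::istringstream lines(text);
        std::string line;
        while (std::getline(lines, line)) {
            if (line.empty() || line[0] == '#') continue;
            std::istringstream f(line);
            std::string verdict, act, obj, key;
            Rule r;
            if (!(f >> verdict >> r.user >> act >> obj >> r.name)) return false;
            if (f >> key) r.key = key;               // routing key is optional
            if (verdict == "allow") r.allow = true;
            else if (verdict == "deny") r.allow = false;
            else return false;
            if (!parseAction(act, r.action) || !parseObject(obj, r.objType)) return false;
            if (r.action == Action::Publish) sawPublish = true;
            parsed.push_back(r);
        }
        rules_ = parsed;
        transferAcl_ = sawPublish;                   // the switch is set at load time
        return true;
    }

    // The switch: false when no publish rule exists, so the per-message lookup can be skipped.
    bool doTransferAcl() const { return transferAcl_; }

    // Publish lookup: keyed on exchange name and routing key.
    bool authorise(const std::string& id, Action action, ObjectType objType,
                   const std::string& exchangeName, const std::string& routingKey) const {
        for (const Rule& r : rules_)
            if (r.action == action && r.objType == objType && glob(r.user, id) &&
                glob(r.name, exchangeName) && glob(r.key, routingKey))
                return r.allow;                      // first match decides
        return false;                                // no match: default deny
    }

    // Lookup for every other action; params is accepted but unused in this toy model.
    bool authorise(const std::string& id, Action action, ObjectType objType,
                   const std::string& name, std::map<Property, std::string>* params = nullptr) const {
        (void)params;
        for (const Rule& r : rules_)
            if (r.action == action && r.objType == objType && glob(r.user, id) && glob(r.name, name))
                return r.allow;
        return false;
    }

    std::size_t ruleCount() const { return rules_.size(); }

private:
    std::vector<Rule> rules_;
    bool transferAcl_ = false;
};

// What a broker's publish path does per message: consult the switch before any lookup.
bool publishAllowed(const AclStore& acl, const std::string& user,
                    const std::string& exchange, const std::string& routingKey) {
    if (!acl.doTransferAcl()) return true;           // no publish ACL loaded: no lookup at all
    return acl.authorise(user, Action::Publish, ObjectType::Exchange, exchange, routingKey);
}

// Constructed sample policy, not taken from any real deployment.
static const char* const kSamplePolicy =
    "# verdict user action object name [routing-key]\n"
    "allow alice publish exchange amq.topic news\n"
    "deny  *     publish exchange amq.topic *\n"
    "allow *     consume queue    orders\n"
    "allow bob   create  queue    *\n";

AclStore sampleStore() {
    AclStore s;
    s.loadFromText(kSamplePolicy);
    return s;
}
```

Note that the lookup here is a linear scan, so its cost grows with the rule count; the lookup cost, not any per-message re-parse, is what a very large rule set would stress, and a store meant for many entries would index rules by (user, action, object) so that the per-message check stays independent of how many rules were loaded.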