Bug 849788
| Field | Value |
|---|---|
| Summary | ERD 4.1.3: Acl-1000-6, Substitution symbol for the actual user name in an ACL |
| Product | Red Hat Enterprise MRG |
| Component | qpid-cpp |
| Version | 2.1.2 |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Target Milestone | 2.3 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Irina Boverman <iboverma> |
| Assignee | Chuck Rolke <crolke> |
| QA Contact | Zdenek Kraus <zkraus> |
| CC | jross, lzhaldyb, mcressma, pematous, zkraus |
| Keywords | FutureFeature |
| Fixed In Version | qpid-cpp-0.18-1 |
| Doc Type | Enhancement |

Doc Text:
CAUSE:
Specifying Acl rules that allow named users to create named objects requires an endless number of Acl rules.
CONSEQUENCE:
Administrators must keep adding users to the Acl file to allow the users to use the broker.
FIX:
User name substitution keywords are added to the Acl file so that a single rule may apply to all users.
Keywords are created to substitute for the user name, the domain name, or the user and the domain name together.
Keyword substitution is allowed for object names, routing key names, alternate exchange names, and queue names.
Actual user and domain names are normalized. Periods and ampersands are replaced with underscores.
RESULT:
Any single rule using a name substitution may apply to thousands of different users, thus saving Acl file overhead and maintenance.
A simple set of Acl rules can give users freedom to create per-user or per-domain private resources by limiting the resource to contain the user's name or domain. Coincidentally, the same users are prevented from creating random resources, as the names of what they can create are strictly controlled.

| Field | Value |
|---|---|
| Clone Of | |
| | 852579 |
| Last Closed | 2013-03-06 18:51:42 UTC |
| Type | Bug |
| Bug Blocks | 808578, 852579 |
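
The substitution and normalization described in the Doc Text, as an added sketch that is not Qpid's code and not part of this bug report. It assumes the keyword spellings `${user}`, `${domain}` and `${userdomain}` from the upstream Qpid ACL documentation (this page does not list them), reads the note's "ampersands" as the `@` separator, and uses exact-match comparison and constructed sample identities. It also reports identities that become indistinguishable after normalization, which an administrator relying on per-user names would want to find.

```python
import re
from collections import defaultdict

# Assumption: keyword spellings as in the upstream Qpid ACL documentation.
KEYWORDS = ("${userdomain}", "${user}", "${domain}")

def normalize(name):
    """Replace '.' and '@' with '_' (the note's "periods and ampersands")."""
    return re.sub(r"[.@]", "_", name)

def identity(authenticated):
    """Split 'user@DOMAIN' into the three normalized substitution values."""
    user, _, domain = authenticated.partition("@")
    return {
        "${userdomain}": normalize(authenticated),
        "${user}": normalize(user),
        "${domain}": normalize(domain),
    }

def expand(pattern, authenticated):
    """Expand substitution keywords in one rule property value."""
    values = identity(authenticated)
    for keyword in KEYWORDS:
        pattern = pattern.replace(keyword, values[keyword])
    return pattern

def allowed(pattern, authenticated, requested):
    """True if the requested object name equals the expanded rule value.

    Simplification: exact match only, no ACL wildcards.
    """
    return expand(pattern, authenticated) == requested

def collisions(users):
    """Group distinct identities that normalize to the same ${userdomain}."""
    seen = defaultdict(list)
    for user in users:
        seen[normalize(user)].append(user)
    return {name: ids for name, ids in seen.items() if len(ids) > 1}

# Constructed sample identities, not taken from the bug report.
USERS = ["user1@QPID", "bob.smith@QPID.COM", "bob_smith@QPID.COM"]

if __name__ == "__main__":
    for user in USERS:
        print(user, "->", expand("myqueue.${userdomain}", user))
    print("colliding identities:", collisions(USERS))
```

Any two identities listed by `collisions` would expand to the same queue, exchange or routing key name under a per-user rule, so they share whatever that rule grants.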
Description
Irina Boverman
2012-08-20 21:20:03 UTC
Could you please specify details of this functionality?

1/ How is substitution used? Like queue-name=myqueue.$USER?
2/ What is the expected behaviour for a username that contains '.'?
3/ Is the substitution performed completely with @DOMAIN? For example, will a rule specified with queue-name=myqueue.$USER for user1@QPID substitute to myqueue.user1@QPID?

Please see comment dated 20/Aug/12 18:59 in https://issues.apache.org/jira/browse/QPID-4230

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
Tested on RHEL 6.3, RHEL 6.4, RHEL 5.8 and RHEL 5.9 on architectures i686 and x86_64.

Testing packages:
qpid-cpp-client-0.18-9.el5
qpid-cpp-server-0.18-9.el5
qpid-cpp-client-0.18-9.el6
qpid-cpp-server-0.18-9.el6
qpid-cpp-client-0.18-10.el6_3
qpid-cpp-server-0.18-10.el6_3
qpid-cpp-client-0.18-10.el5
qpid-cpp-server-0.18-10.el5

Feature is operational as expected -> VERIFIED.

Feature was successfully retested on RHEL 5.9, 6.4 && i686, x86_64 with packages qpid-cpp-server-0.18-13

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0561.html