Details
- Improvement
- Status: Closed
- Major
- Resolution: Won't Fix
- 0.5
- None
- None
Description
It is a requirement for us to be able to enforce queue limit policies using the ACL authorisation mechanism. I therefore propose the following enhancement:
Add three new properties to the "create queue" rule: limitpolicy, maxqueuesize and maxqueuecount. The policy test can be implemented using existing code, but the numeric limits require a less-than-or-equal test. I.e. if a value for maxqueuesize is specified in the ACL file, an exception will be thrown if a value greater than this is specified in declareQueue. A value less than or equal would be acceptable. If maxqueuecount and/or maxqueuesize were omitted from the rule or specified as zero, the corresponding check would interpret the value as "unlimited".
Proposed code changes follow (prefixed with change-bar "|").
AclModule.h
.
.
.
enum Property
;
.
.
.
static inline Property getProperty(const std::string& str)
static inline std::string getPropertyStr(const Property p) {
switch (p)
return "";
}
.
.
.
// == Queues ==
propSetPtr p4(new propSet);
p4->insert(PROP_ALTERNATE); |
p4->insert(PROP_PASSIVE); |
p4->insert(PROP_DURABLE); |
p4->insert(PROP_EXCLUSIVE); |
p4->insert(PROP_AUTODELETE); |
p4->insert(PROP_LIMITPOLICY); |
p4->insert(PROP_MAXQUEUESIZE); |
p4->insert(PROP_MAXQUEUECOUNT); |
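Review bot: The change bars on the five existing inserts (PROP_ALTERNATE to PROP_AUTODELETE) show that this block alters existing lines as well as adding the three limit properties. Split that correction into its own change so the fix to existing behaviour can be reviewed and applied independently of the new feature, and confirm that the new PROP_LIMITPOLICY, PROP_MAXQUEUESIZE and PROP_MAXQUEUECOUNT values have matching entries in getProperty and getPropertyStr, since those bodies are not shown here.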
Note that currently (Qpid 0.5) this code appears to be incorrectly dereferencing p3 instead of p4.
SessionAdapter.cpp
.
.
.
void SessionAdapter::QueueHandlerImpl::declare(const string& name, const string& alternateExchange,
bool passive, bool durable, bool exclusive,
bool autoDelete, const qpid::framing::FieldTable& arguments)
{
AclModule* acl = getBroker().getAcl();
if (acl)
AclData.cpp
.
.
.
#include <boost/lexical_cast.hpp> . . . AclResult AclData::lookup(const std::string& id, const Action& action, const ObjectType& objType, const std::string& name, std::map<Property, std::string>* params) { AclResult aclresult = decisionMode; |
if (actionList[action] && actionList[action][objType]){
AclData::actObjItr itrRule = actionList[action][objType]->find(id);
if (itrRule == actionList[action][objType]->end())
itrRule = actionList[action][objType]->find("*");
if (itrRule != actionList[action][objType]->end() ) {
//loop the vector
for (ruleSetItr i=itrRule->second.begin(); i<itrRule->second.end(); i++) {
// loop the names looking for match
bool match =true;
for (propertyMapItr pMItr = i->props.begin(); (pMItr != i->props.end()) && match; pMItr++)
{
//match name is exists first
if (pMItr->first == acl::PROP_NAME){
if (!matchProp(pMItr->second, name))
}else if (params){ //match pMItr against params
propertyMapItr paramItr = params->find (pMItr->first);
if (paramItr == params->end())
else if ( pMItr->first == acl::PROP_MAXQUEUECOUNT || pMItr->first == acl::PROP_MAXQUEUESIZE ) {
if ( pMItr->first == paramItr->first )
{
| uint64_t aclMax = boost::lexical_cast<uint64_t>(pMItr->second);
| uint64_t paramMax = boost::lexical_cast<uint64_t>(paramItr->second);
| if (( aclMax ) && ( paramMax == 0 || paramMax > aclMax ))
| match = false;
| }
}else if (!matchProp(pMItr->second, paramItr->second)) { match = false; } } |
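Review bot: Both boost::lexical_cast<uint64_t> calls in the PROP_MAXQUEUECOUNT / PROP_MAXQUEUESIZE branch can throw boost::bad_lexical_cast, and nothing in the visible lines catches it. Per the description, paramItr->second is the value given in declareQueue, so a non-numeric string there raises inside lookup() instead of producing an ACL decision. Validate pMItr->second once when the ACL file is loaded, and treat a request value that does not parse as match = false. The inner test "if ( pMItr->first == paramItr->first )" is always true because paramItr came from params->find(pMItr->first), so it can be dropped. Exceeding the limit only clears match, so as far as these lines show the outcome falls back to later rules or decisionMode; the limit is enforced only when that fallback is a deny, which should be documented with the new properties.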
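The less-than-or-equal test described in this issue, as an added example (not code from the issue or from Qpid): a stand-alone comparison that parses both values strictly and returns false on malformed input instead of throwing. The names parseLimit and withinAclLimit are hypothetical; treating a requested value of 0 as "unlimited" follows the condition in the proposed AclData.cpp change.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <string>

// Strict decimal parse: digits only, so no sign, whitespace or hex prefix.
// Returns false on malformed or out-of-range input rather than throwing,
// which lets the caller fail closed.
static bool parseLimit(const std::string& text, uint64_t& out) {
    if (text.empty() || text.size() > 20) return false;  // 2^64-1 has 20 digits
    for (std::string::size_type i = 0; i < text.size(); ++i)
        if (text[i] < '0' || text[i] > '9') return false;
    errno = 0;
    unsigned long long v = std::strtoull(text.c_str(), 0, 10);
    if (errno == ERANGE) return false;
    out = static_cast<uint64_t>(v);
    return true;
}

// Hypothetical helper: true when the requested limit is acceptable under
// the maximum given in the ACL rule.
//   rule value 0        -> the rule imposes no limit ("unlimited")
//   requested value 0   -> client asks for an unlimited queue, which is
//                          acceptable only when the rule is unlimited too
//   otherwise           -> requested must be <= rule value
bool withinAclLimit(const std::string& ruleValue,
                    const std::string& requestedValue) {
    uint64_t ruleMax = 0, requested = 0;
    if (!parseLimit(ruleValue, ruleMax)) return false;        // bad rule value
    if (!parseLimit(requestedValue, requested)) return false; // bad request
    if (ruleMax == 0) return true;
    return requested != 0 && requested <= ruleMax;
}

int main() {
    // Constructed sample values: rule maximum first, requested value second.
    const char* cases[][2] = {{"1000", "1000"}, {"1000", "1001"},
                              {"1000", "0"}, {"0", "0"}, {"1000", "-1"}};
    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); ++i)
        std::cout << "max=" << cases[i][0] << " requested=" << cases[i][1]
                  << " -> " << (withinAclLimit(cases[i][0], cases[i][1])
                                    ? "within limit" : "rejected") << "\n";
    return 0;
}
```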