Qpid / QPID-4185

update example ACL example to be clearer and reduce extraneous logging from management operations

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.16
    • Fix Version/s: 0.19
    • Component/s: Java Broker
    • Labels:
      None

      Description

      The etc/broker_example.acl file currently contains an example of what users probably don't usually want to do with regard to logging ACL events for admin management users.

      By using ALLOW-LOG or DENY-LOG for all of the rules, this will have the result of logging a lot of extraneous info to do with individual JMX calls to retrieve attributes, get mbeaninfo, perform instanceof checks etc. Just having management consoles (our own, JConsole, etc) will produce a lot of log spam as a result when they poll for new info.

      What most users probably want typically is to allow 'read only' events by permissioning the 'ACCESS' operations using ALLOW and then separately permission the others with ALLOW-LOG, thus removing the noise and ensuring only operations that can actually cause change are logged, e.g.:

      ACL ALLOW admin ACCESS METHOD
      ACL ALLOW-LOG admin ALL METHOD
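
Added example (not part of the issue or of the Qpid code base): a simplified ordered, first-match evaluator that counts how many log entries the all-LOG rule set and the split rule set described above produce for a constructed console-polling workload. The UPDATE operation, the trailing DENY-LOG default rule, the event list and the no-match fallback are assumptions of this example.

```python
# Simplified model of ordered, first-match ACL evaluation (an assumption of
# this example, not the broker's code). Rule syntax follows the issue text:
#   ACL <permission> <identity> <operation> [<object>]
NOISY = """\
ACL ALLOW-LOG admin ACCESS METHOD
ACL ALLOW-LOG admin ALL METHOD
ACL DENY-LOG ALL ALL
"""
QUIET = """\
ACL ALLOW admin ACCESS METHOD
ACL ALLOW-LOG admin ALL METHOD
ACL DENY-LOG ALL ALL
"""

def parse(text):
    """Turn ACL lines into (permission, identity, operation, object) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "ACL" or len(parts) < 4:
            raise ValueError(f"unrecognised rule: {line!r}")
        perm, who, op = parts[1:4]
        obj = parts[4] if len(parts) > 4 else "ALL"  # object may be omitted
        rules.append((perm.upper(), who, op.upper(), obj.upper()))
    return rules

def decide(rules, user, op, obj):
    """Return (allowed, logged) from the first rule that matches."""
    for perm, who, r_op, r_obj in rules:
        if who in ("ALL", user) and r_op in ("ALL", op) and r_obj in ("ALL", obj):
            return perm.startswith("ALLOW"), perm.endswith("-LOG")
    return False, True  # assumed fallback: deny and log when nothing matches

# Constructed workload: a console polling attributes 20 times, then one change.
EVENTS = [("admin", "ACCESS", "METHOD")] * 20 + [("admin", "UPDATE", "METHOD")]

def audit(acl_text, events=EVENTS):
    """Return (allowed_count, logged_count) for the workload."""
    rules = parse(acl_text)
    results = [decide(rules, *e) for e in events]
    return sum(a for a, _ in results), sum(l for _, l in results)
```

Both rule sets allow the same 21 operations; only the number of log entries differs, and because the first match wins, the plain ALLOW rule for ACCESS has to come before the ALLOW-LOG rule for ALL.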
      

        Activity

        Alex Rudyy added a comment -

        Attached a patch resolving the issue

        Alex Rudyy added a comment -

        Robbie,

        Could you please review and commit the patch?

        Robbie Gemmell added a comment -

        Patch applied with some minor changes (left the DENY-LOG setting instead of DENY, for consistency with the default policy at the end, removed the pre-existing 'dead rule' example).


          People

          • Assignee:
            Robbie Gemmell
            Reporter:
            Alex Rudyy