Qpid / QPID-4230

C++ Broker could use username substitution keyword strings in Acl rules

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.19
    • Fix Version/s: 0.19
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      Acl processing in the broker could perform username substitution into Acl rules. This would provide an easy and flexible way to constrain users.

      1. Let the literal string ${user} be the keyword placed into Acl files.
      2. When expanded ${user} will become the full authenticated userId such as 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing between 'bob@QPID' and 'bob@EXAMPLE.COM'.
      3. Username keyword substitution is performed only on object names and in routing keys.

      Acl rule file examples:

      acl allow all create exchange name=temp-${user}
      acl allow all access exchange name=temp-${user}
      acl allow all bind exchange name=temp-${user}
      acl allow all unbind exchange name=temp-${user}
      acl allow all delete exchange name=temp-${user}
      acl allow all publish exchange name=temp-${user} routingkey=temp.${user}

      acl allow all create queue name=temp-${user}
      acl allow all access queue name=temp-${user}
      acl allow all purge queue name=temp-${user}
      acl allow all consume queue name=temp-${user}
      acl allow all delete queue name=temp-${user}

      Using a rule set like this would allow all users to create a private temp- exchange and a private temp- queue bound to their user names.

        Activity

        Chuck Rolke added a comment -

        https://reviews.apache.org/r/6645/ is the proposed implementation of this feature.

        1. This patch does not change the syntax for the Acl file. It adds keyword interpretation to the Acl file content.

        2. The substitution keywords are: "${user}", "${domain}", and "${userdomain}".

        3. User and domain names are normalized by replacing period "." and ampersand "@" with underscore "_".

        4. For user bob.user@QPID.COM the run-time substitution values would be

         Keyword       Value
         ============= =================
         ${user}       bob_user
         ${domain}     QPID_COM
         ${userdomain} bob_user_QPID_COM
        

        5. Keyword substitution is allowed for

        • Any object name: exchange, queue, link, broker, method
        • Routing keys
        • Alternate exchange name
        • Queue name

        6. For routing key lookups the ${userdomain} keyword is found before either ${user} or ${domain}.
        If the user presents a routing key lookup of "bob_user_QPID_COM" then it will match an Acl rule with ${userdomain} and not with ${user}_${domain}.

        7. Example Acl file. This example allows any user to create a private queue and exchange to which only that user may bind. The queue and exchange may have a private backup exchange and queue to which only that user may bind.

        # Create primary queue and exchange:
        #   allow predefined alternate
        #   deny  any other alternate
        #   allow no alternate
        acl allow all create  queue    name=${userdomain}-work alternate=${userdomain}-work2
        acl deny  all create  queue    name=${userdomain}-work alternate=*
        acl allow all create  queue    name=${userdomain}-work
        acl allow all create  exchange name=${userdomain}-work alternate=${userdomain}-work2
        acl deny  all create  exchange name=${userdomain}-work alternate=*
        acl allow all create  exchange name=${userdomain}-work
        # Create backup queue and exchange
        #   Deny any alternate
        acl deny  all create  queue    name=${userdomain}-work2 alternate=*
        acl allow all create  queue    name=${userdomain}-work2
        acl deny  all create  exchange name=${userdomain}-work2 alternate=*
        acl allow all create  exchange name=${userdomain}-work2
        # Bind/unbind primary exchange
        #  Use only predefined routingkey and queuename
        acl allow all bind    exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work
        acl allow all unbind  exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work
        # Bind/unbind backup exchange
        #  Use only predefined routingkey and queuename
        acl allow all bind    exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2
        acl allow all unbind  exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2
        # Access primary exchange
        #  Use only predefined routingkey and queuename
        acl allow all access  exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work
        # Access backup exchange
        #  Use only predefined routingkey and queuename
        acl allow all access  exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2
        # Publish primary exchange
        #  Use only predefined routingkey
        acl allow all publish exchange name=${userdomain}-work routingkey=${userdomain}
        # Publish backup exchange
        #  Use only predefined routingkey
        acl allow all publish exchange name=${userdomain}-work2 routingkey=${userdomain}
        # deny mode
        acl deny all all
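
The normalization and keyword expansion described in items 3 to 6, as an added example that is not part of the comment and is not the broker's code. The function names, the split at the first '@' and the sample ids are assumptions. Because '.', '@' and '_' all end up as '_', distinct user ids can expand to the same "private" object name, and `collisions` reports such groups for a given rule pattern.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct AclSubst { std::string user, domain, userdomain; };
// Item 3 of the comment: '.' and '@' both become '_'.
static std::string normalize(std::string s) {
    for (char& c : s) if (c == '.' || c == '@') c = '_';
    return s;
}
// Assumption: the id is split at the first '@'; no '@' means an empty domain.
AclSubst substValues(const std::string& id) {
    const std::string::size_type at = id.find('@');
    return {normalize(id.substr(0, at)),
            at == std::string::npos ? std::string() : normalize(id.substr(at + 1)),
            normalize(id)};
}
// Single pass, so text inserted for one keyword is never expanded again.
std::string expand(const std::string& text, const AclSubst& v) {
    const std::pair<std::string, std::string> kw[] = {
        {"${userdomain}", v.userdomain}, {"${user}", v.user}, {"${domain}", v.domain}};
    std::string out;
    for (std::string::size_type p = 0; p < text.size();) {
        bool hit = false;
        for (const auto& k : kw)
            if (!hit && text.compare(p, k.first.size(), k.first) == 0) {
                out += k.second; p += k.first.size(); hit = true;
            }
        if (!hit) out += text[p++];
    }
    return out;
}
// Constructed sample ids (not from the page).
std::vector<std::string> sampleIds() {
    return {"bob.user@QPID.COM", "bob_user@QPID.COM", "bob@user.QPID.COM", "alice@QPID.COM"};
}
// Map each expanded name to the ids that produce it; keep only shared names.
std::map<std::string, std::vector<std::string>>
collisions(const std::string& pattern, const std::vector<std::string>& ids) {
    std::map<std::string, std::vector<std::string>> all, shared;
    for (const auto& id : ids) all[expand(pattern, substValues(id))].push_back(id);
    for (const auto& e : all) if (e.second.size() > 1) shared.insert(e);
    return shared;
}
int main() {
    for (const auto& e : collisions("${userdomain}-work", sampleIds()))
        std::cout << e.first << " <- " << e.second.size() << " ids\n";
}
```

Running the same check over a real user directory before deploying per-user rules shows whether any two accounts would share a queue or exchange name.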
        
        Chuck Rolke added a comment -

        Fixed with checkins r1375195 and r1375583


          People

          • Assignee:
            Chuck Rolke
            Reporter:
            Chuck Rolke