Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 0.22
    • Fix Version/s: 0.23
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      Though e.g. creation of queues and exchanges is governed by ACL rules, creation of connections is not and this should be rectified.

        Activity

        Justin Ross made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Gordon Sim made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Chuck Rolke made changes -
        Field Original Value New Value
        Comment [ The existing code has a per-IP-address ACL connection quota specified by a single value in the command line or by specification of individual users in the ACL file. The proposed new feature would add a new Action/Object pair to the ACL rule file:
        {noformat}
        acl allow create connection address=<address spec> [user=<user spec>]
        {noformat}
        Impact assessment:

        ||Design consideration||Proposed feature||
        |Threading model|multithread - ACL structures need locks|
        |Memory management|Per-IPaddress counters kept in new instance of existing structure|
        |Automated testing approach|Existing ACL test scheme could prove this feature|
        |Impact on public API|Changes ACL file syntax|
        |- Interoperability with implementations in other languages|n/a|
        |- Backwards compatibility|not backward compatible|
        |Performance implications|Insignificant|
        |Security implications|This feature is a security enhancement|
        |Platform support|n/a|
        |Logging|Logs in 'usual' ACL log format|
        |Monitoring|Count of denied connections already exists|
        |Management|no changes|

        However, how, practically, would one *specify host addresses?* If you want to allow connections from the 10.1.0.0/16 subnet the code today would force you to specify 65k lines of ACL rules and that's not very useful. It would be _easier_ coding for ACL to allow the address to be specified as:
        {noformat}
        10.1.*
        {noformat}
        and _harder_ coding to allow the address to be specified as
        {noformat}
        10.1.0.0/16
        {noformat}
        The same wildcard rule would apply to both IPv4 and IPv6 addresses.

        If a simple wildcard is OK then this feature would be relatively easy to add. ]
        Gordon Sim created issue -

          People

          • Assignee:
            Gordon Sim
            Reporter:
            Gordon Sim
          • Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development