delta/python-packages/qpid-python.git/cpp/src/qpid/broker/AclModule.h, branch QPID-6125-ProtocolRefactoring git.apache.org: qpid.git QPID-4947: C++ Broker ACL restricts hosts from which users may connect. 2014-07-15T22:54:51+00:00 Charles E. Rolke chug@apache.org 2014-07-15T22:54:51+00:00 7da35bee4c69c74281d47e37dfae08f817e5ac47 This commit adds: * Acl rule file "create connection host=hostname" support for allowing and denying connections. * AclHost class to represent a host specified in the rule file. * Global and user-specific lists of AclHost rules. Created by AclReader and consumed by AclConnectionCounter. * Address range checks and other giblets in SocketAddress: ** asString support to hide IPv6 decoration and service (port) details. ** binary comparison of network addresses. ** new firstAddress function to complement existing nextAddress. Socket addrinfo for AclHost objects is computed once only for lifetime of Acl file load. ** Posix and Windows implementations are identical. * New unit test for address comparisons. Testing a live broker is great but forcing connections to be from some arbitrary IPv4 or IPv6 address is hard. So there's a unit test for that. Further discussion about this feature is in https://reviews.apache.org/r/23322 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1610874 13f79535-47bb-0310-9956-ffa450edef68 
This commit adds:
* Acl rule file "create connection host=hostname" support for allowing and denying connections.
* AclHost class to represent a host specified in the rule file.
* Global and user-specific lists of AclHost rules. Created by AclReader and consumed by AclConnectionCounter.
* Address range checks and other giblets in SocketAddress:
** asString support to hide IPv6 decoration and service (port) details.
** binary comparison of network addresses.
** new firstAddress function to complement existing nextAddress. Socket addrinfo for AclHost objects is computed once only for lifetime of Acl file load.
** Posix and Windows implementations are identical.
* New unit test for address comparisons. Testing a live broker is great but forcing connections to be from some arbitrary IPv4 or IPv6 address is hard. So there's a unit test for that.

Further discussion about this feature is in https://reviews.apache.org/r/23322

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1610874 13f79535-47bb-0310-9956-ffa450edef68
QPID-5890: Refactor AclModule.h 2014-07-11T15:27:19+00:00 Charles E. Rolke chug@apache.org 2014-07-11T15:27:19+00:00 28d3fdc45776b1317a58c82cc9bada7050e80377 Move code from .h file into AclLexer source module. Does not change basic function structure. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1609728 13f79535-47bb-0310-9956-ffa450edef68 
Move code from .h file into AclLexer source module.
Does not change basic function structure.



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1609728 13f79535-47bb-0310-9956-ffa450edef68
QPID-5817: [C++ broker] Improve ACL authorisation of QMF methods and queries 2014-06-18T07:40:22+00:00 Pavel Moravec pmoravec@apache.org 2014-06-18T07:40:22+00:00 192742ada1386af87047662cb4a7f3d414984738 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1603364 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1603364 13f79535-47bb-0310-9956-ffa450edef68
QPID-5599: C++ Broker silently ignores --max-connections option when no ACL file is loaded 2014-03-05T02:33:46+00:00 Charles E. Rolke chug@apache.org 2014-03-05T02:33:46+00:00 a744fac5cb053ce78f878cbfce4d942be2b8a45f Simply installing a null and permissive rule file trips up the 'create link' security check. The security check from https://issues.apache.org/jira/browse/QPID-4631 reasons that if authentication is enabled and no ACL rule file is specified then interbroker links are denied. The check for 'ACL rule file is loaded' is simply the existence of the ACL object. That check is voided by always having an ACL object regardless of whether the ACL rule file was specified or not. One fix considered was adding an ACL rule "acl deny-log all create link" to the formerly null rule set when no ACL file is specified. This solution has too much complexity in several places and is too hard. The fix implemented here is a boolean flag indicating if the ACL rule set in force is specified by the user or not. Then the security check tests that the acl exists (always true) and that the rule set is specified by the user. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1574291 13f79535-47bb-0310-9956-ffa450edef68 
Simply installing a null and permissive rule file trips up the 'create link'
security check. The security check from 
https://issues.apache.org/jira/browse/QPID-4631 reasons that if authentication
is enabled and no ACL rule file is specified then interbroker links are 
denied. The check for 'ACL rule file is loaded' is simply the existence of
the ACL object. That check is voided by always having an ACL object regardless
of whether the ACL rule file was specified or not.

One fix considered was adding an ACL rule "acl deny-log all create link" to
the formerly null rule set when no ACL file is specified. This solution has
too much complexity in several places and is too hard.

The fix implemented here is a boolean flag indicating if the ACL rule set 
in force is specified by the user or not. Then the security check tests
that the acl exists (always true) and that the rule set is specified by the
user. 



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1574291 13f79535-47bb-0310-9956-ffa450edef68
QPID-5519: ACL property/properties for paged queues - fixed typo, added tests and documentation 2014-02-03T12:59:37+00:00 Pavel Moravec pmoravec@apache.org 2014-02-03T12:59:37+00:00 00c1d846b50589789a72849bf062088afb0497e7 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1563866 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1563866 13f79535-47bb-0310-9956-ffa450edef68
QPID-5519: ACL property/properties for paged queues 2014-02-02T14:51:12+00:00 Pavel Moravec pmoravec@apache.org 2014-02-02T14:51:12+00:00 e5d9a366048fba1a54102a65e0e3dec4c1a3e16c git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1563628 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1563628 13f79535-47bb-0310-9956-ffa450edef68
QPID-4373 fix ambiguous CLI args; restore C++ broker schema property 2012-10-17T15:36:05+00:00 Charles E. Rolke chug@apache.org 2012-10-17T15:36:05+00:00 124f1897eaf696caec448394e5769fe2c0b8d82a git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1399311 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1399311 13f79535-47bb-0310-9956-ffa450edef68
QPID-4142 C++ Broker connection counting. Revert r1371772 which applied only to 0.18 and is obsolete on trunk. 2012-09-07T20:24:43+00:00 Charles E. Rolke chug@apache.org 2012-09-07T20:24:43+00:00 d04cf221fb87a781600a9684c9e6b9eb9a7c6752 git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1382155 13f79535-47bb-0310-9956-ffa450edef68 
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1382155 13f79535-47bb-0310-9956-ffa450edef68
QPID-4268 C++ Broker Acl support for limiting on-disk store file size and count 2012-09-07T17:22:44+00:00 Charles E. Rolke chug@apache.org 2012-09-07T17:22:44+00:00 5c31a90ccae5cc4960ea1ed3e21567c0a0b1da4f Reviewed at https://reviews.apache.org/r/6838/ git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1382095 13f79535-47bb-0310-9956-ffa450edef68 
Reviewed at https://reviews.apache.org/r/6838/



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1382095 13f79535-47bb-0310-9956-ffa450edef68
QPID-2393 Limit number of queues per user. 2012-08-24T15:24:07+00:00 Charles E. Rolke chug@apache.org 2012-08-24T15:24:07+00:00 a43653215823a0d8f2e3cce4c33ff74c8762b75e Merge work from branches/qpid-2393 This scheme works for old HA as long as cluster members run with the same --max-queues-per-user setting. git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1376961 13f79535-47bb-0310-9956-ffa450edef68 
Merge work from branches/qpid-2393
This scheme works for old HA as long as cluster members run with the same --max-queues-per-user setting.



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@1376961 13f79535-47bb-0310-9956-ffa450edef68