activemq-dev mailing list archives

From Lionel Cons <lionel.c...@cern.ch>
Subject Apollo Authorization In Practice
Date Tue, 21 Jun 2011 10:27:05 GMT
Hiram,

We discussed authorization several times and, AFAIK, what is currently in
Apollo does work and is complete (= allows fine tuning).

However, when I try to put it in practice in our environment, I end up with
a huge messy XML file.

Here is our (simple and real) use case, with only one application (app1):
 - we only use groups for authorization
 - the "admins" can do everything everywhere
 - the "monitors" can send and receive messages for all destinations
   starting with "monitor." (used to monitor the broker, using Nagios)
 - the "app1_producers" can send messages to all destinations starting
   with "app1."
 - the "app1_consumers" can receive messages from all destinations
   starting with "app1."
 - everything which is not allowed is denied

Here is the XML that I had to write to implement this use case. This is to
be included in the relevant <virtual_host> element:

    <!-- monitoring -->
    <topic id="monitor.*">
      <acl>
        <create allow="monitors"/>
        <destroy allow="monitors"/>
        <send allow="monitors"/>
        <receive allow="monitors"/>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
      </acl>
    </topic>
    <queue id="monitor.*">
      <acl>
        <create allow="monitors"/>
        <destroy allow="monitors"/>
        <send allow="monitors"/>
        <receive allow="monitors"/>
        <consume allow="monitors"/>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
        <consume allow="admins"/>
      </acl>
    </queue>
    <dsub id="monitor.*">
      <acl>
        <create allow="monitors"/>
        <destroy allow="monitors"/>
        <send allow="monitors"/>
        <receive allow="monitors"/>
        <consume allow="monitors"/>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
        <consume allow="admins"/>
      </acl>
    </dsub>

    <!-- application 1 clients -->
    <topic id="app1.*">
      <acl>
        <create allow="app1_producers"/>
        <create allow="app1_consumers"/>
        <destroy allow="app1_producers"/>
        <destroy allow="app1_consumers"/>
        <send allow="app1_producers"/>
        <receive allow="app1_consumers"/>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
      </acl>
    </topic>
    <queue id="app1.*">
      <acl>
        <create allow="app1_producers"/>
        <create allow="app1_consumers"/>
        <destroy allow="app1_producers"/>
        <destroy allow="app1_consumers"/>
        <send allow="app1_producers"/>
        <receive allow="app1_consumers"/>
        <consume allow="app1_consumers"/>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
        <consume allow="admins"/>
      </acl>
    </queue>
    <dsub id="app1.*">
      <acl>
        <create allow="app1_producers"/>
        <create allow="app1_consumers"/>
        <destroy allow="app1_producers"/>
        <destroy allow="app1_consumers"/>
        <send allow="app1_producers"/>
        <receive allow="app1_consumers"/>
        <consume allow="app1_consumers"/>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
        <consume allow="admins"/>
      </acl>
    </dsub>

    <!-- admins can do everything everywhere -->
    <topic>
      <acl>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
      </acl>
    </topic>
    <queue>
      <acl>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
        <consume allow="admins"/>
      </acl>
    </queue>
    <dsub>
      <acl>
        <create allow="admins"/>
        <destroy allow="admins"/>
        <send allow="admins"/>
        <receive allow="admins"/>
        <consume allow="admins"/>
      </acl>
    </dsub>

This probably can be compressed a bit but this represents around 100 lines
of XML. Adding another application (like app1) would add around 50 lines.

To make things worse, the non-security settings (e.g. slow_consumer_policy
for a topic) have to be inserted in the same place. This is good for the
broker (one lookup and you have all the settings for a destination) but not
for the human being that has to manage the configuration.

As discussed some time ago, another approach would be to use what firewalls
(like iptables) do: a single list of rules. Our use case could be coded with
something like (again under <virtual_host>):

  <acl>
    <allow subject="admins" action="*" object="*" id="*"/>
    <allow subject="monitors" action="*" object="*" id="monitor.*"/>
    <allow subject="app1_producers,app1_consumers" action="create,destroy" object="*" id="app1.*"/>
    <allow subject="app1_producers" action="send" object="*" id="app1.*"/>
    <allow subject="app1_consumers" action="receive,consume" object="*" id="app1.*"/>
    <!-- next line would probably be implicit -->
    <deny subject="*" action="*" object="*" id="*"/>
  </acl>

(what I called object is the resource type as queue|topic|dsub)
(each attribute="*" could be omitted)

We end up with something much smaller, without duplication (cf. the admins
line in the big XML), easier to understand and very close to the English
specification.

What do you think about this?

Cheers,

Lionel
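To make the semantics of the proposed single-list ACL concrete, here is a small evaluator for it, written as an added example (it is not Apollo code and not part of the original message). It parses the rule list exactly as proposed above and decides a request the way a firewall would. Everything beyond what the message states is an assumption: rules are checked top to bottom and the first matching rule wins; attribute values are comma-separated lists of glob patterns where `*` matches any run of characters; an omitted attribute means `*`; and a request that matches no rule is denied (the implicit last line). A second rule list, with the deny line moved to the top, shows the ordering pitfall that comes with first-match evaluation.

```python
"""Evaluator for the firewall-style ACL proposed in the message (added example).

Assumptions not stated in the message:
  - rules are evaluated top to bottom, first match wins (iptables style)
  - attribute values are comma-separated glob patterns ("*" matches anything)
  - an omitted attribute behaves like "*"
  - a request matching no rule is denied (the "implicit" last line)
"""
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

# The rule list as proposed in the message.
PROPOSED_ACL = """
<acl>
  <allow subject="admins" action="*" object="*" id="*"/>
  <allow subject="monitors" action="*" object="*" id="monitor.*"/>
  <allow subject="app1_producers,app1_consumers" action="create,destroy" object="*" id="app1.*"/>
  <allow subject="app1_producers" action="send" object="*" id="app1.*"/>
  <allow subject="app1_consumers" action="receive,consume" object="*" id="app1.*"/>
  <deny subject="*" action="*" object="*" id="*"/>
</acl>
"""

# Constructed variant: same rules, but the catch-all deny placed first.
# With first-match semantics it shadows every allow rule that follows it.
SHADOWED_ACL = """
<acl>
  <deny subject="*" action="*" object="*" id="*"/>
  <allow subject="admins" action="*" object="*" id="*"/>
</acl>
"""

FIELDS = ("subject", "action", "object", "id")


def parse_acl(xml_text):
    """Return a list of (is_allow, {field: [patterns]}) in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if not isinstance(el.tag, str):      # skip XML comments, if retained
            continue
        if el.tag not in ("allow", "deny"):
            raise ValueError("unknown rule element: %s" % el.tag)
        # An omitted attribute is treated as "*" (assumption, see module doc).
        patterns = {f: [p.strip() for p in el.get(f, "*").split(",")] for f in FIELDS}
        rules.append((el.tag == "allow", patterns))
    return rules


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(rules, groups, action, obj, dest_id):
    """Decide one request; groups are the principal's group names.

    The first rule whose subject matches any of the groups and whose
    action/object/id all match decides the outcome. No match means deny.
    """
    request = {"action": action, "object": obj, "id": dest_id}
    for is_allow, patterns in rules:
        if not any(_matches(patterns["subject"], g) for g in groups):
            continue
        if all(_matches(patterns[f], request[f]) for f in request):
            return is_allow
    return False


# The English specification from the message, as (groups, action, object, id, expected).
SPEC = [
    ({"admins"}, "destroy", "queue", "anything.at.all", True),
    ({"monitors"}, "send", "topic", "monitor.broker", True),
    ({"monitors"}, "receive", "queue", "monitor.broker", True),
    ({"monitors"}, "send", "topic", "app1.orders", False),
    ({"app1_producers"}, "create", "queue", "app1.orders", True),
    ({"app1_producers"}, "send", "queue", "app1.orders", True),
    ({"app1_producers"}, "receive", "queue", "app1.orders", False),
    ({"app1_consumers"}, "consume", "queue", "app1.orders", True),
    ({"app1_consumers"}, "send", "topic", "app1.orders", False),
    ({"app1_consumers"}, "receive", "topic", "monitor.broker", False),
    ({"unknown"}, "send", "topic", "monitor.broker", False),
]


def check_against_spec(rules, spec=SPEC):
    """Return the spec entries whose decision differs from the expectation."""
    return [case for case in spec if is_allowed(rules, *case[:4]) != case[4]]


if __name__ == "__main__":
    rules = parse_acl(PROPOSED_ACL)
    print("mismatches against the English spec:", check_against_spec(rules))
    print("admins with deny-first ordering:",
          is_allowed(parse_acl(SHADOWED_ACL), {"admins"}, "send", "topic", "x"))
```

`check_against_spec` returns an empty list for the proposed rule list, so the six lines do reproduce the use case; with the deny line moved first, even `admins` are refused, which is why rule order has to be treated as part of the policy, exactly as with iptables.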
