'[jira] [Commented] (AMQ-3791) Flexibility, concurrency, security, and compatibility issues in Cached'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       activemq-dev
Subject:    [jira] [Commented] (AMQ-3791) Flexibility, concurrency, security, and compatibility issues in Cached
From:       "Dejan Bosanac (Commented) (JIRA)" <jira () apache ! org>
Date:       2012-03-29 15:44:25
Message-ID: 1311424737.33095.1333035865751.JavaMail.tomcat () hel ! zones ! apache ! org
[Download RAW message or body]


    [ https://issues.apache.org/jira/browse/AMQ-3791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13241321#comment-13241321 \
] 

Dejan Bosanac commented on AMQ-3791:
------------------------------------

We just need to make sure that's documented well for people using current plugins and \
want to upgrade.  
> Flexibility, concurrency, security, and compatibility issues in \
>                 CachedLDAPAuthorizationMap
> ------------------------------------------------------------------------------------------
>  
> Key: AMQ-3791
> URL: https://issues.apache.org/jira/browse/AMQ-3791
> Project: ActiveMQ
> Issue Type: Bug
> Components: Broker, Documentation
> Reporter: David Valeri
> 
> CachedLDAPAuthorizationMap provides support for dynamic AuthZ policy updates \
> without restarting the broker; however, I think there are several issues with the \
> implementation. 1) The underlying structures for storing and managing AuthZ policy \
> are not concurrent or synchronized. 2) DN manipulation using Strings is error prone \
> and the current implementation is case sensitive.  This case sensitivity leads to \
> issues with AD. 3) For synchronous updates to the AuthZ policy, the temp \
> destination policy is not reset and may retain out-of-date policy entries. 1) \
> Requires examining the usage of these structures and applying the necessary \
> protections. 2) Can be resolved with better String parsing or through applying the \
> changes in AMQ-3770 to CachedLDAPAuthorizationMap as well. 3) Can be resolved by \
> clearing the policy entry before repopulating the policy from LDAP. There are also \
> several enhancements to the configurability of the implementation that I see: 1) \
> Support user or group membership in the LDAP entry representing a permission on a \
> destination.  Allowing user DNs or group DNs here makes it easier to deal with \
> one-off policies for individual users. 2) Group membership in the LDAP entry \
> representing a permission on a destination should support use of the full DN, not \
> just the value of the member CN. 3) The based DN should be fully customizable and \
> the LDAP entry representing a permission on a destination should support use of an \
> optional prefix for uniqueness.  "cn=<PREFIX>read,ou=$,..." 4) The name of the \
> GroupPrincipal or UserPrincipal that is created from the policy in LDAP should be \
> flexible.  For instance, allow the group name or user name attribute to be \
> configured.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: \
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more \
information on JIRA, see: http://www.atlassian.com/software/jira

        


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic