sophokles73 opened this issue 8 years ago (status: Open)
This will only work with a very recent router from master. The last release had a bug preventing dynamic update of policy. I can create a new docker image.
Add the following to your router config:
connector {
addr:
Where
I've built an image from master for trying out: gordons/qpid-dispatch:master536e4da
(Note: this does not correspond to any official release from the Apache Qpid project.)
@grs, this is what our current policy definition file looks like
```json
[
  ["policyRuleset",
    {
      "applicationName": "hono",
      "maxConnections": 100,
      "maxConnPerUser": 20,
      "maxConnPerHost": 10,
      "userGroups": {
        "DEFAULT_TENANT": "user1@HONO",
        "anotherTenant": "user2@HONO",
        "anonymous": "anonymous"
      },
      "ingressHostGroups": {
        "any": "*"
      },
      "ingressPolicies": {
        "DEFAULT_TENANT": "any",
        "anotherTenant": "any"
      },
      "connectionAllowDefault": false,
      "settings": {
        "DEFAULT_TENANT": {
          "allowDynamicSrc": false,
          "allowAnonymousSender": false,
          "sources": "telemetry/DEFAULT_TENANT, telemetry/DEFAULT_TENANT/*",
          "targets": "telemetry/DEFAULT_TENANT"
        },
        "anotherTenant": {
          "allowDynamicSrc": false,
          "allowAnonymousSender": false,
          "sources": "telemetry/anotherTenant",
          "targets": "telemetry/anotherTenant"
        },
        "anonymous": {
          "allowDynamicSrc": false,
          "allowAnonymousSender": false,
          "sources": "telemetry/*",
          "targets": "telemetry/*"
        }
      }
    }
  ],
  ["policyRuleset",
    {
      "applicationName": "hono-internal",
      "maxConnections": 10,
      "maxConnPerUser": 10,
      "maxConnPerHost": 10,
      "userGroups": {
        "anonymous": "anonymous"
      },
      "ingressHostGroups": {
        "any": "*"
      },
      "ingressPolicies": {
        "anonymous": "any"
      },
      "connectionAllowDefault": false,
      "settings": {
        "anonymous": {
          "allowDynamicSrc": false,
          "allowAnonymousSender": false,
          "sources": "telemetry/*",
          "targets": "telemetry/*"
        }
      }
    }
  ]
]
```
The schema has changed since the 0.6.0 release. The details of the new schema are documented here: https://github.com/apache/qpid-dispatch/blob/master/doc/book/policy.adoc
I've pushed an update to the example policy that I think matches your policy above in the new schema. I kept the anonymous group, but this seems to bypass the restrictions for the two defined 'tenants'. I also haven't locked down the default vhost in any way.
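The bypass mentioned above (an `anonymous` group whose `telemetry/*` patterns cover the addresses granted to the two tenants) can be caught by a small lint over the ruleset file. The following Python script is an added example written for this thread; it is not part of Hono, Apache Qpid Dispatch, or any comment here. It reads a trimmed copy of the policy JSON pasted earlier (constructed inline), treats `*` as a shell-style wildcard (an assumption; it approximates rather than reproduces the router's own address matching), and reports every group whose source/target patterns reach an address that was granted specifically to another group. A second function shows the obvious mitigation of dropping the over-broad group and re-running the check.

```python
import copy
import fnmatch
import json

# Trimmed copy of the pre-0.7.0 ruleset pasted in this thread (constructed
# for this example; only the fields the check reads are kept).
POLICY_JSON = """
[
  ["policyRuleset", {
    "applicationName": "hono",
    "userGroups": {"DEFAULT_TENANT": "user1@HONO",
                   "anotherTenant": "user2@HONO",
                   "anonymous": "anonymous"},
    "ingressPolicies": {"DEFAULT_TENANT": "any", "anotherTenant": "any"},
    "settings": {
      "DEFAULT_TENANT": {"sources": "telemetry/DEFAULT_TENANT, telemetry/DEFAULT_TENANT/*",
                         "targets": "telemetry/DEFAULT_TENANT"},
      "anotherTenant": {"sources": "telemetry/anotherTenant",
                        "targets": "telemetry/anotherTenant"},
      "anonymous": {"sources": "telemetry/*", "targets": "telemetry/*"}
    }
  }],
  ["policyRuleset", {
    "applicationName": "hono-internal",
    "userGroups": {"anonymous": "anonymous"},
    "ingressPolicies": {"anonymous": "any"},
    "settings": {"anonymous": {"sources": "telemetry/*", "targets": "telemetry/*"}}
  }]
]
"""


def load_policy(text):
    """Parse the ruleset file (a JSON list of ["policyRuleset", {...}] entries)."""
    return json.loads(text)


def split_patterns(value):
    """The old schema stores address lists as one comma-separated string."""
    return [p.strip() for p in value.split(",") if p.strip()]


def concrete_addresses(cfg):
    """Wildcard-free addresses a group was granted explicitly."""
    addrs = set()
    for key in ("sources", "targets"):
        for pattern in split_patterns(cfg.get(key, "")):
            if "*" not in pattern:
                addrs.add(pattern)
    return addrs


def find_overreach(policy):
    """Map '<application>/<group>' to the sorted list of other groups'
    explicit addresses that this group's patterns also match.

    Assumption: '*' is matched as a shell wildcard (fnmatch), which is an
    approximation of the router's own prefix/wildcard handling.
    """
    findings = {}
    for kind, ruleset in policy:
        if kind != "policyRuleset":
            continue
        settings = ruleset["settings"]
        for group, cfg in settings.items():
            patterns = (split_patterns(cfg.get("sources", ""))
                        + split_patterns(cfg.get("targets", "")))
            reached = set()
            for other, other_cfg in settings.items():
                if other == group:
                    continue
                for addr in concrete_addresses(other_cfg):
                    if any(fnmatch.fnmatchcase(addr, pat) for pat in patterns):
                        reached.add(addr)
            if reached:
                findings[f"{ruleset['applicationName']}/{group}"] = sorted(reached)
    return findings


def without_group(policy, application, group):
    """Return a copy of the policy with one user group removed from the
    named application's userGroups, ingressPolicies and settings."""
    result = copy.deepcopy(policy)
    for kind, ruleset in result:
        if kind == "policyRuleset" and ruleset["applicationName"] == application:
            for section in ("userGroups", "ingressPolicies", "settings"):
                ruleset.get(section, {}).pop(group, None)
    return result


if __name__ == "__main__":
    pol = load_policy(POLICY_JSON)
    for name, addrs in find_overreach(pol).items():
        print(f"{name} also reaches: {', '.join(addrs)}")
    print("after removing hono/anonymous:",
          find_overreach(without_group(pol, "hono", "anonymous")))
```

Run against the pasted policy, the only finding is `hono/anonymous`, which reaches both `telemetry/DEFAULT_TENANT` and `telemetry/anotherTenant`; the `hono-internal` ruleset has no second group to overreach, so it is clean. Removing the group from the `hono` ruleset empties the findings, which is the state you want before trusting the per-tenant restrictions.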
@grs,
is the changed schema already supported in Dispatch 0.6.1? If yes, would you be able to create a new Docker image for 0.6.1 so that we can adopt it in Hono?
@sophokles73,
No, it is not in 0.6.1. It will be in 0.7.0, for which a release candidate is planned for next week sometime. I'm taking a few days off, but if it's out the second half of next week I can build a corresponding docker image and then update again when it's actually published.
That would be great, Gordon :-) Thanks for the support and have a great time during your days off!
Hi, thanks for creating this prototype, Gordon. However, I am afraid that without an example qdrouter.conf we will not be able to connect our Dispatch Router(s) to this.
The policy configuration we are currently using in our standalone dispatch router also looks completely different from the structure used in `desired.js`. So it is unclear to me how (what format/syntax) we would actually need to configure authorization policies. I guess we would need to change the `desired.js` file, but since it seems to use a totally different syntax we're kinda lost ...