[rabbitmq-discuss] RabbitMQ logs, ticket check

Edwin Fine rabbitmq-discuss_efine at usa.net
Tue Aug 5 16:12:55 BST 2008


Ben,

Um, does this mean that:

In rabbitmqctl,

  add_realm    <VHostPath> <RealmName>
  delete_realm <VHostPath> <RealmName>
  list_realms  <VHostPath>
  set_permissions  <UserName> <VHostPath> <RealmName> [<Permission> ...]

will disappear?

Furthermore, does this mean that our code will have to remove all references
to realms? Or are you leaving all that syntax in place but just making it a
NOOP?

Regards,
Edwin

On Tue, Aug 5, 2008 at 10:56 AM, Ben Hood <0x6e6562 at gmail.com> wrote:

> Edwin, David,
>
> On Tue, Aug 5, 2008 at 3:20 PM, Edwin Fine
> <rabbitmq-discuss_efine at usa.net> wrote:
> > I get the same issue (for the same reason) using the Erlang client,
> namely
> > "Lax ticket check mode: ignoring cross-realm access for ticket 101"
> >  I'd appreciate an explanation as to what changed between 1.3.0 and 1.4.0
> to
> > make this happen, and a suggestion on what I need to do to get rid of the
> > warning.
>
> By default, strict ticket checking is turned off, which means that
> Rabbit will not enforce strict realm based ACL.
>
> When this is turned off, and a client sends down an invalid ticket,
> this will be treated as a NOOP and merely logged.
>
> This is useful for development scenarios.
>
> Usually you would turn this on in production, in which you actually
> cared about this type of ACL.
>
> Having said all of this, the whole topic of realm based access control
> is going to disappear very soon.
>
> We have decided that because although realms are in the spec, no other
> AMQP broker has bothered to implement them, and hence we should follow
> suit.
>
> Furthermore, realms are confusing, too fine grained as an ACL concept
> and the cost of their maintenance is not really justified by the
> minimal benefits they offer.
>
> For example, in Rabbit 1.3.0, 12% of the entire code base was
> dedicated to realm handling.
>
> Having said all of this, and for the record, what has changed between
> 1.3 and 1.4 is that a bug has been introduced, which we have already
> noted in our internal bug system.
>
> But instead of fixing this bug, because we are deleting realms anyway,
> we have decided to push through the realm deletion patch first
> (bug18994 in hg refers).
>
> We are in the late stages of QA'ing this, it will be merged into the
> default branch soon and upon which a new release will be made.
>
> HTH,
>
> Ben
>
>


-- 
For every expert there is an equal and opposite expert - Arthur C. Clarke
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20080805/3ad37602/attachment.htm 


More information about the rabbitmq-discuss mailing list