<div dir="ltr">Ben,<br><br>Um, does this mean that:<br><br>In rabbitmqctl, <br><br> add_realm <VHostPath> <RealmName><br> delete_realm <VHostPath> <RealmName><br> list_realms <VHostPath><br>
set_permissions <UserName> <VHostPath> <RealmName> [<Permission> ...]<br><br>will disappear?<br><br>Furthermore, does this mean that our code will have to remove all references to realms? Or are you leaving all that syntax in place but just making it a NOOP?<br>
<br>Regards,<br>Edwin<br><br><div class="gmail_quote">On Tue, Aug 5, 2008 at 10:56 AM, Ben Hood <span dir="ltr"><<a href="mailto:0x6e6562@gmail.com">0x6e6562@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Edwin, David,<br>
<div><div></div><div class="Wj3C7c"><br>
On Tue, Aug 5, 2008 at 3:20 PM, Edwin Fine<br>
<<a href="mailto:rabbitmq-discuss_efine@usa.net">rabbitmq-discuss_efine@usa.net</a>> wrote:<br>
> I get the same issue (for the same reason) using the Erlang client, namely<br>
> "Lax ticket check mode: ignoring cross-realm access for ticket 101"<br>
> I'd appreciate an explanation as to what changed between 1.3.0 and 1.4.0 to<br>
> make this happen, and a suggestion on what I need to do to get rid of the<br>
> warning.<br>
<br>
</div></div>By default, strict ticket checking is turned off, which means that<br>
Rabbit will not enforce strict realm based ACL.<br>
<br>
When this is turned off, and a client sends down an invalid ticket,<br>
this will be treated as a NOOP and merely logged.<br>
<br>
This is useful for development scenarios.<br>
<br>
Usually you would turn this on in production, in which you actually<br>
cared about this type of ACL.<br>
<br>
Having said all of this, the whole topic of realm based access control<br>
is going to disappear very soon.<br>
<br>
We have decided that because although realms are in the spec, no other<br>
AMQP broker has bothered to implement them, and hence we should follow<br>
suit.<br>
<br>
Furthermore, realms are confusing, too fine grained as an ACL concept<br>
and the cost of their maintenance is not really justified by the<br>
minimal benefits they offer.<br>
<br>
For example, in Rabbit 1.3.0, 12% of the entire code base was<br>
dedicated to realm handling.<br>
<br>
Having said all of this, and for the record, what has changed between<br>
1.3 and 1.4 is that a bug has been introduced, which we have already<br>
noted in our internal bug system.<br>
<br>
But instead of fixing this bug, because we are deleting realms anyway,<br>
we have decided to push through the realm deletion patch first<br>
(bug18994 in hg refers).<br>
<br>
We are in the late stages of QA'ing this, it will be merged into the<br>
default branch soon and upon which a new release will be made.<br>
<br>
HTH,<br>
<font color="#888888"><br>
Ben<br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>For every expert there is an equal and opposite expert - Arthur C. Clarke<br>
</div>