This repository was archived by the owner on Apr 15, 2026. It is now read-only.
DISPATCH-1388: Clarify policy restrictions defined by vhost objects#540
Closed
ChugR wants to merge 1 commit into
Closed
DISPATCH-1388: Clarify policy restrictions defined by vhost objects#540ChugR wants to merge 1 commit into
ChugR wants to merge 1 commit into
Conversation
State more clearly that policy restrictions are applied to client requests at network ingress only. As I read the document now it is unclear if a policy restriction defined by a vhost would be applied to a request originated at a distant point in the network. Suppose I have two vhosts, vhost1 and vhost2, and two users, Alice and Bob. Vhost policy is enabled for address "orders": |"orders" | vhost1 | vhost2 | +---------+--------+--------+ | Alice | allow | deny | | Bob | deny | allow | If Alice creates a receiver for "orders" on vhost1 and Bob creates a sender for "orders" on vhost2 then the router network will Bob's sender to send messages to Alice's receiver. This is allowed even though user Alice is denied access to that address on vhost2 and user Bob is denied access on vhost1. There are separate namespaces for users on each vhost. What user Alice does on vhost1 is unaffected by the namespace restrictions applied to vhost2. Alice's identity is not propagated to vhost2 for subsequent authorization checks.
bhardesty
approved these changes
Jul 18, 2019
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
State more clearly that policy restrictions are applied to client requests
at network ingress only.
As I read the document now it is unclear if a policy restriction defined
by a vhost would be applied to a request originated at a distant point in
the network. Suppose I have two vhosts, vhost1 and vhost2, and two users,
Alice and Bob. Vhost policy is enabled for address "orders":
|"orders" | vhost1 | vhost2 |
+---------+--------+--------+
| Alice | allow | deny |
| Bob | deny | allow |
If Alice creates a receiver for "orders" on vhost1 and Bob creates a
sender for "orders" on vhost2 then the router network will Bob's
sender to send messages to Alice's receiver. This is allowed even though
user Alice is denied access to that address on vhost2 and user Bob
is denied access on vhost1.
There are separate namespaces for users on each vhost. What user Alice
does on vhost1 is unaffected by the namespace restrictions applied to
vhost2. Alice's identity is not propagated to vhost2 for subsequent
authorization checks.