[CUBRIDMAN-234] Add broker parameters for ACL per broker #545
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
airnet73
requested review from
mhoh3963,
kwonhoil,
junsklee,
kavin0718,
bagus-kim and
hiclass
as code owners
kisoo-han
reviewed
Sep 20, 2024
kisoo-han
reviewed
Sep 20, 2024
ko/admin/config.rst
Outdated
| | | +-----------------------------------------+--------+------------------------------+-----------+ | ||
| | | | REPLICA_ONLY | string | OFF | | | ||
| | | +-----------------------------------------+--------+------------------------------+-----------+ | ||
| | | | ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER | string | DENY | | |
There was a problem hiding this comment.
- ACCESS_CONTROL의 타입은 bool인데 비해서 ACCSS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER의 타입은 string 입니다. 'bool'이 더 정확한 타입이 아닐까 합니다.
- ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER의 default 값이 DENY라면, ACCESS_CONTROL parameter를 설정하지 않은 경우 DENY가 적용되는 것으로 이해되는데요. 제 생각에는 default value가 'ACCESS_CONTROL 설정값' 이 아닐까 합니다.
- config.rst의 표에서 파라미터 이름이 길어서 전제 표를 수정하신 것 같은데, commit을 아래 처럼 했다면 리뷰가 더 쉬웠을듯 합니다.
commit1. 기존 표의 파라미터 이름의 width를 확장
commit2. 확장된 표에 ACCSS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER 추가.
There was a problem hiding this comment.
string 타입을 bool 타입으로 변경하겠습니다.
There was a problem hiding this comment.
ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER의 default 값이 DENY라면, ACCESS_CONTROL parameter를 설정하지 않은 경우 DENY가 적용되는 것으로 이해되는데요. 제 생각에는 default value가 'ACCESS_CONTROL 설정값' 이 아닐까 합니다.
ACCESS_CONTROL 을 ON으로 설정하더라도 ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER 의 default 값은 DENY 입니다. 따라서 ACCESS_CONTROL 설정 값이 ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER 의 default 값이 될 수 는 없습니다.
There was a problem hiding this comment.
- 제 의도는 ACCESS_CONTROL을 설정하지 않은 경우 입니다. 이 경우는 모든 broker가 ALLOW가 되어야 맞는데, ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER를 설정하지 않으면 DENY로 된다는 의미로 해석된다는 예기 입니다.
- ACCESS_CONTROL/ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER 모두 설정하지 않은 경우 사용자가 생각하는 action이 좀 애매할 수 있다는 예기입니다.
- 어딘가에 ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER는 ACCESS_CONTROL parameter의 값이 ON 인 경우 유효하다는 표현이 필요하지 않을까요? 이 부분이 전제가 된다면 기본값 DENY는 정확한 표현이 됩니다.
kisoo-han
reviewed
Sep 20, 2024
kisoo-han
reviewed
Sep 20, 2024
kisoo-han
reviewed
Sep 20, 2024
kisoo-han
approved these changes
Sep 20, 2024
kwonhoil
approved these changes
Sep 20, 2024
mhoh3963
reviewed
Sep 20, 2024
ko/admin/control.rst
Outdated
| @@ -1482,7 +1483,13 @@ ip_list_file의 작성 형식은 다음과 같다. | |||
|
|
|||
| * <ip_addr>: 접근을 허용할 IP 명. 뒷자리를 \*로 입력하면 뒷자리의 모든 IP를 허용한다. | |||
|
|
|||
| **ACCESS_CONTROL** 값이 ON인 상태에서 **ACCESS_CONTROL_FILE**\이 지정되지 않으면 브로커는 localhost에서의 접속 요청만을 허용한다. | |||
| **ACCESS_CONTROL** 값이 ON 상태에서 **ACCESS_CONTROL_FILE**\에 지정되지 않으면 브로커는 localhost에서만 접속을 허용한다. | |||
| 그러나 **ACCESS_CONTROL_FILE** 에 지정되지 않은 브로커의 경우, **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** 의 값을 ALLOW로 설정하면, 브로커는 모든 접속 요청을 허용한다. | |||
There was a problem hiding this comment.
Suggested change
| 그러나 **ACCESS_CONTROL_FILE** 에 지정되지 않은 브로커의 경우, **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** 의 값을 ALLOW로 설정하면, 브로커는 모든 접속 요청을 허용한다. | |
| 그러나 **ACCESS_CONTROL_FILE** 에 지정되지 않은 브로커의 경우, **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** 의 값을 ALLOW로 설정한 브로커들에 대해서는 모든 접속 요청을 허용한다. |
mhoh3963
approved these changes
Sep 20, 2024
bagus-kim
approved these changes
Sep 23, 2024
hiclass
approved these changes
Sep 25, 2024
kisoo-han
approved these changes
Sep 26, 2024
junsklee
reviewed
Oct 2, 2024
| @@ -1462,8 +1462,8 @@ Limiting Broker Access | |||
| ---------------------- | |||
|
|
|||
| To limit the client applications accessing the broker, set to **ON** for the **ACCESS_ CONTROL** parameter in the **cubrid_broker.conf** file, and enter a name of the file in which the users and the list of databases and IP addresses allowed to access the **ACCESS_CONTROL_FILE** parameter value are written. | |||
| The default value of the **ACCESS_CONTROL** broker parameter is **OFF**. | |||
| The **ACCESS_CONTROL** and **ACCESS_CONTROL_FILE** parameters must be written under [broker] which common parameters are specified. | |||
| The default value of the **ACCESS_CONTROL** broker parameter is **OFF**. All access to brokers not listed in **ACCESS_CONTROL_FILE** is restricted. Even not listed in **ACCESS_CONTROL_FILE**, you can allow access to a specific broker by setting **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** to **ALLOW** for that broker. | |||
There was a problem hiding this comment.
Suggested change
| The default value of the **ACCESS_CONTROL** broker parameter is **OFF**. All access to brokers not listed in **ACCESS_CONTROL_FILE** is restricted. Even not listed in **ACCESS_CONTROL_FILE**, you can allow access to a specific broker by setting **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** to **ALLOW** for that broker. | |
| The default value of the **ACCESS_CONTROL** broker parameter is **OFF**. All access to brokers not listed in **ACCESS_CONTROL_FILE** is restricted. Even if not listed in **ACCESS_CONTROL_FILE**, you can allow access to a specific broker by setting **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** to **ALLOW** for that broker. |
| The default value of the **ACCESS_CONTROL** broker parameter is **OFF**. | ||
| The **ACCESS_CONTROL** and **ACCESS_CONTROL_FILE** parameters must be written under [broker] which common parameters are specified. | ||
| The default value of the **ACCESS_CONTROL** broker parameter is **OFF**. All access to brokers not listed in **ACCESS_CONTROL_FILE** is restricted. Even not listed in **ACCESS_CONTROL_FILE**, you can allow access to a specific broker by setting **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** to **ALLOW** for that broker. | ||
| The **ACCESS_CONTROL** and **ACCESS_CONTROL_FILE** parameters must be written under [broker] which common parameters are specified. On the other hand, **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** parameter must be specified for each broker. |
There was a problem hiding this comment.
Suggested change
| The **ACCESS_CONTROL** and **ACCESS_CONTROL_FILE** parameters must be written under [broker] which common parameters are specified. On the other hand, **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** parameter must be specified for each broker. | |
| The **ACCESS_CONTROL** and **ACCESS_CONTROL_FILE** parameters must be written under the [broker] section where common parameters are specified. On the other hand, the **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** parameter must be specified for each broker. |
| @@ -1491,6 +1491,12 @@ The format of the ip_list_file is as follows: | |||
| * <ip_addr>: An IP address that is allowed to access the server. If the last digit of the address is specified as \*, all IP addresses in that rage are allowed to access the broker server. | |||
|
|
|||
| If a value for **ACCESS_CONTROL** is set to ON and a value for **ACCESS_CONTROL_FILE** is not specified, the broker will only allow the access requests from the localhost. | |||
| However, even **ACCESS_CONTROL_FILE** is not specified, all requests are allowed for brokers with **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** set to **ALLOW**. | |||
There was a problem hiding this comment.
Suggested change
| However, even **ACCESS_CONTROL_FILE** is not specified, all requests are allowed for brokers with **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** set to **ALLOW**. | |
| However, if **ACCESS_CONTROL_FILE** is not specified, all requests are allowed for brokers with **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** set to **ALLOW**. |
| Broker access restrictions not specified in **ACCESS_CONTROL_FILE**. | ||
|
|
||
| * Allow access only from localhost. (default) | ||
| * If ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER is set to ALLOW, all access is allowed. |
There was a problem hiding this comment.
Suggested change
| * If ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER is set to ALLOW, all access is allowed. | |
| * If **ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER** is set to **ALLOW**, all access is allowed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
http://jira.cubrid.org/browse/CUBRIDMAN-234
Purpose
브로커 파라메터에 ACCESS_CONTROL_BEHAVIOR_FOR_EMPTYBROKER 추가 및 설명 기술함
Implementation
N/A
Remarks
N/A