Service host security

For security reasons, you should not let everyone put messages into and get messages from the queues. The same applies to saving process state. To restrict access to the queue and state services, the Flower service host provides a simple authorization mechanism.

The service host class has the following properties to specify access rights (all values are semicolon-separated lists):
  • AllowSaveStateToUsers - domain users allowed to save process state.
  • AllowSaveStateToRoles - domain roles allowed to save process state.
  • AllowEnqueueToUsers - domain users allowed to enqueue to the queue service.
  • AllowEnqueueToRoles - domain roles allowed to enqueue to the queue service.
  • AllowDequeueToUsers - domain users allowed to dequeue from the queue service.
  • AllowDequeueToRoles - domain roles allowed to dequeue from the queue service.
  • AllowQueueManagementToUsers - domain users allowed to manage the queue service.
  • AllowQueueManagementToRoles - domain roles allowed to manage the queue service.

No value for a property means "allow to everyone".

The values should be set in Flower.Services.Host.config for the object 'service'.

<object id="service" type="Flower.Services.Host.Service, Flower.Services.Host">
   <property name="AllowSaveStateToUsers" 
             value="DOMAIN\username1;DOMAIN\username2" />
   <property name="AllowSaveStateToRoles"
             value="DOMAIN\role1;DOMAIN\role2" />

   ...
</object>


Make sure that the binding used by the services you are going to restrict access to actually transfers the caller's credentials.
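
Because an unset property means "allow to everyone", it is worth checking which of the eight properties a given Flower.Services.Host.config leaves open. The Python script below is an added example, not part of Flower; its function names and the sample config are constructed for illustration, and it assumes properties use the value="..." attribute form shown above.

```python
import xml.etree.ElementTree as ET

# The eight access-control properties listed on this page.
ACCESS_PROPERTIES = [
    f"Allow{op}To{kind}"
    for op in ("SaveState", "Enqueue", "Dequeue", "QueueManagement")
    for kind in ("Users", "Roles")
]

def local_name(tag):
    """Drop an XML namespace prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_service_config(xml_text):
    """Map each access property to its list of principals ([] = unset)."""
    root = ET.fromstring(xml_text)
    objects = (el for el in root.iter() if local_name(el.tag) == "object")
    service = next((el for el in objects if el.get("id") == "service"), None)
    if service is None:
        raise ValueError("no <object id='service'> element found")
    # Only the value="..." attribute form shown on this page is read.
    configured = {
        el.get("name"): el.get("value") or ""
        for el in service
        if local_name(el.tag) == "property"
    }
    # Assumption: blank entries are ignored, so a value holding only
    # separators is reported as unset and gets flagged for review.
    return {
        name: [p.strip() for p in configured.get(name, "").split(";") if p.strip()]
        for name in ACCESS_PROPERTIES
    }

def open_to_everyone(xml_text):
    """Names of the properties whose list is empty, i.e. 'allow to everyone'."""
    return [n for n, who in audit_service_config(xml_text).items() if not who]

# Constructed sample config (not a real deployment).
SAMPLE_CONFIG = r"""<objects>
  <object id="service" type="Flower.Services.Host.Service, Flower.Services.Host">
    <property name="AllowSaveStateToUsers" value="DOMAIN\username1;DOMAIN\username2" />
    <property name="AllowEnqueueToRoles" value="" />
  </object>
</objects>"""

if __name__ == "__main__":
    for name in open_to_everyone(SAMPLE_CONFIG):
        print(f"{name}: not set, allowed to everyone")
```

The script reports each property on its own; this page does not say how the host combines the users list and the roles list for the same operation, so review every flagged property.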

Last edited Oct 29, 2013 at 5:48 PM by dbratus, version 2
