Versions Compared

Old Version 1

changes.mady.by.user Martin Ritchie

Saved on

compared with

New Version 2

changes.mady.by.user Martin Ritchie

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Work in Progress at PUBLISH section

...

Anchor
specification
specification

Specification

The XML ACL focus was to take to business style focus to access rather than the individual AMQP method level.
As a result we have the following permissions:

  • CONSUME
  • PUBLISH
  • CREATE
  • ACCESS
  • BIND
  • UNBIND
  • DELETE
  • PURGE

XML Format

Anchor
userguide
userguide

User Guide (SimpleXML)

The XML ACLs have been implemented as a security class and currently are an [ ACLPlugin | Qpid Design - ACLPlugin ] class, SimpleXML. Currently this class ios only configurable via the main broker configuration file, this means that all the ACL configuration must be included in the main configuration file.

Permission Limitations

Only the first three permissions, CONSUME, PUBLISH and CREATE have been implemented. An oversight in the original design resulted in the inability to specify negative permissions. As a result permission can only be granted to users and not taken away.

Enabling XML ACLs

To enable the ACLs the security access class in the main broker configuration needs to be updated as follows:

No Format
...
<security>
    <access>
        <class>org.apache.qpid.server.security.access.plugins.SimpleXML</class>
    </access>
...

Examples

Limitations


...

This tells the broker that it should use the SimpleXML class to perform access control. When the broker starts up the SimpleXML class will look in the the <security> section for the required ACLs.

ACL Configuration

The ACL configuration lives inside the <access_control_list> section, inside <security>.

No Format

<security>
  <access_control_list>
    <!-- This section grants publish rights to an exchange + routing key pair -->
    <publish>...</publish>
                         
    <!-- This section grants users the ability to consume from the broker -->
    <consume>...</consume>
                            
    <!-- This section grants clients the ability to create queues and exchanges -->
    <create>...</create>
  </access_control_list>
...

This gives the basic structure for the configuration the contents of each section naturally depend on what permissions are needed.

PUBLISH Section

No Format

<publish>    
    <exchanges>
        <exchange>
            <!-- This is the name of the exchange to limit publication to. -->
            <name>...</name>
            <routing_keys>

                <!-- Allow clients to publish requests -->
                <routing_key>
                    <value>example.RequestQueue</value>
                    <users>
                        <user>client</user>
                    </users>
                </routing_key>

                <!-- Allow the processor to respond to a client on their Temporary Topic -->
                <routing_key>
                    <value>tmp_*</value>
                    <users>
                        <user>server</user>
                    </users>
                </routing_key>
                <routing_key>
                    <value>TempQueue*</value>
                    <users>
                        <user>server</user>
                    </users>
                </routing_key>
            </routing_keys>

        </exchange>
    </exchanges>
</publish>

CONSUME Section

CREATE Section

Known Issues

  • temporary flag
  • temporary flag
  • negative permissions