Comment: Updated PUBLISH section

...

The XML ACLs have been implemented as an ACLPlugin class, SimpleXML, per the ACLPlugin design (see Qpid Design - ACLPlugin). Currently this class is only configurable via the main broker configuration file, which means that all the ACL configuration must be included in the main configuration file.

...

This tells the broker that it should use the SimpleXML class to perform access control. When the broker starts up, the SimpleXML class will look in the <security> section for the required ACLs.

ACL Configuration

Background

The configuration is described in reference to an example configuration used in a request/response application. In this example the 'client' creates a temporary queue and sends a request to a known queue which the 'server' application is processing. The 'server' then sends a response to the specified temporary queue, which the 'client' can read. The ACLs have been configured such that the 'server' cannot create additional queues other than its process queue and the 'client' is only allowed to create temporary queues.

ACCESS_CONTROL_LIST Section

The ACL configuration lives inside the <access_control_list> section, inside <security>.

...
<security>
  <access_control_list>
    <!-- This section grants publish rights to an exchange + routing key pair -->
    <publish>...</publish>
                         
    <!-- This section grants users the ability to consume from the broker -->
    <consume>...</consume>
                            
    <!-- This section grants clients the ability to create queues and exchanges -->
    <create>...</create>
  </access_control_list>
...

This gives the basic structure for the configuration; the contents of each section naturally depend on what permissions are needed.

PUBLISH Section

This section allows the granting of permission for Publishers to send messages. Controls have been implemented to allow the publication of messages limited by Exchange to:

  • specified routing keys.
  • partially matching routing keys, using * to match the end of a routing key.

Here the 'client' user is only given rights to PUBLISH messages using the key 'example.RequestQueue'.
The 'server' user is allowed to publish to 'tmp_' and 'TempQueue' keys. The reason there are two values here is due to changes in the naming of temporary queues during the example's development. The effect is that the 'server' is granted permission to publish messages to any routing key that begins with 'tmp_' or 'TempQueue'. The '*' matching is only performed at the end of the key, so entries such as 'Special*Key' are not allowed.

Whilst not shown here, multiple <user> values can be specified in the <users> section.

Remember that the routing_key value in the Java broker is the same as the queue name (correct at release of M4) for the amq.direct exchange. For topic exchanges the routing_key is the topic name that a Publisher uses to send messages.

<publish>    
    <exchanges>
        <exchange>
            <!-- This is the name of the exchange to limit publication to. -->
            <name>amq.direct</name>
            <routing_keys>

                <!-- Allow clients to publish requests -->
                <routing_key>
                    <value>example.RequestQueue</value>
                    <users>
                        <user>client</user>
                    </users>
                </routing_key>

                <!-- Allow the processor to respond to a client on their Temporary Topic -->
                <routing_key>
                    <value>tmp_*</value>
                    <users>
                        <user>server</user>
                    </users>
                </routing_key>
                <routing_key>
                    <value>TempQueue*</value>
                    <users>
                        <user>server</user>
                    </users>
                </routing_key>
            </routing_keys>

        </exchange>
    </exchanges>
</publish>
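
The matching rules described above, modelled as an added example for auditing a <publish> section offline; this is not the broker's SimpleXML code. Assumptions: the function names are hypothetical, anything not granted is denied, and a value with '*' before its last character is reported rather than loaded. The sample XML is constructed from this page's entries plus one invalid pattern.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's <publish> entries plus one invalid pattern.
SAMPLE = """<publish><exchanges><exchange>
  <name>amq.direct</name>
  <routing_keys>
    <routing_key><value>example.RequestQueue</value>
      <users><user>client</user></users></routing_key>
    <routing_key><value>tmp_*</value>
      <users><user>server</user></users></routing_key>
    <routing_key><value>TempQueue*</value>
      <users><user>server</user></users></routing_key>
    <routing_key><value>Special*Key</value>
      <users><user>server</user></users></routing_key>
  </routing_keys>
</exchange></exchanges></publish>"""

def load_publish_grants(xml_text):
    """Return (grants, rejected); grants are (exchange, pattern, users)."""
    grants, rejected = [], []
    for exch in ET.fromstring(xml_text).iter("exchange"):
        name = exch.findtext("name", "").strip()
        for rk in exch.iter("routing_key"):
            pattern = rk.findtext("value", "").strip()
            users = {u.text.strip() for u in rk.iter("user") if u.text}
            # '*' is only meaningful as the final character of the key.
            if "*" in pattern[:-1]:
                rejected.append((name, pattern))
            else:
                grants.append((name, pattern, users))
    return grants, rejected

def may_publish(grants, user, exchange, routing_key):
    """Assumed default deny: allow only if a grant on this exchange matches."""
    for name, pattern, users in grants:
        if name != exchange or user not in users:
            continue
        if pattern.endswith("*"):
            # Trailing '*' means "any key that begins with this prefix".
            if routing_key.startswith(pattern[:-1]):
                return True
        elif routing_key == pattern:
            return True
    return False
```

Running `load_publish_grants` over a real configuration and reviewing the `rejected` list is a quick way to spot patterns that will not behave as a wildcard.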

CONSUME Section

This section allows the granting of permissions to Consumers.


<!-- This section grants users the ability to consume from the broker -->
<consume>
    <queues>

        <!-- Allow the clients to consume from their temporary queues-->
        <queue>
            <temporary/>
            <users>
                <user>client</user>
            </users>
        </queue>


        <!-- Only allow the server to consume from the Request Queue-->
        <queue>
            <name>example.RequestQueue</name>
            <users>
                <user>server</user>
            </users>
        </queue>

    </queues>
</consume>

CREATE Section


<!-- This section grants clients the ability to create queues and exchanges -->
<create>
    <queues>
        <!-- Allow clients to create temporary queues-->
        <queue>
            <temporary/>
            <exchanges>
                <exchange>
                    <name>amq.direct</name>
                    <users>
                        <user>client</user>
                    </users>
                </exchange>
            </exchanges>
        </queue>
        <!-- Allow the server to create the Request Queue-->
        <queue>
            <name>example.RequestQueue</name>
            <users>
                <user>server</user>
            </users>
        </queue>

    </queues>
</create>

Known Issues

  • temporary flag