...

Code Block
user = username[@domain[/realm]]
user-list = user1 user2 user3 ...
group-name-list = group1 group2 group3 ...

group <group-name> = [user-list] [group-name-list]


permission = [allow|allow-log|deny|deny-log]
action = [consume|publish|create|access|bind|unbind|delete|purge|update]
object = [virtualhost|queue|exchange|broker|link|route|method]
property = [name|durable|owner|routingkey|passive|autodelete|exclusive|type|alternate|queuename|schemapackage|schemaclass]

acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"] [property=<property-value>]

Validation

The new ACL file format needs to validate the ACL rules. How strictly validation is applied depends on the configured value of:

strict-acl-validation=none

The default setting should be 'warn'.

On validation of this ACL rule the following checks would be expected:

Code Block

acl allow client publish routingkey=exampleQueue exchange=amq.direct
  1. The user 'client' exists. If the authentication mechanism cannot be queried to confirm this, a 'user' entry for that name should be added to the file.
  2. There is an exchange called 'amq.direct'.
  3. There is a queue bound to 'exampleQueue' on 'amq.direct'.

Each check that fails results in a log statement being generated.

When validation is set to fatal, the full file is still validated (so every failing check is logged) before the broker shuts down.
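The grammar above and the validation modes just described, as an added worked example (illustrative code written for this page, not the Qpid broker's own implementation). It parses user, group and acl lines, follows backslash continuations and nested groups, rejects tokens outside the grammar's keyword sets, and performs the file-local part of the validation: every subject and group member must be a declared user or group. The broker-side checks (the exchange exists, a queue is bound to it) need a running broker to query and are left out. The sample ACL text is constructed here; the `strict-acl-validation` values none/warn/fatal are taken from the page, and the assumption that fatal mode logs every problem before raising follows the text above.

```python
"""Parser and validator for the Qpid-style ACL file grammar (example code)."""
from dataclasses import dataclass, field
from typing import Optional

PERMISSIONS = {"allow", "allow-log", "deny", "deny-log"}
ACTIONS = {"consume", "publish", "create", "access", "bind", "unbind",
           "delete", "purge", "update"}
OBJECTS = {"virtualhost", "queue", "exchange", "broker", "link", "route", "method"}
PROPERTIES = {"name", "durable", "owner", "routingkey", "passive", "autodelete",
              "exclusive", "type", "alternate", "queuename", "schemapackage",
              "schemaclass"}


@dataclass
class AclRule:
    permission: str
    subject: str            # user name, group name or "all"
    action: str             # action keyword or "all"
    obj: Optional[str]      # object keyword, "all", or None when omitted
    props: dict


@dataclass
class AclFile:
    users: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)   # name -> members (users or groups)
    rules: list = field(default_factory=list)


def _logical_lines(text):
    """Yield (line_no, tokens); joins backslash continuations and skips blank
    lines and comment lines.  Only a leading '#' is a comment: a '#' inside a
    token such as routingkey=stocks.ibm.# is data."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None and (not line or line.startswith("#")):
            continue
        start = n if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).split()
        buf, start = [], None
    if buf:
        raise ValueError(f"line {start}: continuation with no following line")


def _parse_rule(lineno, args):
    if len(args) < 3:
        raise ValueError(f"line {lineno}: acl needs permission, subject and action")
    permission, subject, action, rest = args[0], args[1], args[2], list(args[3:])
    if permission not in PERMISSIONS:
        raise ValueError(f"line {lineno}: unknown permission {permission!r}")
    if action != "all" and action not in ACTIONS:
        raise ValueError(f"line {lineno}: unknown action {action!r}")
    obj = None
    if rest and "=" not in rest[0]:        # object is optional; properties carry '='
        obj = rest.pop(0)
        if obj != "all" and obj not in OBJECTS:
            raise ValueError(f"line {lineno}: unknown object {obj!r}")
    props = {}
    for item in rest:
        key, sep, value = item.partition("=")
        if not sep or key not in PROPERTIES or not value:
            raise ValueError(f"line {lineno}: bad property {item!r}")
        props[key] = value
    return AclRule(permission, subject, action, obj, props)


def parse_acl(text):
    acl = AclFile()
    for lineno, tok in _logical_lines(text):
        kind, args = tok[0], tok[1:]
        if kind == "user" and len(args) == 1:
            acl.users.add(args[0])
        elif kind == "group" and args:
            acl.groups[args[0]] = args[1:]
        elif kind == "acl":
            acl.rules.append(_parse_rule(lineno, args))
        else:
            raise ValueError(f"line {lineno}: cannot parse {' '.join(tok)!r}")
    return acl


def members(acl, group, _seen=None):
    """Flatten a group to its users, following nested groups (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    out = set()
    for m in acl.groups.get(group, []):
        if m in acl.groups:
            if m not in _seen:
                _seen.add(m)
                out |= members(acl, m, _seen)
        else:
            out.add(m)
    return out


def validate(acl, mode="warn"):
    """File-local validation.  mode is the strict-acl-validation value:
    'none' skips, 'warn' returns the messages, 'fatal' checks the whole
    file first and then raises with all of them (the broker would shut down)."""
    if mode == "none":
        return []
    known = acl.users | set(acl.groups)
    problems = []
    for g, ms in acl.groups.items():
        problems += [f"group {g!r}: member {m!r} not declared" for m in ms if m not in known]
    for i, r in enumerate(acl.rules, 1):
        if r.subject != "all" and r.subject not in known:
            problems.append(f"rule {i}: subject {r.subject!r} not declared")
    if mode == "fatal" and problems:
        raise ValueError("\n".join(problems))
    return problems


# Constructed sample: a subset of the page's example file plus one undeclared
# subject (guest@QPID) so that validation has something to report.
SAMPLE = """\
# Some Users
user ted@QPID
user martin@QPID
user kim@QPID

# Some groups
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group publisher user-consume \\
                kim@QPID

# Some rules
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.ibm.# owner=self
acl allow publisher publish all durable=false
acl deny kim@QPID all
acl deny all all
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("publisher ->", sorted(members(acl, "publisher")))
    for problem in validate(acl, "warn"):
        print("WARN:", problem)
```

The comment handling is the one place where a naive implementation bites: stripping everything after `#` would truncate `routingkey=stocks.ibm.#`, so only a line whose first non-blank character is `#` is treated as a comment. Keyword checks happen at parse time (a misspelled action or property is a hard error in every mode), while the declared-subject check is the soft, mode-dependent validation the page describes.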

Example file:

Code Block
# Some Users
user ted@QPID
user martin@QPID
user kim@QPID
user rob@QPID
user tom@QPID
user andrew@QPID
user debbie@QPID

# Some groups
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \
                tom@QPID andrew@QPID debbie@QPID

# Some rules
acl allow carlt@QPID create exchange name=carl.*
acl deny rob@QPID create queue
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.ibm.#  owner=self
acl allow user-consume create queue name=tmp.*

acl allow publisher publish all durable=false
acl allow publisher create queue name=RequestQueue
acl allow consumer consume queue durable=true
acl allow fred@QPID create all
acl allow bob@QPID all queue
acl allow admin all
acl deny kim@QPID all
acl allow all consume queue owner=self
acl allow all bind exchange owner=self

# Last (default) rule
acl deny all all

...