...
```
user = username[@domain[/realm]]
user-list = user1 user2 user3 ...
group-name-list = group1 group2 group3 ...
group <group-name> = [user-list] [group-name-list]

permission = [allow|allow-log|deny|deny-log]
action = [consume|publish|create|access|bind|unbind|delete|purge|update]
object = [virtualhost|queue|exchange|broker|link|route|method]
property = [name|durable|owner|routingkey|passive|autodelete|exclusive|type|alternate|queuename|schemapackage|schemaclass]

acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"] [property=<property-value>]
```
Validation
The new ACL file format requires validation of the acl rules. The level of validation performed depends on the value of the setting:
strict-acl-validation=none
The default setting should be 'warn'.
Validating this acl rule would be expected to perform the following checks:
```
acl allow client publish routingkey=exampleQueue exchange=amq.direct
```
- The user 'client' exists. If the authentication mechanism cannot be queried, a 'user' declaration for 'client' should be added to the file.
- There is an exchange called 'amq.direct'.
- There is a queue bound to 'amq.direct' with routing key 'exampleQueue'.
Each failing check generates a log statement.
In the case of fatal logging, the full file is validated before the broker shuts down.
Example file:
```
# Some Users
user ted@QPID
user martin@QPID
user kim@QPID
user rob@QPID
user tom@QPID
user andrew@QPID
user debbie@QPID

# Some groups
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \
      tom@QPID andrew@QPID debbie@QPID

# Some rules
acl allow carlt@QPID create exchange name=carl.*
acl deny rob@QPID create queue
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.ibm.# owner=self
acl allow user-consume create queue name=tmp.*
acl allow publisher publish all durable=false
acl allow publisher create queue name=RequestQueue
acl allow consumer consume queue durable=true
acl allow fred@QPID create all
acl allow bob@QPID all queue
acl allow admin all
acl deny kim@QPID all
acl allow all consume queue owner=self
acl allow all bind exchange owner=self

# Last (default) rule
acl deny all all
```
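The following is an added worked example, not Qpid's own code, that ties together the grammar above and the validation section: it parses a file in this format (users, nested groups with backslash continuation, acl rules with properties), runs the declaration checks under the `none`/`warn`/`fatal` modes, and evaluates requests against the rules. Several things are assumptions rather than statements of the page: first-match-wins evaluation (inferred from the "Last (default) rule" comment), `*` treated as a glob wildcard in property values such as `name=tmp.*`, `fatal` as the third mode name, and the sample file, which is a constructed subset of the page's example plus a rule for the undeclared user carlt@QPID and an undeclared group member tom@QPID so that validation has something to report. The exchange and binding checks, which need live broker state, are not modelled.

```python
import fnmatch
from collections import namedtuple

# Vocabulary taken from the grammar on this page ("all" is a valid action and object)
PERMISSIONS = {"allow", "allow-log", "deny", "deny-log"}
ACTIONS = {"all", "consume", "publish", "create", "access", "bind", "unbind", "delete", "purge", "update"}
OBJECTS = {"all", "virtualhost", "queue", "exchange", "broker", "link", "route", "method"}
PROPERTIES = {"name", "durable", "owner", "routingkey", "passive", "autodelete", "exclusive", "type",
              "alternate", "queuename", "schemapackage", "schemaclass"}

# Constructed sample: a subset of the page's example, plus a rule for the undeclared
# user carlt@QPID and the undeclared group member tom@QPID, so validation has work to do.
SAMPLE_ACL = """\
user ted@QPID
user martin@QPID
user kim@QPID
user rob@QPID
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \\
      tom@QPID
# Some rules
acl allow carlt@QPID create exchange name=carl.*
acl deny rob@QPID create queue
acl allow user-consume create queue name=tmp.*
acl allow publisher publish all durable=false
acl allow admin all
acl deny kim@QPID all
acl allow all consume queue owner=self
acl deny all all
"""

Rule = namedtuple("Rule", "permission subject action obj props")  # subject/action/obj may be "all"
AclFile = namedtuple("AclFile", "users groups rules")  # groups: name -> expanded set of users

def _logical_lines(text):
    """Join lines ending in a backslash, as the page's 'group publisher' example does."""
    buf = []
    for raw in text.splitlines():
        buf.append(raw.strip().rstrip("\\"))
        if not raw.rstrip().endswith("\\"):
            yield " ".join(buf).strip()
            buf = []

def parse_acl(text):
    acl = AclFile(set(), {}, [])
    for n, line in enumerate(_logical_lines(text), 1):
        if not line or line.startswith("#"):   # only whole-line comments; '#' is legal in routingkey values
            continue
        tok = line.split()
        if tok[0] == "user" and len(tok) == 2:
            acl.users.add(tok[1])
        elif tok[0] == "group" and len(tok) >= 2:
            members = set()
            for m in tok[2:]:                     # a member may be a group declared earlier
                members |= acl.groups.get(m, {m})
            acl.groups[tok[1]] = members
        elif tok[0] == "acl" and len(tok) >= 4:
            perm, subj, action, rest = tok[1], tok[2], tok[3], tok[4:]
            obj = rest.pop(0) if rest and "=" not in rest[0] else "all"   # object is optional
            props = dict(p.partition("=")[::2] for p in rest)
            if perm not in PERMISSIONS or action not in ACTIONS or obj not in OBJECTS \
                    or not set(props) <= PROPERTIES:
                raise ValueError(f"line {n}: malformed acl rule: {line}")
            acl.rules.append(Rule(perm, subj, action, obj, props))
        else:
            raise ValueError(f"line {n}: unrecognised line: {line}")
    return acl

def validate(acl, mode="warn"):
    """Declaration checks; 'none' skips them, 'warn' returns the problems, 'fatal' raises after the whole file is checked."""
    if mode == "none":
        return []
    problems = [f"group '{g}': member '{m}' is not a declared user"
                for g, members in acl.groups.items() for m in sorted(members - acl.users)]
    known = acl.users | set(acl.groups)
    problems += [f"rule {i}: subject '{r.subject}' is not a declared user or group"
                 for i, r in enumerate(acl.rules, 1) if r.subject != "all" and r.subject not in known]
    if mode == "fatal" and problems:
        raise ValueError("\n".join(problems))
    return problems

def _prop_match(key, want, props, user):
    have = props.get(key)
    if have is None:                        # rule requires a property the request did not supply
        return False
    if key == "owner" and want == "self":   # owner=self: the requesting user owns the object
        return have == user
    return fnmatch.fnmatchcase(have, want)  # assumption: '*' glob, as in name=tmp.*

def authorise(acl, user, action, obj, props=None):
    """First matching rule wins (assumed from the 'Last (default) rule' comment); no match denies."""
    props = props or {}
    for r in acl.rules:
        if r.subject != "all" and user != r.subject and user not in acl.groups.get(r.subject, ()):
            continue
        if r.action not in ("all", action) or r.obj not in ("all", obj):
            continue
        if all(_prop_match(k, v, props, user) for k, v in r.props.items()):
            return r.permission.startswith("allow")
    return False
```

Group expansion happens at parse time, so a group may only reference groups declared above it, which is the order the page's example uses; `validate` reports undeclared members and subjects but still keeps the rule, matching the 'warn' behaviour, and under 'fatal' it collects every problem before raising so the log shows the whole file's issues.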
...