Comment: Incorporate QMF example posted to dev list by GSim

...

# Example of ACL specifying queue size constraints
# Note: for legibility this acl line has been split into multiple lines.

acl allow bob@QPID create queue name=q6 queuemaxsizelowerlimit=500000 
                                        queuemaxsizeupperlimit=1000000
                                        queuemaxcountlowerlimit=200 
                                        queuemaxcountupperlimit=300

#
# These limits come into play when bob@QPID creates a queue as illustrated here:

    const char* address =
        "message_queue; "
        " { create: always, "
        "   node: "
        "   { type: queue, "
        "     x-declare: "
        "     { arguments: "
        "       { qpid.max_count:101,"
        "         qpid.max_size:1000000"
        "       }"
        "     }"
        "   }"
        " }";
    ...
    Sender sender = session.createSender(address);

#
# When the ACL rule is processed, the user, action, object, and object name all match,
# so this allow rule is selected for the allow or deny decision. However, the ACL rule
# is further constrained to 500000 <= max_size <= 1000000 and
# 200 <= max_count <= 300. Since the queue option max_count is 101, below the lower
# limit of 200, the limit is violated and the allow rule is returned with a deny decision.
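
The limit check described above, modelled in Python as an added example (not the broker's code and not part of the original page). The function names, the treatment of a missing option as a violation, and the request's queue name q6 (chosen so that the name matches the rule) are assumptions.

```python
# Added example: models only the limit check described above, not the broker's code.
LIMITS = {  # ACL property prefix -> queue option it constrains
    "queuemaxsize": "qpid.max_size",
    "queuemaxcount": "qpid.max_count",
}

def parse_rule(line):
    """Parse 'acl <allow|deny> <user> <action> <object> k=v ...' into a dict."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "acl" or tok[1] not in ("allow", "deny"):
        raise ValueError("malformed ACL rule: %r" % line)
    props = dict(t.split("=", 1) for t in tok[5:])
    return {"decision": tok[1], "user": tok[2], "action": tok[3],
            "object": tok[4], "props": props}

def name_matches(pattern, name):
    # Trailing '*' wildcard, as in name=tmp.* elsewhere on this page.
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name

def limit_violations(rule, options):
    """Return the queue options that fall outside the rule's lower/upper limits."""
    bad = []
    for prefix, opt in LIMITS.items():
        lo = rule["props"].get(prefix + "lowerlimit")
        hi = rule["props"].get(prefix + "upperlimit")
        if lo is None and hi is None:
            continue
        val = options.get(opt)  # Assumption: a missing option counts as a violation.
        if val is None or (lo and val < int(lo)) or (hi and val > int(hi)):
            bad.append(opt)
    return bad

def decide(rule, user, action, obj, name, options):
    """Return 'allow' or 'deny' if the rule matches the request, else None."""
    if (rule["user"], rule["action"], rule["object"]) != (user, action, obj):
        return None
    if "name" in rule["props"] and not name_matches(rule["props"]["name"], name):
        return None
    if rule["decision"] == "allow" and limit_violations(rule, options):
        return "deny"  # the allow rule matched but is returned as a deny
    return rule["decision"]

RULE = parse_rule("acl allow bob@QPID create queue name=q6 "
                  "queuemaxsizelowerlimit=500000 queuemaxsizeupperlimit=1000000 "
                  "queuemaxcountlowerlimit=200 queuemaxcountupperlimit=300")
# Constructed request: the options from the address string above.
REQUEST = {"qpid.max_count": 101, "qpid.max_size": 1000000}
```

Calling `decide(RULE, "bob@QPID", "create", "queue", "q6", REQUEST)` returns the deny decision, and `limit_violations(RULE, REQUEST)` names the option that caused it, which is useful when auditing why a create request was refused.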

...

  • Files are correctly formatted with respect to character sets, white space, continuation, and line length.
  • Permissions, Actions and Objects are correctly named.
  • Sufficient tokens are presented for each ACL rule.
  • Every line in an ACL file is validated and all invalid ACL rules are logged.
  • Any validation error is fatal and the broker is shut down.

Example

...

files

This example demonstrates usage of groups and other language syntax features.


# Some groups
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \
                tom@QPID andrew@QPID debbie@QPID

# Some rules
acl allow carlt@QPID create exchange name=carl.*
acl deny rob@QPID create queue
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.ibm.#  owner=self
acl allow user-consume create queue name=tmp.*

acl allow publisher publish all durable=false
acl allow publisher create queue name=RequestQueue
acl allow consumer consume queue durable=true
acl allow fred@QPID create all
acl allow bob@QPID all queue
acl allow admin all
acl deny kim@QPID all
acl allow all consume queue owner=self
acl allow all bind exchange owner=self

# Last (default) rule
acl deny all all

This example shows the required permissions for granting QMF tool access to user username@QPID from node HOSTNAME.


acl allow username@QPID all all name=username

acl allow username@QPID create  queue name=reply-HOSTNAME.* exclusive=true autodelete=true
acl allow username@QPID consume queue name=reply-HOSTNAME.*
acl allow username@QPID bind exchange name=amq.direct routingkey=reply-HOSTNAME.*

acl allow username@QPID create  queue name=topic-HOSTNAME.* exclusive=true autodelete=true
acl allow username@QPID consume queue name=topic-HOSTNAME.*
acl allow username@QPID bind exchange name=qpid.management routingkey=schema.#
acl allow username@QPID bind exchange name=qpid.management routingkey=console.obj.*.*.org.apache.qpid.broker.agent
acl allow username@QPID bind exchange name=qpid.management routingkey=console.event.*.*.org.apache.qpid.broker.agent

acl allow username@QPID create  queue name=qmfc-v2-HOSTNAME.* exclusive=true autodelete=true
acl allow username@QPID consume queue name=qmfc-v2-HOSTNAME.*
acl allow username@QPID bind exchange name=qmf.default.direct routingkey=qmfc-v2-HOSTNAME.*

acl allow username@QPID create  queue name=qmfc-v2-ui-HOSTNAME.* exclusive=true autodelete=true
acl allow username@QPID consume queue name=qmfc-v2-ui-HOSTNAME.*

acl allow username@QPID create  queue name=qmfc-v2-hb-HOSTNAME.* exclusive=true autodelete=true
acl allow username@QPID consume queue name=qmfc-v2-hb-HOSTNAME.*
acl allow username@QPID bind exchange name=qmf.default.topic routingkey=agent.ind.heartbeat.#

acl allow username@QPID publish exchange name=qpid.management    routingkey=broker
acl allow username@QPID publish exchange name=qmf.default.topic  routingkey=console.request.agent_locate
acl allow username@QPID publish exchange name=qmf.default.direct routingkey=broker

acl allow username@QPID access exchange name=qmf.default.direct
acl allow username@QPID access exchange name=qmf.default.topic

acl deny all all


Design Documentation

...