...
```
user = username[/domain[@realm]]
user-list = user1 user2 user3 ...
group-name-list = group1 group2 group3 ...
group <group-name> = [user-list] [group-name-list]
permission = [allow|allow-log|deny|deny-log]
action = [consume|publish|create|access|bind|unbind|delete|purge|update]
object = [virtualhost|queue|exchange|broker|link|route|method]
property = [name|durable|owner|routingkey|passive|autodelete|exclusive|type|alternate|queuename|
            policytype|schemapackage|schemaclass|
            queuemaxsizelowerlimit|queuemaxsizeupperlimit|
            queuemaxcountlowerlimit|queuemaxcountupperlimit|
            filemaxsizelowerlimit|filemaxsizeupperlimit|
            filemaxcountlowerlimit|filemaxcountupperlimit]
acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all" [property=<property-value>]]
quota connections N {<group-name>|<user-name>|"all"} [{<group-name>|<user-name>|"all"}]
```
- ACL rules must have the following tokens in order on a single line:
  - The string literal "acl"
  - The permission
  - The name of a single group or of an individual, or the keyword "all"
  - The name of an action, or the keyword "all"
  - Optionally, a single object name, or the keyword "all"
  - If the object is present, then optionally one or more property name-value pairs in the form 'property=value'.
File Processing Overview
- ACL files are processed line by line from the top of the file down.
- Group membership must be established before the group name is used in an ACL rule.
Deny Mode vs. Allow Mode
- By default ACL files are in 'Deny Mode' and deny all actions by all users. That is, there is an implicit "acl deny all all" rule appended to the ACL rule list. In 'Deny Mode' any action by any actor is denied unless some other rule in the ACL file explicitly allows it.
- Administrators may change an ACL file to 'Allow Mode' by ending the ACL file with "acl allow all all". When this rule is present at the end of the ACL file, any action by any actor is allowed unless some other rule in the ACL file explicitly denies it.
- C++ Brokers prior to release 0.16 had an optimization based on the Allow Mode or Deny Mode.
  - In a Deny Mode ACL file all 'deny' or 'deny-log' rules are discarded.
  - Similarly, in an Allow Mode ACL file all 'allow' or 'allow-log' rules are discarded.
  - This characteristic made specification of certain ACL rules difficult and confusing.
- C++ Brokers after release 0.16 do not optimize the rules based on Allow Mode or Deny Mode.
  - All rules are kept and processed in the order specified by the ACL file.
  - Allow rules may be mixed with Deny rules, and if a rule is matched then an allow or deny decision is rendered.
- ACL quotas must have the following tokens in order on a single line:
  - The string literal "quota"
  - The string literal "connections"
  - The number of allowed connections in decimal within the range 0..65530.
  - The name of a single group or of an individual, or the keyword "all"
  - Optionally, a list of groups, individuals, or the keyword "all"
- Connection quota values are assigned to individuals and to all members of groups in the order specified in the file. Users who received multiple connection quota values use the last value assigned.
```
# Example of C++ Broker Allow Mode processing behavior
group admins bob@QPID joe@QPID
acl allow bob@QPID create queue
acl deny admins create queue
acl allow all all
# Prior to release 0.16 bob is denied permission to create a queue because the
# 'allow bob@QPID create queue' rule in an Allow Mode file is discarded.
# Since release 0.16 bob is allowed permission to create a queue because no
# rules in the file are discarded and the first allow rule controls the decision.
```
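The mode and first-match semantics described above, as an added example that is not part of the original page or of the Qpid broker: a small evaluator over the page's own Allow Mode file. The `legacy` flag models the pre-0.16 behaviour (rules of the mode's own polarity discarded); the property matching with `fnmatch` and the `owner=self` handling are this example's assumptions, not the broker's implementation.

```python
import fnmatch

# Constructed sample: the Allow Mode file from the page's example.
ACL_TEXT = """
group admins bob@QPID joe@QPID
acl allow bob@QPID create queue
acl deny admins create queue
acl allow all all
"""

def parse(text):
    """Return (groups, rules); a rule is (permission, actor, action, object, props)."""
    groups, rules = {}, []
    for line in text.replace("\\\n", " ").splitlines():  # join '\' continuations
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "group":
            # Groups must be defined before use; a member naming an earlier group expands to its users.
            groups[tok[1]] = set().union(*(groups.get(m, {m}) for m in tok[2:]))
        elif tok[0] == "acl":
            obj = tok[4] if len(tok) > 4 else "all"
            props = dict(p.split("=", 1) for p in tok[5:])
            rules.append((tok[1], tok[2], tok[3], obj, props))
    return groups, rules

def matches(rule, user, action, obj, props, groups):
    perm, actor, act, o, rprops = rule
    if actor != "all" and user != actor and user not in groups.get(actor, ()):
        return False
    if act not in ("all", action) or o not in ("all", obj):
        return False
    # Assumption: property values may end in a shell-style wildcard, e.g. name=carl.*
    return all(fnmatch.fnmatchcase(props.get(k, ""), v) for k, v in rprops.items())

def decide(text, user, action, obj, props=None, legacy=False):
    """Return 'allow' or 'deny' for one request; legacy=True models brokers before 0.16."""
    groups, rules = parse(text)
    props = props or {}
    # Every file ends with an implicit "acl deny all all" (Deny Mode) unless its
    # last rule is "acl allow all all" (Allow Mode).
    allow_mode = bool(rules) and rules[-1][:4] == ("allow", "all", "all", "all")
    default = "allow" if allow_mode else "deny"
    if legacy:
        # Pre-0.16 brokers discarded every rule carrying the mode's own polarity.
        rules = [r for r in rules if r[0].split("-")[0] != default]
    for rule in rules:
        if matches(rule, user, action, obj, props, groups):
            return rule[0].split("-")[0]  # allow-log / deny-log decide like allow / deny
    return default
```

With `ACL_TEXT`, `decide(ACL_TEXT, "bob@QPID", "create", "queue")` returns `"allow"`, and the same call with `legacy=True` returns `"deny"`, reproducing the two outcomes the comments in the file above describe.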
...
```
# Some groups
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \
                tom@QPID andrew@QPID debbie@QPID

# Some connection quota rules
quota connections 3 all
quota connections 10 publisher user-consume
quota connections 20 admin
quota connections 50 ted@QPID

# Some rules
acl allow carlt@QPID create exchange name=carl.*
acl deny rob@QPID create queue
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.ibm.# owner=self
acl allow user-consume create queue name=tmp.*
acl allow publisher publish all durable=false
acl allow publisher create queue name=RequestQueue
acl allow consumer consume queue durable=true
acl allow fred@QPID create all
acl allow bob@QPID all queue
acl allow admin all
acl deny kim@QPID all
acl allow all consume queue owner=self
acl allow all bind exchange owner=self

# Last (default) rule
acl deny all all
```
...
The user id in the ACL file is of the form <user-id>@<domain>. The domain is configured via the SASL configuration for the broker; the domain/realm for qpidd is set using --realm and defaults to 'QPID'.
ACL command line options
To load the ACL module, use the --load-module directive on the command line or in the config file.
...
The ACL plugin provides the following option, '--acl-file'. If the ACL file is not supplied then the broker will not enforce ACL. If an ACL file name is supplied, and the file does not exist or is invalid, the broker will not start.
```
ACL Options:
  --acl-file FILE    The policy file to load from, loaded from data dir
```
Quota Settings
Quota options are integrated with the ACL rule file. The ACL rule file already contains the definition of user and group names and the ACL permissions for each. The ACL rule file additionally uses the same user and group names for the specification of quotas.
Connection quota
Connection quotas work in conjunction with the command line switch '--connection-limit-per-user N' to limit users to some number of concurrent connections.
- If the command line switch '--connection-limit-per-user' is absent and there are no 'quota connections' rules in the ACL file then connection limits are not enforced.
- If the command line switch '--connection-limit-per-user' is present then it assigns an initial value for the pseudo-user 'all'.
- If the ACL file specifies a quota for pseudo user 'all' then that value is applied to all users who are otherwise unnamed in the ACL file.
- Connection quotas for users are registered in order as the rule file is processed. A user may be assigned any number of connection quota values but only the final value is retained and enforced.
- Connection quotas for groups are applied as connection quotas for each individual user in the group at the time the 'quota connections' line is processed.
- Quota values range from 0 to 65530. A value of zero (0) denies connections for that user or group.
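The quota rules above (in-order processing, group expansion at the time the line is read, last value wins, the 'all' pseudo-user seeded by --connection-limit-per-user), as an added example that is not part of the original page or of the Qpid broker. It reads the group and quota lines from the page's sample file; the function names are this example's own.

```python
# Constructed sample: the group and quota lines from the page's example file.
QUOTA_TEXT = """
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \\
                tom@QPID andrew@QPID debbie@QPID
quota connections 3 all
quota connections 10 publisher user-consume
quota connections 20 admin
quota connections 50 ted@QPID
"""

def connection_quotas(text, connection_limit_per_user=None):
    """Return ({user: limit}, limit_for_all). Later assignments overwrite earlier
    ones, and a group quota is applied to each member the group has when the
    'quota connections' line is processed."""
    groups, quotas = {}, {}
    # --connection-limit-per-user seeds the pseudo-user 'all'; a file rule may override it.
    all_limit = connection_limit_per_user
    for line in text.replace("\\\n", " ").splitlines():  # join '\' continuations
        tok = line.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "group":
            # Group membership must be established before the name is used.
            groups[tok[1]] = set().union(*(groups.get(m, {m}) for m in tok[2:]))
        elif tok[:2] == ["quota", "connections"]:
            n = int(tok[2])
            if not 0 <= n <= 65530:
                raise ValueError("quota outside 0..65530: " + line.strip())
            for name in tok[3:]:
                if name == "all":
                    all_limit = n
                else:
                    for user in groups.get(name, {name}):
                        quotas[user] = n  # last value assigned is the one enforced
    return quotas, all_limit

def limit_for(user, quotas, all_limit):
    """Effective limit for one user; None means not enforced, 0 denies connections."""
    return quotas.get(user, all_limit)
```

With the sample, ted@QPID ends at 50 (the last line overrides the 10 and 20 assigned through groups), martin@QPID at 20, every other publisher member at 10, and an unnamed user at the 'all' value of 3.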