...
QMF (Qpid Management Framework) is a general-purpose management bus built on Qpid Messaging. The Qpid C++ Broker itself is manageable through a set of QMF constructs. Access to QMF facilities may be controlled through ACL rule files by setting restrictions on a specific set of exchanges.
Console access
QMF Consoles configure and monitor the C++ broker by manipulating QMF management data. Console access rights are required by Qpid tools to configure and manage the broker. The following rules allow console access for the group consoles:
```
group consoles c_user1@QPID c_user2@QPID
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny all all
```
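The console rules above can be checked offline before they are deployed. The following is an added example, not code from the original page or from the Qpid project: a minimal Python evaluator whose function names (`parse`, `matches`, `decide`) are hypothetical. It assumes rules are applied in file order with the first match deciding, that only a trailing `*` acts as a wildcard, and that a request matching no rule is denied.

```python
# Added example: first-match evaluation of the console rules shown above.
CONSOLE_ACL = """\
group consoles c_user1@QPID c_user2@QPID
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny all all
"""

def parse(text):
    """Return (groups, rules) from ACL file text."""
    groups, rules = {}, []
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "group":
            groups[tok[1]] = set(tok[2:])
        elif tok[0] == "acl":
            rest = tok[4:]
            # An object type is optional; key=value tokens are properties.
            obj = rest[0] if rest and "=" not in rest[0] else "all"
            props = dict(t.split("=", 1) for t in rest if "=" in t)
            rules.append((tok[1], tok[2], tok[3], obj, props))
    return groups, rules

def matches(pattern, value):
    # Assumption: only a trailing '*' is a wildcard; otherwise exact match.
    if pattern.endswith("*"):
        return value is not None and value.startswith(pattern[:-1])
    return pattern == value

def decide(groups, rules, user, action, obj, **props):
    """First matching rule wins, in file order."""
    for decision, who, r_action, r_obj, r_props in rules:
        if who not in ("all", user) and user not in groups.get(who, ()):
            continue
        if r_action in ("all", action) and r_obj in ("all", obj) and all(
                matches(p, props.get(k)) for k, p in r_props.items()):
            return decision
    return "deny"  # assumption: no matching rule means deny
```

Running `decide` for a console user publishing with `routingkey=agent.x` returns `deny`, which makes the asymmetry in the rules visible: consoles may bind to `agent.*` keys but may publish only to `direct-agent.*` and `console.*`.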
Agent access
QMF Agents are applications that may be managed by QMF. The following rules allow agent access for the group agents:
```
group agents a_user1@QPID a_user2@QPID
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl deny all all
```
Disabling QMF V1 Exchange
QMF V1 used a built-in exchange named qpid.management. The following rules disable access to the qpid.management exchange:
```
acl deny all bind exchange name=qpid.management
acl deny all publish exchange name=qpid.management
```
Disabling access to all management methods
Another strategy for controlling access via QMF is to limit access to the management methods. In this scenario, only members of the admin group may issue changes via the management methods, while all other users are denied.
```
acl allow admins access method
acl deny all access method
```
Note that all users are still allowed to create objects using in-band AMQP declare directives through normal messaging activity. Also, any user may bind to the QMF queues and monitor changes and events.