Comment: Mention QMF qpid.management exchange; describe denying access to methods

...

QMF (Qpid Management Framework) is a general-purpose management bus built on Qpid Messaging. The Qpid C++ Broker itself is manageable through a set of QMF constructs. Access to QMF facilities may be controlled through ACL rule files by setting restrictions on a specific set of exchanges.

Console access

QMF Consoles configure and monitor the C++ broker by manipulating QMF management data. Console access rights are required by Qpid tools to configure and manage the broker. The following rules allow console access for the group consoles:

  group consoles c_user1@QPID c_user2@QPID

  acl allow consoles create  exchange name=qmf.default.direct
  acl allow consoles access  exchange name=qmf.default.direct
  acl allow consoles bind    exchange name=qmf.default.topic  routingkey=direct-console.*
  acl allow consoles bind    exchange name=qmf.default.topic  routingkey=agent.*
  acl allow consoles publish exchange name=qmf.default.topic  routingkey=direct-agent.*
  acl allow consoles publish exchange name=qmf.default.topic  routingkey=console.*
  acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
  acl allow consoles create  queue
  acl allow consoles create  exchange name=qmf.default.topic
  acl allow consoles access  exchange name=qmf.default.topic
  acl allow consoles consume

  acl deny all all

Agent access

QMF Agents are applications that may be managed by QMF. The following rules allow agent access for the group agents:

  group agents a_user1@QPID a_user2@QPID

  acl allow agents bind    exchange name=qmf.default.topic routingkey=direct-agent.*
  acl allow agents bind    exchange name=qmf.default.topic routingkey=console.*
  acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
  acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
  acl allow agents create  link
  acl allow agents create  queue
  acl allow agents create  exchange name=qmf.default.topic
  acl allow agents access  exchange name=qmf.default.topic
  acl allow agents consume

  acl deny all all

Disabling QMF V1 Exchange

QMF V1 used a built-in exchange named qpid.management. The following rules disable access to the qpid.management exchange:

  acl deny all bind    exchange name=qpid.management
  acl deny all publish exchange name=qpid.management

Disabling access to all management methods

Another strategy for controlling access via QMF is to limit access to the management methods. In this scenario only members of the admin group may issue changes via the management methods, while all other users are denied.

  acl allow admins access method
  acl deny  all    access method

Note that all users are still allowed to create objects using in-band AMQP declare directives through normal messaging activity. Also, any user may bind to the QMF queues and monitor changes and events.
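To check how rules like the ones above combine before loading them into a broker, the following added example (not Qpid project code) walks a rule list in file order and returns the first matching decision. The combined ACL text and the `admins` member name are constructed, and treating `*` in a rule value as a simple glob is an assumption of this sketch; a request that matches no rule is reported as `no-match` rather than guessing the broker's default.

```python
from fnmatch import fnmatchcase

# Constructed ACL file assembled from rules shown on this page;
# the "admins" member name is a made-up placeholder.
ACL_TEXT = """
group consoles c_user1@QPID c_user2@QPID
group admins admin1@QPID

acl deny all bind    exchange name=qpid.management
acl deny all publish exchange name=qpid.management
acl allow admins access method
acl deny  all    access method
acl allow consoles bind    exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl deny all all
"""

def parse(text):
    """Return (groups, rules) from ACL text; rules keep file order."""
    groups, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "group":
            groups[tok[1]] = set(tok[2:])
        elif tok[0] == "acl":
            obj = tok[4] if len(tok) > 4 else "all"   # object is optional
            props = dict(p.split("=", 1) for p in tok[5:])
            rules.append((tok[1], tok[2], tok[3], obj, props))
    return groups, rules

def decide(groups, rules, user, action, obj, **props):
    """First matching rule wins; 'no-match' leaves the broker default."""
    for perm, who, act, robj, rprops in rules:
        if who != "all" and who != user and user not in groups.get(who, ()):
            continue
        if act not in ("all", action) or robj not in ("all", obj):
            continue
        # Assumption: '*' in a rule value is a simple glob wildcard.
        if all(k in props and fnmatchcase(props[k], v) for k, v in rprops.items()):
            return perm
    return "no-match"

GROUPS, RULES = parse(ACL_TEXT)
```
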