...

Permission Limitations

Only the first four permissions, CONSUME, PUBLISH, CREATE and ACCESS (since Qpid 0.6), have been implemented. An oversight in the original design resulted in the inability to specify negative permissions. As a result, permissions can only be granted to users and not taken away.

...

This tells the broker that it should use the SimpleXML class to perform access control. When the broker starts up, the SimpleXML class will look in the <security> subsection for each virtualhost for the required ACLs.

ACL Configuration

...

The ACL configuration lives inside the <access_control_list> section, inside the <security> subsection of each virtualhost configuration.

No Format
...
<security>
  <access_control_list>
    <!-- This section grants virtualhost-level access to the specified users, giving
         them full permissions to all artifacts in the containing virtualhost -->
    <access>...</access>

    <!-- This section grants publish rights to an exchange + routing key pair -->
    <publish>...</publish>

    <!-- This section grants users the ability to consume from the broker -->
    <consume>...</consume>

    <!-- This section grants clients the ability to create queues and exchanges -->
    <create>...</create>
  </access_control_list>
...

This gives the basic structure for the configuration; the contents of each section naturally depend on what permissions are needed.

...

No Format
<!-- This section grants clients the ability to create queues and exchanges -->
<create>
    <queues>
        <!-- Allow clients to create temporary queues-->
        <queue>
            <temporary/>
            <exchanges>
                <exchange>
                    <name>amq.direct</name>
                    <users>
                        <user>client</user>
                    </users>
                </exchange>
            </exchanges>
        </queue>
        <!-- Allow the server to create the Request Queue-->
        <queue>
            <name>example.RequestQueue</name>
            <users>
                <user>server</user>
            </users>
        </queue>
    </queues>
</create>

ACCESS Section (since Qpid 0.6)

This section allows granting virtualhost-level access permissions to specific users, giving them full permissions to all artifacts within the virtualhost irrespective of any rights assigned in the CREATE, CONSUME, and PUBLISH sections outlined above. This allows granting only certain users full access to certain virtualhosts.

The <access> section contains a <users> subsection, with a list of individual <user> elements:

No Format

<!-- This section grants virtualhost-level access to the specified users, giving
     them full permissions to all artifacts in the containing virtualhost -->
<access>
    <users>
        <user>admin</user>
    </users>
</access>
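
An added example (not part of the original page or of Qpid itself): a Python review aid that lists which users hold virtualhost-level ACCESS and which hold CREATE grants in one <security> subsection. The function names and the sample document are constructed for illustration; may_create models only what this page states, namely that grants are additive and that ACCESS confers full permissions.

```python
import xml.etree.ElementTree as ET

# Constructed sample <security> subsection, assembled from this page's fragments.
SAMPLE = """
<security>
  <access_control_list>
    <access><users><user>admin</user></users></access>
    <create>
      <queues>
        <queue>
          <temporary/>
          <exchanges>
            <exchange>
              <name>amq.direct</name>
              <users><user>client</user></users>
            </exchange>
          </exchanges>
        </queue>
        <queue>
          <name>example.RequestQueue</name>
          <users><user>server</user></users>
        </queue>
      </queues>
    </create>
  </access_control_list>
</security>
"""

def audit_acl(security_xml):
    """Return (full_access_users, create_grants) for one <security> subsection."""
    acl = ET.fromstring(security_xml).find("access_control_list")
    if acl is None:
        return set(), []
    # <access> users hold full rights on the virtualhost, whatever <create> says.
    full = {u.text.strip() for u in acl.findall("access/users/user") if u.text}
    grants = []
    for queue in acl.findall("create/queues/queue"):
        temporary = queue.find("temporary") is not None
        label = "<temporary>" if temporary else queue.findtext("name", "<unnamed>")
        # <user> entries sit directly under <queue> or under a nested <exchange>.
        grants += [(label, u.text.strip()) for u in queue.iter("user") if u.text]
    return full, grants

def may_create(user, queue_name, security_xml):
    """Review aid (hypothetical helper): grants are additive, so one match is enough."""
    full, grants = audit_acl(security_xml)
    return user in full or (queue_name, user) in grants
```

Because permissions cannot be taken away, every name returned in the first set should be reviewed as an administrator of that virtualhost.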

Durable topic subscriptions

...