...

Code Block
# Some groups
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \
                tom@QPID andrew@QPID debbie@QPID

# Some rules
acl allow carlt@QPID create exchange name=carl.*
acl deny rob@QPID create queue
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.ibm.#  owner=self
acl allow user-consume create queue name=tmp.*

acl allow publisher publish all durable=false
acl allow publisher create queue name=RequestQueue
acl allow consumer consume queue durable=true
acl allow fred@QPID create all
acl allow admin all
acl deny kim@QPID all
acl allow all consume queue owner=self
acl allow all bind exchange owner=self

# Last (default) rule
acl deny all all

Writing Good/Fast ACL

The file is read top down and a rule is applied on the first match. In the following example the first rule is a dead rule, i.e. the second rule is wider than the first. DON'T do this: it forces extra analysis, and in the worst case, if the parser does not kill the dead rule, you might get a false deny.

Code Block

allow peter@QPID create queue name=tmp <-- dead rule!!
allow peter@QPID create queue
deny all all

By default files end with

Code Block

deny all all

The mode of the ACL engine can be swapped to be allow based by putting the following at the end of the file:

Code Block

allow all all

Note that an 'allow' based file will be a LOT faster for message transfer. This is because the AMQP specification does not allow for creating subscriptions on publish, so the ACL is executed on every message transfer. Also, ACL rules using fewer properties on publish will in general be faster.
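To make the first-match semantics and the dead-rule problem concrete, here is an added Python example (not part of the page or of the Qpid code base) that parses a small constructed policy in the file format above, evaluates a request by first match, and flags rules that a later, wider rule of the same verdict makes dead. It assumes that 'all' is a wildcard, that property values such as name=tmp.* match as shell-style globs, and that a request matching no rule is denied.

```python
import fnmatch

# Constructed sample policy in the ACL file format described above (not the page's own file).
SAMPLE_ACL = """\
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
acl allow user-consume create queue name=tmp.*
acl deny rob@QPID create queue
acl allow peter@QPID create queue name=tmp
acl allow peter@QPID create queue
acl allow admin all
acl deny all all
"""

def parse_acl(text):
    """Return (groups, rules); rules keep file order because evaluation is first-match."""
    groups, rules = {}, []
    for raw in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "group":  # a group may list users or previously defined groups
            groups[tok[1]] = set().union(*(groups.get(m, {m}) for m in tok[2:]))
        elif tok[0] == "acl":
            verdict, subject, action = tok[1:4]
            rest = tok[4:]
            obj = rest.pop(0) if rest and "=" not in rest[0] else "all"
            rules.append((verdict, subject, action, obj, dict(p.split("=", 1) for p in rest)))
    return groups, rules

def evaluate(groups, rules, user, action, obj, props=None):
    """First matching rule decides. Assumptions: 'all' is a wildcard, property values are
    shell-style globs (so name=tmp.* matches tmp.1), and no match falls back to deny."""
    props = props or {}
    for verdict, subj, act, ob, want in rules:
        subject_ok = subj in ("all", user) or user in groups.get(subj, ())
        action_ok = act in ("all", action) and ob in ("all", obj)
        if subject_ok and action_ok and all(
                fnmatch.fnmatchcase(props.get(k, ""), v) for k, v in want.items()):
            return verdict
    return "deny"

def dead_rules(rules):
    """Index of each rule i that a later rule j with the same verdict and subject makes
    dead: j is at least as wide (same or 'all' action/object, subset of properties) and no
    opposite verdict for that subject or for 'all' sits between them (conservative check)."""
    dead = []
    for i, (v, s, a, o, p) in enumerate(rules):
        for j in range(i + 1, len(rules)):
            v2, s2, a2, o2, p2 = rules[j]
            if v2 != v and s2 in (s, "all"):
                break  # an intervening opposite rule could intercept, so stop looking
            if (v2, s2) == (v, s) and a2 in (a, "all") and o2 in (o, "all") \
                    and p2.items() <= p.items():
                dead.append(i)
                break
    return dead
```

Running dead_rules over the sample flags index 2, the 'name=tmp' rule shadowed by the wider 'create queue' rule that follows it, which is exactly the pattern the text warns against.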

Getting ACL to Log

In order to get log messages from ACL actions, use allow-log and deny-log, for example:

Code Block

allow-log john@QPID all all
deny-log guest@QPID all all

User Id / domains running with C++ broker

The user-id used for ACL is taken from the connection user-id. Thus, in order to use ACL, broker authentication has to be set up (if --auth no is used in combination with ACL, the broker will deny everything).

The user id in the ACL file is of the form <user-id>@<domain>. The domain is configured via the SASL configuration for the broker; the domain/realm for qpidd is set using --realm and defaults to 'QPID'.

To load the ACL module, load the acl module on the command line or via the config file:

Code Block

./src/qpidd --load-module src/.libs/libqpidacl.so

The ACL plugin supports two options:

Code Block

ACL Options:
  --no-enforce-acl              Do not enforce ACL
  --acl-file FILE (policy.acl)  The policy file to load from, loaded from data dir

Mapping of ACL traps to action and type

...