...
    # Some groups
    group admin tedted@QPID martinmartin@QPID
    group user-consume martinmartin@QPID tedted@QPID
    group group2 kimkim@QPID user-consume robrob@QPID
    group publisher group2 \
          tomtom@QPID andrewandrew@QPID debbiedebbie@QPID

    # Some rules
    acl allow carltcarlt@QPID create exchange name=carl.*
    acl deny robrob@QPID create queue
    acl allow guestguest@QPID bind exchange name=amq.topic routingkey=stocks.ibm.# owner=self
    acl allow user-consume create queue name=tmp.*
    acl allow publisher publish all durable=false
    acl allow publisher create queue name=RequestQueue
    acl allow consumer consume queue durable=true
    acl allow fredfred@QPID create all
    acl allow admin all
    acl deny kimkim@QPID all
    acl allow all consume queue owner=self
    acl allow all bind exchange owner=self

    # Last (default) rule
    acl deny all all
Writing Good/Fast ACL
The file is read top down and a rule is applied on the first match. In the following example the first rule is a dead rule, i.e. the second rule is wider than the first. DON'T do this: it forces extra analysis, and in the worst case, if the parser does not remove the dead rule, you might get a false deny.

    acl allow peter@QPID create queue name=tmp    <-- dead rule!!
    acl allow peter@QPID create queue
    acl deny all all
By default files end with

    acl deny all all

The mode of the ACL engine can be swapped to be allow based by putting the following at the end of the file:

    acl allow all all
Note that an 'allow' based file will be a LOT faster for message transfer. This is because the AMQP specification does not allow for creating subscriptions on publish, so the ACL is executed on every message transfer. Also, ACL rules that use fewer properties on publish will in general be faster.
Getting ACL to Log
In order to get log messages from ACL actions use allow-log and deny-log, for example:

    acl allow-log john@QPID all all
    acl deny-log guest@QPID all all
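To make the evaluation order, the dead-rule case, the default rule at the end of the file and the -log permissions concrete, here is a small Python evaluator for files in the syntax shown above. It is an added example and not part of the Qpid broker or of this page: it implements first-match semantics, expands nested groups, treats `*` (and, as a simplification, the topic wildcard `#`) as globs, handles owner=self, and flags the dead rule from the example above, either as redundant (the next rule has the same decision and is wider) or as unreachable (an earlier rule is wider). The ACL text is constructed for the example; the choice of deny when no rule matches is an assumption of this toy, not a statement about the broker.

```python
"""Toy evaluator for Qpid-style ACL files (added example, not the broker's own code)."""
import fnmatch
from dataclasses import dataclass, field

# Constructed sample ACL, modelled on the examples on this page.
SAMPLE_ACL = """\
# groups may nest; a trailing backslash continues a line
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group publisher user-consume \\
      tom@QPID
acl allow peter@QPID create queue name=tmp
acl allow peter@QPID create queue
acl deny rob@QPID create queue
acl allow user-consume create queue name=tmp.*
acl allow publisher publish all durable=false
acl allow-log guest@QPID consume queue owner=self
acl allow admin all
# last (default) rule
acl deny all all
"""

@dataclass
class Rule:
    permission: str   # allow | deny | allow-log | deny-log
    actor: str        # user@domain, group name or 'all'
    action: str       # create, consume, publish, bind, ... or 'all'
    obj: str          # queue, exchange, ... or 'all'
    props: dict = field(default_factory=dict)  # e.g. {'name': 'tmp.*', 'owner': 'self'}

    def decision(self):
        return "allow" if self.permission.startswith("allow") else "deny"

    def logged(self):
        return self.permission.endswith("-log")

def parse_acl(text):
    """Return (groups, rules). Lines starting with '#' are comments."""
    groups, rules, pending = {}, [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # line continuation
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if tok[0] == "group":
            groups[tok[1]] = tok[2:]
        elif tok[0] == "acl":
            rest = tok[4:]
            obj = rest[0] if rest and "=" not in rest[0] else "all"
            props = dict(t.split("=", 1) for t in rest if "=" in t)
            rules.append(Rule(tok[1], tok[2], tok[3], obj, props))
    return groups, rules

def members(groups, name, seen=()):
    """Recursively expand a group into the user ids it contains."""
    users = set()
    for m in groups.get(name, []):
        if m in groups and m not in seen:
            users |= members(groups, m, seen + (name,))
        else:
            users.add(m)
    return users

def actor_matches(groups, actor, user):
    return actor in ("all", user) or user in members(groups, actor)

def prop_matches(pattern, value, user):
    if pattern == "self":          # owner=self: the object must belong to the requester
        return value == user
    # '*' is a glob; the AMQP topic wildcard '#' is treated as a glob too (simplification)
    return fnmatch.fnmatchcase(value, pattern.replace("#", "*"))

def rule_matches(groups, rule, user, action, obj, props):
    return (actor_matches(groups, rule.actor, user)
            and rule.action in ("all", action)
            and rule.obj in ("all", obj)
            and all(k in props and prop_matches(v, props[k], user)
                    for k, v in rule.props.items()))

def evaluate(groups, rules, user, action, obj, **props):
    """First match wins: returns (decision, index of the matching rule or None, logged)."""
    for i, rule in enumerate(rules):
        if rule_matches(groups, rule, user, action, obj, props):
            return rule.decision(), i, rule.logged()
    return "deny", None, False     # this toy's choice when nothing matches (assumption)

def covers(groups, wide, narrow):
    """True if every request matched by `narrow` is also matched by `wide`.
    Property values are compared literally; glob subsumption is not analysed."""
    def users(actor):
        return None if actor == "all" else (members(groups, actor) or {actor})
    wu, nu = users(wide.actor), users(narrow.actor)
    return ((wu is None or (nu is not None and nu <= wu))
            and wide.action in ("all", narrow.action)
            and wide.obj in ("all", narrow.obj)
            and all(narrow.props.get(k) == v for k, v in wide.props.items()))

def dead_rules(groups, rules):
    """Rules that can be dropped without changing any decision: 'unreachable' (an earlier
    rule is at least as wide) or 'redundant' (the next rule has the same decision and is wider)."""
    found = []
    for i, rule in enumerate(rules):
        if any(covers(groups, earlier, rule) for earlier in rules[:i]):
            found.append((i, "unreachable"))
        elif (i + 1 < len(rules) and rules[i + 1].decision() == rule.decision()
              and covers(groups, rules[i + 1], rule)):
            found.append((i, "redundant"))
    return found

if __name__ == "__main__":
    groups, rules = parse_acl(SAMPLE_ACL)
    print(evaluate(groups, rules, "tom@QPID", "publish", "exchange", durable="false"))
    print(evaluate(groups, rules, "guest@QPID", "consume", "queue", owner="guest@QPID"))
    print(dead_rules(groups, rules))   # rule 0 is the dead rule from the example above
```

Running the script shows a publish by a nested-group member being allowed by the durable=false rule, a consume on the requester's own queue being allowed and logged by the allow-log rule, and rule 0 reported as redundant because rule 1 is wider with the same decision; a request that matches nothing before the last line falls through to the deny all all default.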
User Id / domains running with C++ broker
The user-id used for ACL is taken from the connection user-id. Thus, in order to use ACL, broker authentication has to be set up (if --auth no is used in combination with ACL the broker will deny everything).
The user id in the ACL file is of the form <user-id>@<domain>. The domain is configured via the SASL configuration for the broker; the domain/realm for qpidd is set using --realm and defaults to 'QPID'.
To load the ACL module, load the acl module on the command line or via the config file:
    ./src/qpidd --load-module src/.libs/libqpidacl.so
The ACL plugin supports two options:
    ACL Options:
      --no-enforce-acl               Do not enforce ACL
      --acl-file FILE (policy.acl)   The policy file to load from, loaded from data dir
Mapping of ACL traps to action and type
...