You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Java XML ACLs

This page documents version 1 of Qpid ACLs that was implemented only in the Java broker.

Specification

The XML ACL focus was to take to business style focus to access rather than the individual AMQP method level.
As a result we have the following permissions:

  • CONSUME
  • PUBLISH
  • CREATE
  • ACCESS
  • BIND
  • UNBIND
  • DELETE
  • PURGE

XML Format

User Guide (SimpleXML)

The XML ACLs have been implemented as an [ ACLPlugin | Qpid Design - ACLPlugin ] class, SimpleXML. Currently this class ios only configurable via the main broker configuration file, this means that all the ACL configuration must be included in the main configuration file.

Permission Limitations

Only the first three permissions, CONSUME, PUBLISH and CREATE have been implemented. An oversight in the original design resulted in the inability to specify negative permissions. As a result permission can only be granted to users and not taken away.

Enabling XML ACLs

To enable the ACLs the security access class in the main broker configuration needs to be updated as follows:

...
<security>
    <access>
        <class>org.apache.qpid.server.security.access.plugins.SimpleXML</class>
    </access>
...

This tells the broker that it should use the SimpleXML class to perform access control. When the broker starts up the SimpleXML class will look in the the <security> section for the required ACLs.

ACL Configuration

The ACL configuration lives inside the <access_control_list> section, inside <security>.

<security>
  <access_control_list>
    <!-- This section grants publish rights to an exchange + routing key pair -->
    <publish>...</publish>
                         
    <!-- This section grants users the ability to consume from the broker -->
    <consume>...</consume>
                            
    <!-- This section grants clients the ability to create queues and exchanges -->
    <create>...</create>
  </access_control_list>
...

This gives the basic structure for the configuration the contents of each section naturally depend on what permissions are needed.

PUBLISH Section

<publish>    
    <exchanges>
        <exchange>
            <!-- This is the name of the exchange to limit publication to. -->
            <name>...</name>
            <routing_keys>

                <!-- Allow clients to publish requests -->
                <routing_key>
                    <value>example.RequestQueue</value>
                    <users>
                        <user>client</user>
                    </users>
                </routing_key>

                <!-- Allow the processor to respond to a client on their Temporary Topic -->
                <routing_key>
                    <value>tmp_*</value>
                    <users>
                        <user>server</user>
                    </users>
                </routing_key>
                <routing_key>
                    <value>TempQueue*</value>
                    <users>
                        <user>server</user>
                    </users>
                </routing_key>
            </routing_keys>

        </exchange>
    </exchanges>
</publish>

CONSUME Section

CREATE Section

Known Issues

  • temporary flag
  • No labels