activemq-dev mailing list archives
From: Lionel Cons <lionel.c...@cern.ch>
Subject: Apollo Authorization & Inheritance
Date: Tue, 21 Jun 2011 07:02:35 GMT
Hiram,

The Apollo User Manual states that:

    If a configuration resource does not have an acl element defined
    within it, then the resource allows access if the containing resource
    would allow access to the action. If the action is not defined in the
    containing resource then it allows anyone to access.

This inheritance rule looks very useful. In practice, it has limitations.

For instance, if I want to have a secured broker where sending and
receiving is denied by default, I could imagine having something like:

    <acl>
      <send deny="*"/>
      <receive deny="*"/>
    </acl>

at broker or virtual_host level. This would apply to all types of
destinations (queue, topic and dsub). Then I can allow some
destination explicitly later on.

However, this (currently) does not work because "send" or "receive" is
not allowed at broker or virtual_host level. At least, this is what
the User Manual and the XSD file tell me.

So, to achieve the same thing, I have to add something like:

    <queue>
      <acl>
        <send deny="*"/>
        <receive deny="*"/>
      </acl>
    </queue>
    <topic>
      <acl>
        <send deny="*"/>
        <receive deny="*"/>
      </acl>
    </topic>
    <dsub>
      <acl>
        <send deny="*"/>
        <receive deny="*"/>
      </acl>
    </dsub>

What do you think about extending what can be set at broker and
virtual_host level?

Cheers,

Lionel
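Added example (not part of Lionel's mail and not Apollo's own code): a small Python model of the inheritance rule quoted from the User Manual, applied to the acl fragments the mail shows. It makes the default-allow behaviour visible: with no acl defining an action anywhere up the containment chain, the action is open to anyone, which is why forgetting one destination type or one action in the per-type workaround leaves that path open. Assumptions, not taken from the page: the `allow` attribute, space-separated principal names, `*` matching everyone, deny taking precedence over allow, a defined action with no matching allow being refused, and the search continuing to the containing resource when an acl exists but does not mention the action.

```python
"""Model of the ACL inheritance rule quoted from the Apollo User Manual.

Illustrative code written for this thread, not Apollo's implementation.
Resources form a containment chain (broker > virtual_host > destination
type > destination); each entry is a parsed <acl> element in the shape
the mail uses, or None when the resource has no acl element at all.
Assumed rule syntax: <send allow="a b"/> / <send deny="*"/>, names
separated by spaces, '*' matching anyone, deny beating allow, and an
action that is defined but grants no allow match being refused.
"""
import xml.etree.ElementTree as ET


def parse_acl(xml):
    """Parse one <acl> fragment; None means 'no acl element on this resource'."""
    return None if xml is None else ET.fromstring(xml)


def rule_allows(rule, principal):
    """Decide one <send>/<receive> rule for a principal (assumed semantics)."""
    deny = rule.get("deny", "").split()
    allow = rule.get("allow", "").split()
    if "*" in deny or principal in deny:
        return False
    return "*" in allow or principal in allow


def is_allowed(chain, action, principal):
    """Apply the manual's inheritance rule along a chain ordered outermost to
    innermost. Assumption: when a resource has no acl, or its acl does not
    mention the action, the search climbs to the containing resource; if
    nothing up the chain defines the action, anyone may access."""
    for acl in reversed(chain):
        if acl is None:
            continue                    # no <acl> here: defer to container
        rule = acl.find(action)
        if rule is None:
            continue                    # action not defined here: defer upward
        return rule_allows(rule, principal)
    return True                         # undefined everywhere: open to anyone


# Constructed acl fragments in the mail's shape (sample data, not real config).
DENY_ALL = "<acl><send deny='*'/><receive deny='*'/></acl>"
ORDERS = "<acl><send allow='producer'/><receive allow='consumer'/></acl>"
SEND_ONLY = "<acl><send deny='*'/></acl>"


def evaluate_scenarios():
    """Chains are [broker, virtual_host, destination type, destination]."""
    deny_all, orders, send_only = map(parse_acl, (DENY_ALL, ORDERS, SEND_ONLY))
    return {
        # No acl anywhere: the rule bottoms out in "allows anyone to access".
        "unconfigured": is_allowed([None, None, None, None], "send", "anyone"),
        # The mail's workaround: deny-all on the queue type. An unnamed queue
        # inherits the deny; the "orders" queue re-opens access to named users.
        "workaround_other_queue": is_allowed([None, None, deny_all, None], "send", "anyone"),
        "workaround_orders_producer": is_allowed([None, None, deny_all, orders], "send", "producer"),
        "workaround_orders_stranger": is_allowed([None, None, deny_all, orders], "send", "anyone"),
        # A type-level acl that forgets <receive>: receive falls through to open.
        "send_only_receive_open": is_allowed([None, None, send_only, None], "receive", "anyone"),
        # What the mail asks for: one deny-all at broker level covering every type.
        "broker_level_deny": is_allowed([deny_all, None, None, None], "receive", "anyone"),
    }


if __name__ == "__main__":
    for name, decision in evaluate_scenarios().items():
        print(f"{name:28s} {'allow' if decision else 'deny'}")
```

The `send_only_receive_open` scenario is the case to watch when maintaining the per-type workaround: every destination type must carry a deny for every action, because any action left undefined resolves to "anyone".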
