I'll apologize in advance that I'm pretty new to QPid (and AMQP) in general, so forgive the possibly n00b questions :) I've been playing around with federation and reading through the Qpid docs as well as the Redhat MRG docs. I can only seem to get it working if I completely open up the ACL on the destination side, i.e. acl has "acl allow-log all all" When I send to the source broker, with a wide-open ACL, the message gets dumped over to the dest broker just fine. Without "acl allow-log all all" in my ACL, it gets denied. Looking at the logs on the dest broker, there doesn't seem to be an 'id' associated with the publish, even though it was authenticated on the source side. I'd have expected that the 'id' showing up on the dest broker would either be the authenticated sender ('mark' in this case) or the user used to create the federation -- cleverly named 'router' in this case. I'm using the same ACL file for both brokers and both 'mark' and 'router' have "acl allow-log all all", so they don't have any problem performing actions on either broker (just a test bed). The federation was created with a static route: # qpid-route route add router/router@localhost:5672 router/router@localhost:5671 amq.direct mykey On the source broker: 2009-feb-20 22:24:13 info ACL Allow id:mark@QPID action:publish ObjectType:exchange Name:amq.direct 2009-feb-20 22:24:13 debug Message 0x80cc400 enqueued on bridge_queue_1_ba641f59-76ef-48c2-875c-d05e6c5d2132[0x80cb538] On the dest broker (with open ACL): 2009-feb-20 22:24:05 info Inter-broker link established to localhost:5671 2009-feb-20 22:24:13 info ACL Allow id: action:publish ObjectType:exchange Name:amq.direct On the dest broker (without a wide-open ACL): 2009-feb-20 22:32:04 info Inter-broker link established to localhost:5671 2009-feb-20 22:32:20 info ACL Deny id: action:publish ObjectType:exchange Name:amq.direct 2009-feb-20 22:32:20 error Execution exception: not-allowed: cannot publish to amq.direct with routing-key mykey (qpid/broker/SemanticState.cpp:384) My question is: is that a normal consequence of federation, i.e. that credentials aren't passed around and that neither the authenticated sender nor the user used to create the static route is used as the 'id' on the dest side? If not, is there some obvious configuration option I'm missing? Thanks! And again, sorry for the possibly RTFM! --------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:users-subscribe@qpid.apache.org