qpid-users mailing list archives

From Ted Ross <tr...@redhat.com>
Subject Re: ACL to allow QMF agents / clients
Date Wed, 30 May 2012 15:29:26 GMT
Hi Paul,

This aspect of ACL is the same in 0.16 as it is in 0.14.  That matahari 
web link is very up-to-date.

-Ted

On 05/30/2012 12:09 AM, Paul Colby wrote:
> Hi,
>
> I'm implementing an access control list (ACL) for an internal Qpid cluster.
>   Most of the ACL is nice and straight-forward.  However, I'm wondering what
> the best way is to enable QMF agents and clients to work (we have our own
> custom QMF agents and clients using QMF2, plus of the standard Qpid tools).
>
> When I said "best" above, I'm meaning:
> * minimum extraneous access (ie not giving away more access than required);
> and
> * most maintainable (ie small number of clear, concise rules).
>
> I've seen the rules at
> https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and
> they look pretty good.  They seem to have been based on Qpid 0.12, and  I
> vaguely recall reading plans to improve this aspect of ACL some time ago...
>
> So, is the following the best there is, or can I do better with Qpid 0.16?
>   (I've intentionally skipped the declaration of the agents and consoles
> groups)
>
> acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
> acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
> acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
> acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
> acl allow agents create link
> acl allow agents create queue
> acl allow agents create exchange name=qmf.default.topic
> acl allow agents access exchange name=qmf.default.topic
> acl allow agents consume
>
> acl allow consoles create exchange name=qmf.default.direct
> acl allow consoles access exchange name=qmf.default.direct
> acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
> acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
> acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
> acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
> acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
> acl allow consoles create queue
> acl allow consoles create exchange name=qmf.default.topic
> acl allow consoles access exchange name=qmf.default.topic
> acl allow consoles consume
>
> acl deny-log all all
>
> Thanks! :)
>
> Paul
> ----
> http://colby.id.au
>
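
An added example, not part of the thread and not Qpid code: a simplified model of top-down, first-match ACL evaluation with trailing-`*` property matching, run over a subset of the agents rules quoted above, plus a check that lists allow rules carrying no property constraint. The helper names, the sample routing keys, passing the group name directly as the requester, and the default-deny fallback are assumptions of this sketch.

```python
# Constructed sample: a subset of the "agents" rules quoted in the thread.
ACL_TEXT = """\
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create queue
acl allow agents consume
acl deny-log all all
"""

def parse_acl(text):
    """Parse 'acl <permission> <who> <action> [object] [prop=value ...]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "acl":
            continue
        rest = tok[4:]
        obj = rest.pop(0) if rest and "=" not in rest[0] else "all"
        rules.append({"perm": tok[1], "who": tok[2], "action": tok[3],
                      "object": obj, "props": dict(p.split("=", 1) for p in rest),
                      "line": line})
    return rules

def value_matches(pattern, value):
    """Exact match, or prefix match when the rule value ends in '*'."""
    if value is None:
        return False
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern

def decide(rules, group, action, obj, **props):
    """Permission of the first matching rule, scanning top-down."""
    for r in rules:
        if (r["who"] in (group, "all") and r["action"] in (action, "all")
                and r["object"] in (obj, "all")
                and all(value_matches(v, props.get(k)) for k, v in r["props"].items())):
            return r["perm"]
    return "deny"  # assumption of this sketch: nothing matched means deny

def unconstrained(rules):
    """Allow rules with no property constraint: the widest grants to review."""
    return [r["line"] for r in rules if r["perm"].startswith("allow") and not r["props"]]

RULES = parse_acl(ACL_TEXT)
if __name__ == "__main__":
    print(decide(RULES, "agents", "publish", "exchange",
                 name="qmf.default.topic", routingkey="direct-agent.a1"))
    print("\n".join(unconstrained(RULES)))
```

The rules reported by `unconstrained` are the ones to look at first when trimming for minimum access, since they apply to any queue or link name.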

