qpid-users mailing list archives

From Paul Colby <p...@colby.id.au>
Subject ACL to allow QMF agents / clients
Date Wed, 30 May 2012 04:09:03 GMT
Hi,

I'm implementing an access control list (ACL) for an internal Qpid cluster.
Most of the ACL is nice and straightforward. However, I'm wondering what
the best way is to enable QMF agents and clients to work (we have our own
custom QMF agents and clients using QMF2, plus the standard Qpid tools).

When I said "best" above, I mean:
* minimum extraneous access (i.e. not giving away more access than required);
and
* most maintainable (i.e. a small number of clear, concise rules).

I've seen the rules at
https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and
they look pretty good. They seem to have been based on Qpid 0.12, and I
vaguely recall reading plans to improve this aspect of ACL some time ago...

So, is the following the best there is, or can I do better with Qpid 0.16?
(I've intentionally skipped the declaration of the agents and consoles
groups.)

acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume

acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume

acl deny-log all all

Thanks! :)

Paul
----
http://colby.id.au
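To check what a rule set like the one in the post actually grants before loading it into a broker, it helps to replay sample requests against it. The following is an added example (not part of Paul's message and not Qpid's own ACL engine): a small first-match evaluator for rules in the `acl <decision> <subject> [action [object [prop=value ...]]]` form, run over the agents/consoles rules quoted above. It assumes that rules are matched top to bottom with the first match winning, that `*` in a property value matches any run of characters (simple glob), and that a request matched by no rule is denied; the group memberships (`agent1`, `qpid-tool`) and request values are constructed for the demonstration.

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed input: the agents/consoles rules from the post, followed by the
# catch-all deny. Group declarations, which the post omitted, are modelled by
# the GROUPS dict below instead of 'group' lines.
ACL_TEXT = """\
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume

acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume

acl deny-log all all
"""

# Constructed group membership; the user names are hypothetical.
GROUPS = {"agents": {"agent1"}, "consoles": {"qpid-tool"}}


@dataclass
class Rule:
    decision: str   # allow, deny, allow-log or deny-log
    subject: str    # user name, group name or 'all'
    action: str     # bind, publish, create, access, consume, ... or 'all'
    obj: str        # exchange, queue, link, ... or 'all'
    props: dict = field(default_factory=dict)  # e.g. name=..., routingkey=...


def parse_acl(text):
    """Parse 'acl <decision> <subject> [action [object [prop=value ...]]]' lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 3:
            raise ValueError(f"line {lineno}: not an acl rule: {raw!r}")
        decision, subject = parts[1], parts[2]
        if decision not in ("allow", "deny", "allow-log", "deny-log"):
            raise ValueError(f"line {lineno}: unknown decision {decision!r}")
        action = parts[3] if len(parts) > 3 else "all"
        obj = parts[4] if len(parts) > 4 else "all"
        props = {}
        for kv in parts[5:]:
            key, sep, value = kv.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: bad property {kv!r}")
            props[key] = value
        rules.append(Rule(decision, subject, action, obj, props))
    return rules


def _props_match(rule_props, request_props):
    """Every property the rule names must be present and glob-match it."""
    for key, pattern in rule_props.items():
        value = request_props.get(key)
        if value is None or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def evaluate(rules, groups, user, action, obj, **props):
    """First matching rule wins; returns (decision, rule_index).

    Assumption: a request that no rule matches is denied (index -1)."""
    for index, rule in enumerate(rules):
        if rule.subject not in ("all", user) and user not in groups.get(rule.subject, ()):
            continue
        if rule.action not in ("all", action) or rule.obj not in ("all", obj):
            continue
        if not _props_match(rule.props, props):
            continue
        return ("allow" if rule.decision.startswith("allow") else "deny", index)
    return ("deny", -1)


def has_catch_all(rules):
    """True when the final rule is a 'deny'/'deny-log all all', so nothing falls through."""
    if not rules:
        return False
    last = rules[-1]
    return last.decision.startswith("deny") and (last.subject, last.action, last.obj) == ("all", "all", "all")


RULES = parse_acl(ACL_TEXT)


def check(user, action, obj, **props):
    """Evaluate one constructed request against the post's rule set."""
    return evaluate(RULES, GROUPS, user, action, obj, **props)


if __name__ == "__main__":
    print("catch-all deny present:", has_catch_all(RULES))
    # An agent replying to a console is allowed; an agent impersonating a console is not.
    print(check("agent1", "publish", "exchange", name="qmf.default.topic", routingkey="direct-console.5"))
    print(check("agent1", "publish", "exchange", name="qmf.default.topic", routingkey="console.1"))
    # Only consoles may talk to the broker's own agent on qmf.default.direct.
    print(check("agent1", "access", "exchange", name="qmf.default.direct"))
    print(check("qpid-tool", "publish", "exchange", name="qmf.default.direct", routingkey="broker"))
```

The returned rule index tells you which line granted or refused a request, which is what you need when trimming a rule set for least privilege: every `allow` you expect should resolve to a specific rule, and everything else should land on the final `deny-log all all`. Wildcard semantics differ between Qpid releases (later brokers apply topic-style matching to routing keys), so treat the glob behaviour here as illustrative and confirm it against the ACL documentation for the broker version you run.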
