qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Colby <p...@colby.id.au>
Subject Re: ACL to allow QMF agents / clients
Date Thu, 31 May 2012 22:51:02 GMT
Thanks Ted,

I'll use the matahari example as a starting point then.

Though I can confirm that it is insufficient for me with Qpid 0.16... for
example, one of my QMF2 agents also requires:

acl allow agents create exchange name=qmf.default.direct

(Of course the matahari example would still work, if my agent happened to
also be a console member, but its not in my case).

Thanks again,

pc
----
http://colby.id.au


On Thu, May 31, 2012 at 1:29 AM, Ted Ross <tross@redhat.com> wrote:

> Hi Paul,
>
> This aspect of ACL is the same in 0.16 as it is in 0.14.  That matahari
> web link is very up-to-date.
>
> -Ted
>
>
> On 05/30/2012 12:09 AM, Paul Colby wrote:
>
>> Hi,
>>
>> I'm implementing an access control list (ACL) for an internal Qpid
>> cluster.
>>  Most of the ACL is nice and straight-forward.  However, I'm wondering
>> what
>> the best way is to enabled QMF agents and clients to work (we have our own
>> custom QMF agents and clients using QMF2, plus of the standard Qpid
>> tools).
>>
>> When I said "best" above, I'm meaning:
>> * minimum extraneous access (ie not giving away more access than
>> required);
>> and
>> * most maintainable (ie small number of clear, concise rules).
>>
>> I've seen the rules at
>> https://github.com/matahari/**matahari/wiki/QMF-Access-**Control-Policy<https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy>and
>> they look pretty good.  They seem to have been based on Qpid 0.12, and  I
>> vaguely recall reading plans to improve this aspect of ACL some time
>> ago...
>>
>> So, is the following the best there is, or can I do better with Qpid 0.16?
>>  (I've intentionally skipped the declaration of the agents and consoles
>> groups)
>>
>> acl allow agents bind exchange name=qmf.default.topic
>> routingkey=direct-agent.*acl allow agents bind exchange
>> name=qmf.default.topic routingkey=console.*acl allow agents publish
>> exchange name=qmf.default.topic routingkey=direct-console.*acl allow
>> agents publish exchange name=qmf.default.topic routingkey=agent.*acl
>> allow agents create linkacl allow agents create queueacl allow agents
>> create exchange name=qmf.default.topicacl allow agents access exchange
>> name=qmf.default.topicacl allow agents consume
>>
>>
>> acl allow consoles create exchange name=qmf.default.directacl allow
>> consoles access exchange name=qmf.default.directacl allow consoles
>>
>> bind exchange name=qmf.default.topic routingkey=direct-console.*acl
>> allow consoles bind exchange name=qmf.default.topic
>> routingkey=agent.*acl allow consoles publish exchange
>> name=qmf.default.topic routingkey=direct-agent.*acl allow consoles
>> publish exchange name=qmf.default.topic routingkey=console.*acl allow
>>
>> consoles publish exchange name=qmf.default.direct routingkey=brokeracl
>> allow consoles create queueacl allow consoles create exchange
>> name=qmf.default.topicacl allow consoles access exchange
>> name=qmf.default.topicacl allow consoles consume
>>
>>
>> acl deny-log all all
>>
>> Thanks! :)
>>
>> Paul
>> ----
>> http://colby.id.au
>>
>>
>
> ------------------------------**------------------------------**---------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.**org<users-unsubscribe@qpid.apache.org>
> For additional commands, e-mail: users-help@qpid.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message