Subject: ACL to allow QMF agents / clients
From: Paul Colby
To: users@qpid.apache.org
Date: Wed, 30 May 2012 14:09:03 +1000

Hi,

I'm implementing an access control list (ACL) for an internal Qpid cluster. Most of the ACL is nice and straightforward. However, I'm wondering what the best way is to enable QMF agents and clients to work (we have our own custom QMF agents and clients using QMF2, plus the standard Qpid tools).

When I said "best" above, I'm meaning:
* minimum extraneous access (i.e. not giving away more access than required); and
* most maintainable (i.e. a small number of clear, concise rules).

I've seen the rules at https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and they look pretty good. They seem to have been based on Qpid 0.12, and I vaguely recall reading plans to improve this aspect of ACL some time ago...

So, is the following the best there is, or can I do better with Qpid 0.16?
(I've intentionally skipped the declaration of the agents and consoles groups)

acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny-log all all

Thanks! :)

Paul
----
http://colby.id.au
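Added example, not part of the post and not Qpid's own code: a small model of how the Qpid C++ broker walks an ACL file, used to check what the rule set above actually grants before it goes on a broker. The matching semantics are assumptions about the broker (rules are tried in file order and the first match decides; an omitted object or property matches everything; `*` in a property value is a wildcard; a rule that names a property only matches a request that supplies it), and the two `group` lines are constructed placeholders because the post omits its group declarations. The `broad_allows` lint is a hypothetical helper that flags allow rules with no property constraint, which is where the "minimum extraneous access" goal is most likely to slip.

```python
# Added example (not Qpid's code and not from the post): a small model of
# how the Qpid C++ broker evaluates an ACL file.  Assumed semantics: rules
# are tried in file order and the first match decides; an omitted object
# or property matches everything; '*' in a property value is a wildcard;
# a rule naming a property only matches a request that supplies it.
import re

# Constructed input: the post omits its group declarations, so the two
# "group" lines are placeholders; the "acl" lines are the posted rules.
ACL_TEXT = """
group agents agent1@QPID agent2@QPID
group consoles console1@QPID
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny-log all all
"""


def parse_acl(text):
    """Return (groups, rules): groups maps name -> set of users; rules is
    an ordered list of dicts with perm, who, action, object and props."""
    groups, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        toks = line.split()
        if toks[0] == "group":
            groups.setdefault(toks[1], set()).update(toks[2:])
        elif toks[0] == "acl":
            perm, who, action = toks[1:4]
            rest = toks[4:]
            # Third word after the action is the object unless it is a
            # property=value pair; no object means "all".
            obj = rest.pop(0) if rest and "=" not in rest[0] else "all"
            props = dict(p.split("=", 1) for p in rest)
            rules.append({"perm": perm, "who": who, "action": action,
                          "object": obj, "props": props})
        else:
            raise ValueError("unrecognised ACL line: %r" % raw)
    return groups, rules


def _prop_match(pattern, value):
    """'*' matches any run of characters; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(groups, rules, user, action, obj, **props):
    """First matching rule wins; returns its permission ('allow', 'deny',
    'deny-log', ...) or 'no-match' if no rule applied."""
    for r in rules:
        if r["who"] != "all" and r["who"] != user \
                and user not in groups.get(r["who"], ()):
            continue
        if r["action"] not in ("all", action) or r["object"] not in ("all", obj):
            continue
        if all(k in props and _prop_match(v, props[k])
               for k, v in r["props"].items()):
            return r["perm"]
    return "no-match"


def broad_allows(rules):
    """Lint (hypothetical helper): allow rules with no property constraint
    apply to every object of that kind, e.g. 'acl allow agents consume'."""
    return [r for r in rules if r["perm"] == "allow" and not r["props"]]


if __name__ == "__main__":
    groups, rules = parse_acl(ACL_TEXT)
    checks = [
        ("agent1@QPID", "bind", "exchange",
         dict(name="qmf.default.topic", routingkey="direct-agent.agent1")),
        ("agent1@QPID", "publish", "exchange",
         dict(name="qmf.default.topic", routingkey="console.x")),
        ("agent1@QPID", "consume", "queue", dict(name="someone-elses-queue")),
        ("console1@QPID", "publish", "exchange",
         dict(name="qmf.default.direct", routingkey="broker")),
        ("stranger@QPID", "create", "queue", {}),
    ]
    for user, action, obj, props in checks:
        print(user, action, obj, props, "->",
              evaluate(groups, rules, user, action, obj, **props))
    for r in broad_allows(rules):
        print("unconstrained allow:", r["who"], r["action"], r["object"])
```

Two things the run makes visible that the rule list alone does not: every request from a user outside the two groups, and every group request not covered by an earlier rule, lands on the trailing `acl deny-log all all`, so removing that line changes the answer for those requests to "no rule matched"; and the rules without a `name=` constraint (`create queue`, `create link`, `consume` for both groups) are the ones that grant an agent or console rights on queues it did not create, which is the extraneous access the post asks about. Whether the real broker accepts a particular tightening (for example a `name=` pattern on `consume`) should be checked against the ACL documentation for the broker version in use.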