Subject: Re: ACL to allow QMF agents / clients
From: Paul Colby
To: users@qpid.apache.org
Date: Fri, 1 Jun 2012 08:51:02 +1000
In-Reply-To: <4FC63CD6.9060607@redhat.com>
References: <4FC63CD6.9060607@redhat.com>

Thanks Ted,

I'll use the matahari example as a starting point then. Though I can confirm that it is insufficient for me with Qpid 0.16... for example, one of my QMF2 agents also requires:

acl allow agents create exchange name=qmf.default.direct

(Of course the matahari example would still work, if my agent happened to also be a console member, but it's not in my case).

Thanks again,

pc
----
http://colby.id.au

On Thu, May 31, 2012 at 1:29 AM, Ted Ross wrote:
> Hi Paul,
>
> This aspect of ACL is the same in 0.16 as it is in 0.14. That matahari
> web link is very up-to-date.
>
> -Ted
>
> On 05/30/2012 12:09 AM, Paul Colby wrote:
>> Hi,
>>
>> I'm implementing an access control list (ACL) for an internal Qpid cluster.
>> Most of the ACL is nice and straight-forward. However, I'm wondering what
>> the best way is to enable QMF agents and clients to work (we have our own
>> custom QMF agents and clients using QMF2, plus of the standard Qpid tools).
>>
>> When I said "best" above, I'm meaning:
>> * minimum extraneous access (i.e. not giving away more access than required); and
>> * most maintainable (i.e. small number of clear, concise rules).
>>
>> I've seen the rules at
>> https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and
>> they look pretty good. They seem to have been based on Qpid 0.12, and I
>> vaguely recall reading plans to improve this aspect of ACL some time ago...
>>
>> So, is the following the best there is, or can I do better with Qpid 0.16?
>> (I've intentionally skipped the declaration of the agents and consoles groups)
>>
>> acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
>> acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
>> acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
>> acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
>> acl allow agents create link
>> acl allow agents create queue
>> acl allow agents create exchange name=qmf.default.topic
>> acl allow agents access exchange name=qmf.default.topic
>> acl allow agents consume
>>
>> acl allow consoles create exchange name=qmf.default.direct
>> acl allow consoles access exchange name=qmf.default.direct
>> acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
>> acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
>> acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
>> acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
>> acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
>> acl allow consoles create queue
>> acl allow consoles create exchange name=qmf.default.topic
>> acl allow consoles access exchange name=qmf.default.topic
>> acl allow consoles consume
>>
>> acl deny-log all all
>>
>> Thanks! :)
>>
>> Paul
>> ----
>> http://colby.id.au
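The thread above hinges on two properties of Qpid's ACL file: rules are evaluated in order with the first match winning, and a trailing `acl deny-log all all` turns every unmatched request into a logged denial. The following is an added example, not part of the thread and not Qpid's own ACL engine: a small Python evaluator for the rule subset Paul posted (`group` lines, `acl <permission> <subject> <action> [<object>] [prop=value ...]`), which lets you check a proposed ACL offline against concrete requests before loading it on a broker. The group members (`agent1@QPID`, `console1@QPID`, ...) are constructed, and property wildcards are approximated with `fnmatch`, which is an assumption; confirm the documented `routingkey` matching rules for your broker version before relying on it. The demo reproduces the case Paul reports (an agent creating `qmf.default.direct` falls through to the final deny) and shows that adding the one rule he names, above the deny line, fixes only that request and nothing else.

```python
"""Toy evaluator for Qpid-style broker ACL files (added example, not Qpid code).

Models: 'group' lines, 'acl' lines, first-match-wins evaluation and a default
of deny when no rule matches. Property wildcards use fnmatch (an assumption).
"""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Rule:
    permission: str   # allow, allow-log, deny, deny-log
    subject: str      # group name, user name or "all"
    action: str       # create, bind, publish, access, consume, ... or "all"
    obj: str          # exchange, queue, link, ... or "all"
    props: dict = field(default_factory=dict)  # e.g. {"name": "qmf.default.topic"}


def parse_acl(text):
    """Parse an ACL file into (groups, rules); raise ValueError on unknown lines."""
    groups, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "group":
            groups.setdefault(parts[1], set()).update(parts[2:])
        elif parts[0] == "acl" and len(parts) >= 4:
            perm, subject, action, rest = parts[1], parts[2], parts[3], parts[4:]
            obj = "all"
            if rest and "=" not in rest[0]:       # the object token is optional
                obj, rest = rest[0], rest[1:]
            props = dict(kv.split("=", 1) for kv in rest)
            rules.append(Rule(perm, subject, action, obj, props))
        else:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
    return groups, rules


def _matches(rule, groups, user, action, obj, props):
    """True when the rule applies to this user/action/object and all its properties match."""
    if rule.subject not in ("all", user) and user not in groups.get(rule.subject, ()):
        return False
    if rule.action not in ("all", action) or rule.obj not in ("all", obj):
        return False
    # Every property the rule names must be present in the request and match its pattern.
    return all(k in props and fnmatch.fnmatchcase(props[k], v)
               for k, v in rule.props.items())


def decide(groups, rules, user, action, obj, props=None):
    """Return ('allow'|'deny', matching rule or None) using first-match semantics."""
    props = props or {}
    for rule in rules:
        if _matches(rule, groups, user, action, obj, props):
            return ("allow" if rule.permission.startswith("allow") else "deny"), rule
    return "deny", None      # nothing matched: treated as deny here (assumption)


# Constructed sample: the rules from the thread plus made-up group members.
THREAD_ACL = """
group agents   agent1@QPID agent2@QPID
group consoles console1@QPID
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny-log all all
"""


def demo():
    """Evaluate a handful of requests against the thread's ACL, then against a patched copy."""
    groups, rules = parse_acl(THREAD_ACL)
    agent, console, topic = "agent1@QPID", "console1@QPID", "qmf.default.topic"
    results = {
        # Paul's observed failure: the agent's exchange create hits the final deny-log rule.
        "agent_create_direct": decide(groups, rules, agent, "create", "exchange",
                                      {"name": "qmf.default.direct"})[0],
        "agent_create_topic": decide(groups, rules, agent, "create", "exchange",
                                     {"name": topic})[0],
        "agent_publish_agent_key": decide(groups, rules, agent, "publish", "exchange",
                                          {"name": topic, "routingkey": "agent.1234"})[0],
        "agent_publish_console_key": decide(groups, rules, agent, "publish", "exchange",
                                            {"name": topic, "routingkey": "console.1234"})[0],
        "console_create_direct": decide(groups, rules, console, "create", "exchange",
                                        {"name": "qmf.default.direct"})[0],
    }
    # Insert the rule Paul names, above the catch-all deny so it can actually match.
    patched = THREAD_ACL.replace(
        "acl deny-log all all",
        "acl allow agents create exchange name=qmf.default.direct\nacl deny-log all all")
    groups2, rules2 = parse_acl(patched)
    results["agent_create_direct_patched"] = decide(
        groups2, rules2, agent, "create", "exchange", {"name": "qmf.default.direct"})[0]
    results["agent_publish_console_key_patched"] = decide(
        groups2, rules2, agent, "publish", "exchange",
        {"name": topic, "routingkey": "console.1234"})[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:36s} {verdict}")
```

Because a `deny-log` catch-all is the last line, the evaluator only reaches its default-deny branch for files that omit such a line; keeping the explicit catch-all in the real file is what makes every unexpected request show up in the broker log, which is the detection signal Paul's rule set relies on when an agent is granted too little.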