qpid-users mailing list archives

From Domen Vrankar <domen.vran...@gmail.com>
Subject [C++ broker] temporary queues and ACL usage
Date Mon, 14 Mar 2016 12:46:01 GMT
Hi,

I'm using qpid C++ 0.34 with SSL authentication.

I have a mixture of durable and temporary queues and am trying to
limit the access with ACL.

All users have access to a single exchange for sending messages but
only some users have permission to read from one or more queues
connected to that exchange.
Also each program creates its own temporary queue
(session_.createReceiver("#");) that should be used only as a reply
queue but since it is a randomly generated UUID and expected messages
have a certain reference id it's probably secured enough even if send
permissions are not limited (if I understand correctly creator of
temporary queue is the only one that is able to receive from it).

With ACL list I use:

acl allow send@QPID access exchange
acl allow send@QPID access queue
...

and everything works fine but is not very restrictive but if I try to
limit access based on name:

acl allow send@QPID access exchange name="send"
acl allow send@QPID access queue name="receive"
...

replying to temporary queues no longer works due to access permissions
not being satisfied.

Prefixing queue with a constant string and generating uuid manually
for the rest of the name works fine with:

acl allow send@QPID access exchange name="send"
acl allow send@QPID access queue name="tmp.*"
...

but this requires manual generation of queue names even though I don't
need to know them outside the application since they are intended as
direct reply queues only - address is provided in the message that
triggers a reply.

How can I represent temporary queues in ACL?
Is it OK to use temporary queues as reply queues that exist as long as
the owning application is running?
Can you somehow limit access permissions so that temporary queue can
only be accessed by the application that is replying to a received
message?

Thanks,
Domen
