qpid-users mailing list archives

From Jakub Scholz <ja...@scholz.cz>
Subject Re: ACL rules for Qpid C++ Broker
Date Fri, 10 Nov 2017 15:59:03 GMT
Hi Andreas,

The problem is that in qpidd you never publish directly to queue or read
directly from an exchange. You always publish to exchange and read from a
queue. In reality what you see as publishing directly to a queue is
sending the message to an exchange named "" (as in empty string) with a
routing key which should be the name of your queue. The same when you try
to read directly from an exchange the client actually creates a queue and a
binding to the exchange for you. That is why the ACL rules such as "publish
queue" or "consume exchange" do not exist.

In your case ... if your group wants to publish to queue name QU1, you
should add a rule which looks something like this:
acl allow group1 publish exchange name=amq.default routingkey=QU1
where the exchange name "amq.default" will be substituted for the exchange
without name (as per https://issues.apache.org/jira/browse/QPID-4727)

To read directly from an exchange you need several ACL rights:
- to create a queue
acl allow group1 create queue name=*
- to delete a queue when you are closing the connection
acl allow group1 delete queue name=*
- to consume from the queue
acl allow group1 consume queue name=*
- to bind the exchange
acl allow group1 bind exchange name=EX1

Depending on your client you might be able to specify the queue name in
more detail. For example the qpid-receive client (using the old Qpid C++
API) would create the queue named similar to
"EX1_8f4ea08f-d211-41c0-97cf-652cd5ef9a11". But different clients might do
it differently.

Hope this helps.

Jakub


On Fri, Nov 10, 2017 at 3:46 PM, andi welchlin <andi.welchlin@gmail.com>
wrote:

> Hello everyone,
>
> I looked into ACL documentation of Qpid C++ broker (1.36.0) and tested it a
> bit.
>
>
> I would like to allow for one usergroup to write to a queue with a specific
> name, but deny it for all other users.
>
> But I saw that I cannot do the following:
>
> acl allow group1 publish queue name=QU1
>
>
> I understood that the publish keyword can only be used for exchanges.
>
>
> I also would like to restrict reading from an exchange with a specific name
> and allow it only for one usergroup.
>
> But the following seems also not to be allowed:
>
> acl allow group1 consume exchange name=EX1
>
>
> "consume" is only allowed for queues.
>
>
> How can I reach these two requirements?
>
>
> Kind Regards,
> Andreas
>
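
The rule set from the reply above, run through a small evaluator so the effect of each line can be checked before it goes into a broker. This is an added example, not Qpid code and not something from either poster: it models the qpidd ACL file in a simplified way (rules checked top to bottom, first match wins, properties missing from a rule act as wildcards, an action that matches no rule is denied) and treats the rule name "amq.default" as an alias for the nameless default exchange, as QPID-4727 describes. The group members alice, bob and carol are constructed for the example.

```python
"""Toy evaluator for qpidd-style ACL rules (added example, not Qpid code)."""
from fnmatch import fnmatchcase

# Constructed ACL text: the rules suggested in the reply, one group
# definition and a closing deny-all so that unmatched actions are refused.
ACL_TEXT = """
group group1 alice bob
acl allow group1 publish exchange name=amq.default routingkey=QU1
acl allow group1 create queue name=*
acl allow group1 delete queue name=*
acl allow group1 consume queue name=*
acl allow group1 bind exchange name=EX1
acl deny all all
"""

# A rule cannot spell the empty exchange name, so "amq.default" stands in
# for it (see QPID-4727 in the reply); clients see that exchange as "".
DEFAULT_EXCHANGE_ALIAS = "amq.default"


def parse_acl(text):
    """Return (groups, rules); rules keep file order because order decides."""
    groups, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "group":
            groups[parts[1]] = set(parts[2:])
        elif parts[0] == "acl":
            perm, who, action = parts[1:4]
            obj = parts[4] if len(parts) > 4 else "all"
            props = dict(p.split("=", 1) for p in parts[5:])
            rules.append((perm, who, action, obj, props))
    return groups, rules


def _prop_matches(pattern, value):
    """Property match: '*' is a wildcard, the alias maps to the "" exchange."""
    if pattern == "*":
        return True
    if pattern == DEFAULT_EXCHANGE_ALIAS and value == "":
        return True
    return fnmatchcase(value, pattern)


def check(acl, user, action, obj, **props):
    """First matching rule decides; no match means deny (assumed default)."""
    groups, rules = acl
    for perm, who, rule_action, rule_obj, rule_props in rules:
        if who not in ("all", user) and user not in groups.get(who, ()):
            continue
        if rule_action not in ("all", action):
            continue
        if rule_obj not in ("all", obj):
            continue
        # Properties absent from the rule are wildcards; present ones must match.
        if not all(_prop_matches(v, props.get(k, "")) for k, v in rule_props.items()):
            continue
        return perm == "allow"
    return False


def missing_rights_to_read_exchange(acl, user, exchange, queue):
    """The four rights the reply lists for 'reading from an exchange'."""
    steps = [
        ("create", "queue", {"name": queue}),
        ("bind", "exchange", {"name": exchange, "queuename": queue}),
        ("consume", "queue", {"name": queue}),
        ("delete", "queue", {"name": queue}),
    ]
    return [f"{a} {o}" for a, o, p in steps if not check(acl, user, a, o, **p)]


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # "Publishing to queue QU1" is really a publish to exchange "" with key QU1.
    print(check(ACL, "alice", "publish", "exchange", name="", routingkey="QU1"))
    print(check(ACL, "carol", "publish", "exchange", name="", routingkey="QU1"))
    print(missing_rights_to_read_exchange(ACL, "bob", "EX2", "tmp"))
```

The evaluator makes the two points of the reply visible: a `publish queue` request never matches anything because the broker sees a publish to the default exchange, and reading from an exchange only works when all four rights (create, bind, consume, delete) are granted, so a missing `bind exchange name=EX2` rule is reported as the gap. Because rules are matched in file order, the closing `acl deny all all` line also shows why broad allow rules placed earlier would shadow a later deny.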
