# # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # ### EXAMPLE ACL V2 FILE ### DEFINE GROUPS ### #Define a 'messaging-users' group with users 'client' and 'server' in it GROUP messaging-users client server ### MANAGEMENT #### # Allow everyone to perform read operations on the ServerInformation mbean # This is used for items such as querying the management API and broker release versions. ACL ALLOW-LOG ALL ACCESS METHOD component="ServerInformation" # Allow 'admin' all management operations ACL ALLOW-LOG admin ALL METHOD # Deny access to Shutdown, UserManagement, ConfigurationManagement and LoggingManagement for all other users # You could grant specific users access to these beans by adding ALLOW-LOG rules above for them ACL DENY-LOG ALL ACCESS METHOD component="Shutdown" ACL DENY-LOG ALL ACCESS METHOD component="UserManagement" ACL DENY-LOG ALL ACCESS METHOD component="ConfigurationManagement" ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement" # Allow 'guest' to view logger levels, and use getter methods on LoggingManagement # These are examples of redundant rules! The DENY-LOG rule above will be invoked # first and will deny the access to all methods of LoggingManagement for guest ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels" ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="get*" # Allow everyone to perform all read operations on the mbeans not listened in the DENY-LOG rules above ACL ALLOW-LOG ALL ACCESS METHOD ### MESSAGING ### #Example permissions for request-response based messaging. #Allow 'messaging-users' group to connect to the virtualhost ACL ALLOW-LOG messaging-users ACCESS VIRTUALHOST # Client side # Allow the 'client' user to publish requests to the request queue and create, consume from, and delete temporary reply queues. ACL ALLOW-LOG client CREATE QUEUE temporary="true" ACL ALLOW-LOG client CONSUME QUEUE temporary="true" ACL ALLOW-LOG client DELETE QUEUE temporary="true" ACL ALLOW-LOG client BIND EXCHANGE name="amq.direct" temporary="true" ACL ALLOW-LOG client UNBIND EXCHANGE name="amq.direct" temporary="true" ACL ALLOW-LOG client PUBLISH EXCHANGE name="amq.direct" routingKey="example.RequestQueue" # Server side # Allow the 'server' user to create and consume from the request queue and publish a response to the temporary response queue created by # client. ACL ALLOW-LOG server CREATE QUEUE name="example.RequestQueue" ACL ALLOW-LOG server CONSUME QUEUE name="example.RequestQueue" ACL ALLOW-LOG server BIND EXCHANGE ACL ALLOW-LOG server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*" ### DEFAULT ### #Deny all users from performing all operations ACL DENY-LOG all all