Apache Qpid : andrew acl proposal
This page last changed on May 24, 2010 by ritchiem.
ACL Implementation

See also Method Considered Harmful and Method Considered Harmful Redux for discussion on the METHOD object type and its implications.

Use Cases
Plugin interaction

The plugins can return four different values: ALLOWED, DENIED, ABSTAIN and DEFER. Since we can have two plugins of the same type looking at a particular access request, one for the virtual host and the other for global, the results interact as follows:
The host and global entries in the Result column indicate that the default answer for that plugin should be returned.

ACL File

The access control file consists of a series of rules, describing the permissions granted to users or groups for operations on object types, with specific properties. These are all restricted to certain values, as illustrated by the following lists of tokens:

Permission: ALLOW, ALLOW_LOG, DENY, DENY_LOG
Operation: ALL, CONSUME, PUBLISH, CREATE, ACCESS, CONNECT, BIND, UNBIND, DELETE, PURGE, UPDATE, (ADMIN ?)
ObjectType: ALL, VIRTUALHOST, QUEUE, TOPIC, EXCHANGE, BROKER, LINK, ROUTE, METHOD, (USER, LOG, CONFIG ?)
ObjectProperty: ROUTING_KEY, NAME, QUEUE_NAME, OWNER, TYPE, ALTERNATE, INTERNAL, NO_WAIT, NO_LOCAL, NO_ACK, PASSIVE, DURABLE, EXCLUSIVE, TEMPORARY, AUTO_DELETE

The ObjectProperties are keys that are listed as key = value pairs after an Operation/ObjectType combination. They must be in this format; a lone string is not accepted here. This is to make the ACL entries less ambiguous.

Allowed Combinations

The object types and operations are related, with only certain combinations allowed. The table below lists allowed combinations with y. The rows contain ObjectTypes and the columns Operations.
See Method Considered Harmful Redux for more information on how METHOD and OBJECT are intended to work.

ACL Configuration

These are true/false properties that can be specified to configure the ACL mechanism further, and would be added to the start of an ACL file.
Syntax
The declarations are as follows, using some kind of grammar, with + and * having the usual regular expression meanings; parentheses denote grouping and brackets denote optional elements.

CONFIG ( <config-property> '=' <TRUE | FALSE> ) +
GROUP <group-name> ( <username | group-name> ) +
[ <number> ] ACL <permission> <username | group-name | ALL> <operation> [ <object-type> ( <property-name> '=' <property-value> ) * ]

This allows a rather looser and more readable style for ACL files, while still retaining the ability to read the stricter files accepted by the C++ broker. Bear in mind that the group declarations are to be deprecated, in favour of an external directory service, using a plugin mechanism. The initial <number> is used to allow rulesets to be created in which individual rules can be enabled and disabled using an admin interface; an ACL file using numbered lines would be restricted to having increasing numbers per rule, although gaps would be allowed so that rules can be inserted later, again using an admin interface. This administrative interface would also allow saving of a modified ruleset and re-loading.
Examples

Allow "adk@iterator.co.uk" Create Queue \
    Owner="adk@iterator.co.uk" Routingkey = "chocolate biscuits" \
    QueueName="kitten.*"

# allow adk to create queues
Allow "adk@iterator.co.uk" Create Queue \
    Owner = "adk@iterator.co.uk" \
    Routingkey = "chocolate biscuits" \
    QueueName=kitten

# allow adk access to this virtual host
110 ALLOW "adk@iterator" ACCESS VIRTUALHOST

# allow creating temporary queues and queues with names matching adk.*
210 ALLOW-LOG \
    "adk@iterator" BIND EXCHANGE \
    routingKey="adk.*" \
    name="amq.direct"

# allow adk.* queue bind to amq.direct
220 \
    ALLOW-LOG "adk@iterator" BIND EXCHANGE \
    routingKey="tmp.*" name="amq.direct"
230 ALLOW "adk@iterator" CREATE QUEUE name="adk.*" owner="adk@iterator"
240 ALLOW "adk@iterator" CREATE QUEUE temporary="true" owner="adk@iterator"

# allow publish and consume of messages on the queues
310 ALLOW "adk@iterator" CONSUME QUEUE name="adk.*"
315 ALLOW "adk@iterator" PUBLISH QUEUE routingkey="adk.export#extra"

# foo
320 ALLOW "adk@iterator" PUBLISH QUEUE name="adk.*"

# default deny
910 DENY ANY ALL ALL
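An added example, not part of this proposal or of the Qpid code base, of a small parser and evaluator for the grammar in the Syntax section, fed with a constructed file built from the numbered rules above plus a GROUP line. It assumes first-match evaluation in file order and glob matching of property values (the page specifies neither), treats ANY like ALL as a subject because the last example uses it, and accepts the ACL keyword as optional since the examples omit it.

```python
import fnmatch, re, shlex

def _norm(tok):
    """Fold the spellings the page mixes (ALLOW_LOG/ALLOW-LOG, QueueName/QUEUE_NAME)."""
    return tok.upper().replace('_', '').replace('-', '')

def parse_acl(text):
    """Parse GROUP and ACL lines; a trailing '\\' continues a line, '#' starts a comment."""
    groups, rules, last = {}, [], 0
    for line in text.replace('\\\n', ' ').splitlines():
        line = re.sub(r'\s*=\s*', '=', line)        # 'Owner = "x"' -> 'Owner="x"'
        tokens = shlex.split(line, comments=True)  # a '#' inside quotes is not a comment
        if not tokens:
            continue
        if tokens[0].isdigit():                    # numbered rules must keep increasing
            if int(tokens[0]) <= last:
                raise ValueError('rule numbers must increase: ' + tokens[0])
            last, tokens = int(tokens[0]), tokens[1:]
        if _norm(tokens[0]) == 'GROUP':
            groups[tokens[1]] = tokens[2:]
            continue
        if _norm(tokens[0]) == 'ACL':              # the page's examples omit the ACL keyword
            tokens = tokens[1:]
        obj = _norm(tokens[3]) if len(tokens) > 3 else 'ALL'
        props = {_norm(k): v for k, v in (t.split('=', 1) for t in tokens[4:])}  # lone string -> ValueError
        rules.append((_norm(tokens[0]), tokens[1], _norm(tokens[2]), obj, props))
    return groups, rules

def check(rules, groups, user, op, obj, request):
    """First matching rule wins and property values are globs (both assumed); no match -> None."""
    req = {_norm(k): v for k, v in request.items()}
    for perm, who, rop, robj, rprops in rules:
        if who != user and _norm(who) not in ('ANY', 'ALL') and user not in groups.get(who, ()):
            continue
        if rop not in (_norm(op), 'ALL') or robj not in (_norm(obj), 'ALL'):
            continue
        if all(k in req and fnmatch.fnmatchcase(req[k], v) for k, v in rprops.items()):
            return 'DENY' if perm.startswith('DENY') else 'ALLOW'
    return None

# Constructed sample: the page's numbered rules 110, 210, 315 and 910 plus a GROUP line.
SAMPLE = '''
GROUP exporters "adk@iterator"
110 ALLOW "adk@iterator" ACCESS VIRTUALHOST
210 ALLOW-LOG "adk@iterator" BIND EXCHANGE \\
    routingKey="adk.*" name="amq.direct"
315 ALLOW exporters PUBLISH QUEUE routingkey="adk.export#extra"
910 DENY ANY ALL ALL
'''
GROUPS, RULES = parse_acl(SAMPLE)
```

A request that names no matching rule before 910 falls through to the default deny, and a rule property absent from the request (for example a BIND without a routing key) never matches.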
Document generated by Confluence on May 26, 2010 10:33