2.3. Configuring Group Providers

The Java broker utilises GroupProviders to assign users to groups for use in ACLs. Following authentication by a given Authentication Provider, the configured Group Providers are consulted to assign GroupPrincipals to the authenticated user.

2.3.1. FileGroupManager

The FileGroupManager allows specifying group membership in a flat file on disk, and is also exposed for inspection and update through the broker's HTTP management interface.

To enable the FileGroupManager, add the following configuration to the config.xml, adjusting the groupFile attribute value to match your desired groups file location.

    ...
    <security>
        <file-group-manager>
            <attributes>
              <attribute>
                <name>groupFile</name>
                <value>${conf}/groups</value>
              </attribute>
            </attributes>
        </file-group-manager>
    </security>
    ...

2.3.1.1. File Format

The groups file has the following format:

    # <GroupName>.users = <comma delimited user list>
    # For example:

    administrators.users = admin,manager

Currently only users can be added to a group; a group cannot contain other groups. Usernames cannot contain commas.

Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface.
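Because group membership feeds ACL decisions, it is worth checking a groups file against the rules above before the broker loads it. The following Python script is an added example, not part of the broker or its documentation: the function names, the sample file contents, the whitespace trimming and the choice to keep the last of two duplicate definitions are all assumptions of this sketch.

```python
import re

# Constructed sample groups file (not from the page) with deliberate problems.
SAMPLE = """\
# Managed by ops
administrators.users = admin,manager
operators.users = alice,,bob
auditors.users = carol,administrators
operators.users = dave
guests = eve
"""

LINE_RE = re.compile(r"^([^=\s]+)\.users\s*=(.*)$")

def audit_groups(text):
    """Return (groups, findings) for a groups file in the documented format."""
    groups, findings, comments = {}, [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            comments += 1
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, "not of the form <GroupName>.users = <list>"))
            continue
        name, members = m.group(1), [u.strip() for u in m.group(2).split(",")]
        if "" in members:
            findings.append((lineno, f"empty username in group '{name}'"))
        if name in groups:
            findings.append((lineno, f"group '{name}' defined more than once"))
        groups[name] = [u for u in members if u]  # assumption: last definition kept
    # Groups cannot contain groups: a member equal to a group name is only a username.
    for name, members in groups.items():
        for u in members:
            if u in groups:
                findings.append((0, f"'{u}' in '{name}' is a group name; nesting is unsupported"))
    if comments:
        findings.append((0, f"{comments} comment line(s) are lost if the broker rewrites the file"))
    return groups, findings

def groups_for(user, groups):
    """Groups the file alone would give this user."""
    return sorted(g for g, members in groups.items() if user in members)

if __name__ == "__main__":
    groups, findings = audit_groups(SAMPLE)
    print(*findings, groups_for("admin", groups), sep="\n")
```

Findings with line number 0 apply to the file as a whole rather than to a single line.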