Posted to dev@qpid.apache.org by Keith W <ke...@gmail.com> on 2011/11/24 12:38:08 UTC

ACLV2 : permissioning the default exchange

Hi all

Some work here on QPID-3641 has provoked a discussion about the
correct way to write ACLV2 rules to permission the default exchange.
The ACLV2 documentation seems to say nothing on the subject.

As the default exchange is internal to the Broker, effectively acting
as a global registry for all queues with binds/unbinds managed within
the broker, the user has no reason to write BIND, UNBIND, CREATE or
DELETE rules for the internal exchange.
However, the user may wish to write PUBLISH rules for the default
exchange. How are these expressed?

Suppose I wanted to stop guest publishing to the default exchange.

The following won't work as it violates the BNF for ACLv (and is
correctly rejected by both Brokers):

ACL DENY guest PUBLISH EXCHANGE name=

The best I can think of, within the restrictions of the ACLV2 format, is to
enumerate all named exchanges allowing, then add a deny all, but this
seems very long-winded.

ACL ALLOW guest PUBLISH EXCHANGE name=amq.direct
ACL ALLOW guest PUBLISH EXCHANGE name=amq.topic
....
ACL DENY guest PUBLISH EXCHANGE

How is the CPP Broker handling this?  I took a look through the CPP
tests and couldn't find anything illustrating how this would be done.

Thanks in advance, Keith.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
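To make the enumerate-then-deny pattern from the mail above concrete, here is a small rule evaluator written for this page (it is an added illustration, not code from either Qpid broker). It parses lines in the ACL v2 syntax quoted in the thread and applies assumed semantics: the first matching rule wins, a rule with no name= property matches any exchange including the unnamed default exchange, a bare `name=` is rejected as a syntax error, a quoted `''` value is kept as a literal two-character string, and no match means deny. All of those semantics are assumptions for the example; the rule set, user and exchange names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical evaluator for rules in the ACL v2 syntax quoted in this thread.
# The matching semantics used here (first matching rule wins; a rule with no
# name= property matches any exchange, including the unnamed default exchange;
# no match means deny) are assumptions made for the example, not a description
# of either broker's real ACL engine.

RULE_RE = re.compile(
    r"^ACL\s+(ALLOW|DENY)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+name=(\S+))?\s*$"
)


class AclSyntaxError(ValueError):
    """Raised for lines that do not fit the rule grammar, e.g. a bare 'name='."""


@dataclass(frozen=True)
class Rule:
    permission: str          # ALLOW or DENY
    user: str
    action: str              # e.g. PUBLISH
    obj: str                 # e.g. EXCHANGE
    name: Optional[str]      # None when the rule carries no name= property


def parse_rule(line: str) -> Rule:
    """Parse one 'ACL ...' line.

    A bare 'name=' with nothing after it does not fit the grammar and is
    rejected, mirroring what the thread reports for both brokers; a value
    written as '' or "" is kept as the literal quote characters.
    """
    m = RULE_RE.match(line.strip())
    if m is None:
        raise AclSyntaxError(f"cannot parse rule: {line!r}")
    perm, user, action, obj, name = m.groups()
    return Rule(perm, user, action, obj, name)


def parse_rules(text: str) -> List[Rule]:
    """Parse a whole rule file, skipping blank lines; order is preserved."""
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def is_allowed(rules: List[Rule], user: str, action: str, obj: str, name: str) -> bool:
    """First matching rule decides. The unnamed default exchange is name ''."""
    for r in rules:
        if (r.user, r.action, r.obj) != (user, action, obj):
            continue
        if r.name is not None and r.name != name:
            continue
        return r.permission == "ALLOW"
    return False   # assumption for this example: no matching rule means deny


# Constructed rule set: the enumerate-then-deny pattern from the mail, with
# only two named exchanges listed to keep the example short.
EXAMPLE_RULES = parse_rules("""
ACL ALLOW guest PUBLISH EXCHANGE name=amq.direct
ACL ALLOW guest PUBLISH EXCHANGE name=amq.topic
ACL DENY guest PUBLISH EXCHANGE
""")


def rejects_empty_name() -> bool:
    """True if the bare 'name=' form from the thread fails to parse."""
    try:
        parse_rule("ACL DENY guest PUBLISH EXCHANGE name=")
    except AclSyntaxError:
        return True
    return False


if __name__ == "__main__":
    for exch in ("amq.direct", "amq.topic", "amq.fanout", ""):
        ok = is_allowed(EXAMPLE_RULES, "guest", "PUBLISH", "EXCHANGE", exch)
        print(f"guest PUBLISH EXCHANGE {exch or '<default>'}: {'ALLOW' if ok else 'DENY'}")
    print("bare 'name=' rejected:", rejects_empty_name())
```

Running it shows why the pattern is long-winded: the trailing deny catches the default exchange as intended, but it also denies every named exchange that was not enumerated above it (amq.fanout here), so the allow list has to be kept complete as exchanges are added.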


Re: ACLV2 : permissioning the default exchange

Posted by Gordon Sim <gs...@redhat.com>.
On 11/24/2011 11:38 AM, Keith W wrote:
> Some work here on QPID-3641 has provoked a discussion about the
> correct way to write ACLV2 rules to permission the default exchange.
> The ACLV2 documentation seems to say nothing on the subject.
>
> As the default exchange is internal to the Broker, effectively acting
> as a global registry for all queues with binds/unbinds managed within
> the broker, the user has no reason to write BIND, UNBIND, CREATE or
> DELETE rules for the internal exchange.
> However, the user may wish to write PUBLISH rules for default
> exchange.   How are these expressed?
>
> Suppose I wanted to stop guest publishing to the default exchange.
>
> The following won't work as it violates the BNF for ACLv (and is
> correctly rejected by both Brokers):
>
> ACL DENY guest PUBLISH EXCHANGE name=
>
> The best I can think of, within the restrictions of the ACLV2 format, is to
> enumerate all named exchanges allowing, then add a deny all, but this
> seems very long-winded.
>
> ACL ALLOW guest PUBLISH EXCHANGE name=amq.direct
> ACL ALLOW guest PUBLISH EXCHANGE name=amq.topic
> ....
> ACL DENY guest PUBLISH EXCHANGE
>
> How is the CPP Broker handling this?  I took a look through the CPP
> tests and couldn't find anything illustrating how this would be done.

It appears it cannot handle it. If you try to specify '' or "" then that 
is taken as a literal rather than an empty string.
