You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by kp...@apache.org on 2013/02/28 17:14:57 UTC
svn commit: r1451244 [19/45] - in /qpid/branches/asyncstore: ./ bin/ cpp/
cpp/bindings/ cpp/bindings/qmf/ cpp/bindings/qmf/python/
cpp/bindings/qmf/ruby/ cpp/bindings/qmf2/ cpp/bindings/qmf2/examples/cpp/
cpp/bindings/qmf2/python/ cpp/bindings/qmf2/rub...
Modified: qpid/branches/asyncstore/cpp/src/windows/QpiddBroker.cpp
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/cpp/src/windows/QpiddBroker.cpp?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/cpp/src/windows/QpiddBroker.cpp (original)
+++ qpid/branches/asyncstore/cpp/src/windows/QpiddBroker.cpp Thu Feb 28 16:14:30 2013
@@ -27,11 +27,19 @@
#include "qpid/Plugin.h"
#include "qpid/sys/IntegerTypes.h"
#include "qpid/sys/windows/check.h"
+#include "qpid/sys/Thread.h"
#include "qpid/broker/Broker.h"
#include <iostream>
+#include <string>
+#include <vector>
#include <windows.h>
+namespace {
+ // This will accept args from the command line; augmented with service args.
+ std::vector<std::string> cmdline_args;
+}
+
namespace qpid {
namespace broker {
@@ -46,6 +54,10 @@ BootstrapOptions::BootstrapOptions(const
add(log);
}
+void BootstrapOptions::usage() const {
+ std::cout << "Usage: qpidd [OPTIONS]" << std::endl << std::endl << *this << std::endl;
+}
+
// Local functions to set and get the pid via a LockFile.
namespace {
@@ -218,10 +230,10 @@ VOID WINAPI SvcCtrlHandler(DWORD control
::SetServiceStatus(svcStatusHandle, &svcStatus);
CtrlHandler(CTRL_C_EVENT);
break;
-
+
case SERVICE_CONTROL_INTERROGATE:
break;
-
+
default:
break;
}
@@ -229,6 +241,25 @@ VOID WINAPI SvcCtrlHandler(DWORD control
VOID WINAPI ServiceMain(DWORD argc, LPTSTR *argv)
{
+ // The arguments can come from 2 places. Args set with the executable
+ // name when the service is installed come through main() and are now
+ // in cmdline_args. Arguments set in StartService come into argc/argv
+ // above; if they are set, argv[0] is the service name. Make command
+ // line args first; StartService args come later and can override
+ // command line args.
+ int all_argc = argc + cmdline_args.size();
+ if (argc == 0 && !cmdline_args.empty())
+ ++all_argc; // No StartService args, so need to add prog name argv[0]
+ const char **all_argv = new const char *[all_argc];
+ if (all_argc > 0) {
+ int i = 0;
+ all_argv[i++] = argc > 0 ? argv[0] : svcName.c_str();
+ for (size_t j = 0; j < cmdline_args.size(); ++j)
+ all_argv[i++] = cmdline_args[j].c_str();
+ for (DWORD k = 1; k < argc; ++k)
+ all_argv[i++] = argv[k];
+ }
+
::memset(&svcStatus, 0, sizeof(svcStatus));
svcStatusHandle = ::RegisterServiceCtrlHandler(svcName.c_str(),
SvcCtrlHandler);
@@ -238,7 +269,9 @@ VOID WINAPI ServiceMain(DWORD argc, LPTS
svcStatus.dwCurrentState = SERVICE_START_PENDING;
::SetServiceStatus(svcStatusHandle, &svcStatus);
// QpiddBroker class resets state to running.
- svcStatus.dwWin32ExitCode = run_broker(argc, argv, true);
+ svcStatus.dwWin32ExitCode = run_broker(all_argc,
+ const_cast<char**>(all_argv),
+ true);
svcStatus.dwCurrentState = SERVICE_STOPPED;
svcStatus.dwCheckPoint = 0;
svcStatus.dwWaitHint = 0;
@@ -278,7 +311,7 @@ struct ServiceOptions : public qpid::Opt
std::string password;
std::string depends;
- ServiceOptions()
+ ServiceOptions()
: qpid::Options("Service options"),
install(false),
start(false),
@@ -395,7 +428,7 @@ int QpiddBroker::execute (QpiddOptions *
// Relies on port number being set via --port or QPID_PORT env variable.
NamedSharedMemory<BrokerInfo> info(brokerInfoName(options->broker.port));
int pid = info.get().pid;
- if (pid < 0)
+ if (pid < 0)
return 1;
if (myOptions->control.check)
std::cout << pid << std::endl;
@@ -464,6 +497,11 @@ int main(int argc, char* argv[])
{ "", (LPSERVICE_MAIN_FUNCTION)qpid::broker::ServiceMain },
{ NULL, NULL }
};
+ // Copy any command line args to be available in case we're started
+ // as a service. Pick these back up in ServiceMain.
+ for (int i = 1; i < argc; ++i)
+ cmdline_args.push_back(argv[i]);
+
if (!StartServiceCtrlDispatcher(dispatchTable)) {
DWORD err = ::GetLastError();
if (err == ERROR_FAILED_SERVICE_CONTROLLER_CONNECT) // Run as console
Modified: qpid/branches/asyncstore/cpp/src/xml.mk
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/cpp/src/xml.mk?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/cpp/src/xml.mk (original)
+++ qpid/branches/asyncstore/cpp/src/xml.mk Thu Feb 28 16:14:30 2013
@@ -24,6 +24,6 @@ xml_la_SOURCES = \
qpid/xml/XmlExchangePlugin.cpp
xml_la_LIBADD = -lxerces-c -lxqilla libqpidbroker.la
-
+xml_la_CXXFLAGS = $(AM_CXXFLAGS) -D_IN_QPID_BROKER
xml_la_LDFLAGS = $(PLUGINLDFLAGS)
Modified: qpid/branches/asyncstore/doc/book/src/Makefile.inc
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/doc/book/src/Makefile.inc?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/doc/book/src/Makefile.inc (original)
+++ qpid/branches/asyncstore/doc/book/src/Makefile.inc Thu Feb 28 16:14:30 2013
@@ -17,7 +17,7 @@
# under the License.
#
-BOOK=$(wildcard *Book.xml)
+BOOK=$(wildcard *Book.xml Programming-In-Apache-Qpid.xml)
XML=$(wildcard *.xml) $(wildcard ../common/*.xml)
IMAGES=$(wildcard images/*.png)
CSS=$(wilcard ../common/css/*.css)
Modified: qpid/branches/asyncstore/doc/book/src/cpp-broker/AMQP-Messaging-Broker-CPP-Book.xml
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/doc/book/src/cpp-broker/AMQP-Messaging-Broker-CPP-Book.xml?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/doc/book/src/cpp-broker/AMQP-Messaging-Broker-CPP-Book.xml (original)
+++ qpid/branches/asyncstore/doc/book/src/cpp-broker/AMQP-Messaging-Broker-CPP-Book.xml Thu Feb 28 16:14:30 2013
@@ -53,7 +53,6 @@
<xi:include href="Security.xml"/>
<xi:include href="LVQ.xml"/>
<xi:include href="queue-state-replication.xml"/>
- <xi:include href="Active-Active-Cluster.xml"/>
<xi:include href="producer-flow-control.xml"/>
<xi:include href="AMQP-Compatibility.xml"/>
<xi:include href="Qpid-Interoperability-Documentation.xml"/>
Modified: qpid/branches/asyncstore/doc/book/src/cpp-broker/Active-Passive-Cluster.xml
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/doc/book/src/cpp-broker/Active-Passive-Cluster.xml?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/doc/book/src/cpp-broker/Active-Passive-Cluster.xml (original)
+++ qpid/branches/asyncstore/doc/book/src/cpp-broker/Active-Passive-Cluster.xml Thu Feb 28 16:14:30 2013
@@ -55,30 +55,45 @@ under the License.
<title>Avoiding message loss</title>
<para>
In order to avoid message loss, the primary broker <emphasis>delays
- acknowledgment</emphasis> of messages received from clients until the
- message has been replicated to and acknowledged by all of the back-up
+ acknowledgment</emphasis> of messages received from clients until the message has
+ been replicated to and acknowledged by all of the back-up brokers. This means that
+ all <emphasis>acknowledged</emphasis> messages are safely stored on all the backup
brokers.
</para>
<para>
- Clients buffer unacknowledged messages and re-send them in the event of
- a fail-over.
+ Clients keep <emphasis>unacknowledged</emphasis> messages in a buffer
+ <footnote>
+ <para>
+ You can control the maximum number of messages in the buffer by setting the
+ client's <literal>capacity</literal>. For details of how to set the capacity
+ in client code see "Using the Qpid Messaging API" in
+ <citetitle>Programming in Apache Qpid</citetitle>.
+ </para>
+ </footnote>
+ until they are acknowledged by the primary. If the primary fails, clients will
+ fail-over to the new primary and <emphasis>re-send</emphasis> all their
+ unacknowledged messages.
<footnote>
<para>
Clients must use "at-least-once" reliability to enable re-send of unacknowledged
messages. This is the default behavior, no options need be set to enable it. For
details of client addressing options see "Using the Qpid Messaging API"
- in <citetitle>Programming in Apache Qpid</citetitle>
+ in <citetitle>Programming in Apache Qpid</citetitle>.
</para>
</footnote>
- If the primary crashes before a message is replicated to
- all the backups, the client will re-send the message when it fails over
- to the new primary.
+ </para>
+ <para>
+ So if the primary crashes, all the <emphasis>acknowledged</emphasis>
+ messages will be available on the backup that takes over as the new
+ primary. The <emphasis>unacknowledged</emphasis> messages will be
+ re-sent by the clients. Thus no messages are lost.
</para>
<para>
Note that this means it is possible for messages to be
- <emphasis>duplicated</emphasis>. In the event of a failure it is
- possible for a message to be both received by the backup that becomes
- the new primary <emphasis>and</emphasis> re-sent by the client.
+ <emphasis>duplicated</emphasis>. In the event of a failure it is possible for a
+ message to received by the backup that becomes the new primary
+ <emphasis>and</emphasis> re-sent by the client. The application must take steps
+ to identify and eliminate duplicates.
</para>
<para>
When a new primary is promoted after a fail-over it is initially in
@@ -87,6 +102,11 @@ under the License.
primary. This protects those messages against a failure of the new
primary until the backups have a chance to connect and catch up.
</para>
+ <para>
+ Not all messages need to be replicated to the back-up brokers. If a
+ message is consumed and acknowledged by a regular client before it has
+ been replicated to a backup, then it doesn't need to be replicated.
+ </para>
<variablelist>
<title>Status of a HA broker</title>
<varlistentry>
@@ -134,67 +154,35 @@ under the License.
</variablelist>
</section>
<section>
- <title>Replacing the old cluster module</title>
+ <title>Limitations</title>
<para>
- The High Availability (HA) module replaces the previous
- <firstterm>active-active</firstterm> cluster module. The new active-passive
- approach has several advantages compared to the existing active-active cluster
- module.
- <itemizedlist>
- <listitem>
- It does not depend directly on openais or corosync. It does not use multicast
- which simplifies deployment.
- </listitem>
- <listitem>
- It is more portable: in environments that don't support corosync, it can be
- integrated with a resource manager available in that environment.
- </listitem>
- <listitem>
- Replication to a <firstterm>disaster recovery</firstterm> site can be handled as
- simply another node in the cluster, it does not require a separate replication
- mechanism.
- </listitem>
- <listitem>
- It can take advantage of features provided by the resource manager, for example
- virtual IP addresses.
- </listitem>
- <listitem>
- Improved performance and scalability due to better use of multiple CPUs
- </listitem>
- </itemizedlist>
+ There are a some known limitations in the current implementation. These
+ will be fixed in furture versions.
</para>
- </section>
- <section>
- <title>Limitations</title>
<itemizedlist>
<listitem>
- Transactional changes to queue state are not replicated atomically. If the
- primary crashes during a transaction, it is possible that the backup could
- contain only part of the changes introduced by a transaction.
- </listitem>
- <listitem>
- Not yet integrated with the persistent store. A persistent broker must have its
- store erased before joining an existing cluster. If the entire cluster fails,
- there are no tools to help identify the most recent store. In the future a
- persistent broker will be able to use its stored messages to avoid downloading
- messages from the primary when joining a cluster.
- </listitem>
- <listitem>
- Configuration changes (creating or deleting queues, exchanges and bindings) are
- replicated asynchronously. Management tools used to make changes will consider
- the change complete when it is complete on the primary, it may not yet be
- replicated to all the backups.
+ <para>
+ Transactional changes to queue state are not replicated atomically. If
+ the primary crashes during a transaction, it is possible that the
+ backup could contain only part of the changes introduced by a
+ transaction.
+ </para>
</listitem>
<listitem>
- Deletions made immediately after a failure (before all the backups are ready)
- may be lost on a backup. Queues, exchange or bindings that were deleted on the
- primary could re-appear if that backup is promoted to primary on a subsequent
- failure.
+ <para>
+ Configuration changes (creating or deleting queues, exchanges and
+ bindings) are replicated asynchronously. Management tools used to
+ make changes will consider the change complete when it is complete
+ on the primary, it may not yet be replicated to all the backups.
+ </para>
</listitem>
<listitem>
- Federated links <emphasis>from</emphasis> the primary will be lost in fail over,
- they will not be re-connected to the new primary. Federation links
- <emphasis>to</emphasis> the primary can fail over.
+ <para>
+ Federated links <emphasis>from</emphasis> the primary will be lost
+ in fail over, they will not be re-connected to the new
+ primary. Federation links <emphasis>to</emphasis> the primary will
+ fail over.
+ </para>
</listitem>
</itemizedlist>
</section>
@@ -247,12 +235,20 @@ under the License.
</row>
<row>
<entry>
+ <literal>ha-queue-replication <replaceable>yes|no</replaceable></literal>
+ </entry>
+ <entry>
+ Enable replication of specific queues without joining a cluster, see <xref linkend="ha-queue-replication"/>.
+ </entry>
+ </row>
+ <row>
+ <entry>
<literal>ha-brokers-url <replaceable>URL</replaceable></literal>
</entry>
<entry>
<para>
The URL
- <footnote>
+ <footnote id="ha-url-grammar">
<para>
The full format of the URL is given by this grammar:
<programlisting>
@@ -264,10 +260,9 @@ ssl_addr = "ssl:" host [":" port]'
</programlisting>
</para>
</footnote>
- used by cluster brokers to connect to each other. The URL can
- contain a list of all the broker addresses or it can contain a single
- virtual IP address. If a list is used it is comma separated, for example
- <literal>amqp:node1.exaple.com,node2.exaple.com,node3.exaple.com</literal>
+ used by cluster brokers to connect to each other. The URL should
+ contain a comma separated list of the broker addresses, rather than a
+ virtual IP address.
</para>
</entry>
</row>
@@ -275,20 +270,23 @@ ssl_addr = "ssl:" host [":" port]'
<entry><literal>ha-public-url <replaceable>URL</replaceable></literal> </entry>
<entry>
<para>
- The URL that is advertised to clients. This defaults to the
- <literal>ha-brokers-url</literal> URL above, and has the same format. A
- virtual IP address is recommended for the public URL as it simplifies
- deployment and hides changes to the cluster membership from clients.
+ The URL <footnoteref linkend="ha-url-grammar"/> is advertised to
+ clients as the "known-hosts" for fail-over. It can be a list or
+ a single virtual IP address. A virtual IP address is recommended.
</para>
<para>
- This option allows you to put client traffic on a different network from
- broker traffic, which is recommended.
+ Using this option you can put client and broker traffic on
+ separate networks, which is recommended.
+ </para>
+ <para>
+ Note: When HA clustering is enabled the broker option
+ <literal>known-hosts-url</literal> is ignored and over-ridden by
+ the <literal>ha-public-url</literal> setting.
</para>
</entry>
</row>
<row>
<entry><literal>ha-replicate </literal><replaceable>VALUE</replaceable></entry>
- <foo/>
<entry>
<para>
Specifies whether queues and exchanges are replicated by default.
@@ -330,6 +328,15 @@ ssl_addr = "ssl:" host [":" port]'
</para>
</entry>
</row>
+ <row>
+ <entry><literal>link-heartbeat-interval <replaceable>SECONDS</replaceable></literal></entry>
+ <entry>
+ <para>
+ Heartbeat interval for replication links. The link will be assumed broken
+ if there is no heartbeat for twice the interval.
+ </para>
+ </entry>
+ </row>
</tbody>
</tgroup>
</table>
@@ -382,7 +389,7 @@ ssl_addr = "ssl:" host [":" port]'
clustered services using <command>cman</command> and
<command>rgmanager</command>. It will show you how to configure an active-passive,
hot-standby <command>qpidd</command> HA cluster with <command>rgmanager</command>.
- </para>
+ </para>
<para>
You must provide a <literal>cluster.conf</literal> file to configure
<command>cman</command> and <command>rgmanager</command>. Here is
@@ -532,22 +539,28 @@ NOTE: fencing is not shown, you must con
</section>
<section id="ha-creating-replicated">
- <title>Creating replicated queues and exchanges</title>
+ <title>Controlling replication of queues and exchanges</title>
<para>
By default, queues and exchanges are not replicated automatically. You can change
the default behavior by setting the <literal>ha-replicate</literal> configuration
option. It has one of the following values:
<itemizedlist>
<listitem>
- <firstterm>all</firstterm>: Replicate everything automatically: queues,
- exchanges, bindings and messages.
+ <para>
+ <firstterm>all</firstterm>: Replicate everything automatically: queues,
+ exchanges, bindings and messages.
+ </para>
</listitem>
<listitem>
- <firstterm>configuration</firstterm>: Replicate the existence of queues,
- exchange and bindings but don't replicate messages.
+ <para>
+ <firstterm>configuration</firstterm>: Replicate the existence of queues,
+ exchange and bindings but don't replicate messages.
+ </para>
</listitem>
<listitem>
- <firstterm>none</firstterm>: Don't replicate anything, this is the default.
+ <para>
+ <firstterm>none</firstterm>: Don't replicate anything, this is the default.
+ </para>
</listitem>
</itemizedlist>
</para>
@@ -575,6 +588,18 @@ NOTE: fencing is not shown, you must con
<programlisting>
"myqueue;{create:always,node:{x-declare:{arguments:{'qpid.replicate':all}}}}"
</programlisting>
+ <para>
+ There are some built-in exchanges created automatically by the broker, these
+ exchangs are never replicated. The built-in exchanges are the default (nameless)
+ exchange, the AMQP standard exchanges (<literal>amq.direct, amq.topic, amq.fanout</literal> and
+ <literal>amq.match</literal>) and the management exchanges (<literal>qpid.management, qmf.default.direct</literal> and
+ <literal>qmf.default.topic</literal>)
+ </para>
+ <para>
+ Note that if you bind a replicated queue to one of these exchanges, the
+ binding wil <emphasis>not</emphasis> be replicated, so the queue will not
+ have the binding after a fail-over.
+ </para>
</section>
<section>
@@ -588,12 +613,17 @@ NOTE: fencing is not shown, you must con
each type of client). There are two possibilities
<itemizedlist>
<listitem>
- The URL contains multiple addresses, one for each broker in the cluster.
+ <para>
+ The URL contains multiple addresses, one for each broker in the cluster.
+ </para>
</listitem>
<listitem>
- The URL contains a single <firstterm>virtual IP address</firstterm>
- that is assigned to the primary broker by the resource manager.
- <footnote><para>Only if the resource manager supports virtual IP addresses</para></footnote>
+ <para>
+ The URL contains a single <firstterm>virtual IP address</firstterm>
+ that is assigned to the primary broker by the resource manager.
+ <footnote><para>Only if the resource manager supports virtual IP
+ addresses</para></footnote>
+ </para>
</listitem>
</itemizedlist>
In the first case, clients will repeatedly re-try each address in the URL
@@ -790,10 +820,10 @@ NOTE: fencing is not shown, you must con
<para>
To integrate with a different resource manager you must configure it to:
<itemizedlist>
- <listitem>Start a qpidd process on each node of the cluster.</listitem>
- <listitem>Restart qpidd if it crashes.</listitem>
- <listitem>Promote exactly one of the brokers to primary.</listitem>
- <listitem>Detect a failure and promote a new primary.</listitem>
+ <listitem><para>Start a qpidd process on each node of the cluster.</para></listitem>
+ <listitem><para>Restart qpidd if it crashes.</para></listitem>
+ <listitem><para>Promote exactly one of the brokers to primary.</para></listitem>
+ <listitem><para>Detect a failure and promote a new primary.</para></listitem>
</itemizedlist>
</para>
<para>
@@ -821,6 +851,30 @@ NOTE: fencing is not shown, you must con
or to simulate a cluster on a single node. For deployment, a resource manager is required.
</para>
</section>
+ <section id="ha-queue-replication">
+ <title>Replicating specific queues</title>
+ <para>
+ In addition to the automatic replication performed in a cluster, you can
+ set up replication for specific queues between arbitrary brokers, even if
+ the brokers are not members of a cluster. The command:
+ </para>
+ <programlisting>
+ qpid-ha replicate <replaceable>QUEUE</replaceable> <replaceable>REMOTE-BROKER</replaceable>
+ </programlisting>
+ <para>
+ sets up replication of <replaceable>QUEUE</replaceable> on <replaceable>REMOTE-BROKER</replaceable> to <replaceable>QUEUE</replaceable> on the current broker.
+ </para>
+ <para>
+ Set the configuration option
+ <literal>ha-queue-replication=yes</literal> on both brokers to enable this
+ feature on non-cluster brokers. It is automatically enabled for brokers
+ that are part of a cluster.
+ </para>
+ <para>
+ Note that this feature does not provide automatic fail-over, for that you
+ need to run a cluster.
+ </para>
+ </section>
</section>
<!-- LocalWords: scalability rgmanager multicast RGManager mailto LVQ qpidd IP dequeued Transactional username
Modified: qpid/branches/asyncstore/doc/book/src/cpp-broker/Security.xml
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/doc/book/src/cpp-broker/Security.xml?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/doc/book/src/cpp-broker/Security.xml (original)
+++ qpid/branches/asyncstore/doc/book/src/cpp-broker/Security.xml Thu Feb 28 16:14:30 2013
@@ -315,67 +315,102 @@ com.sun.security.jgss.initiate {
<!-- ################################################### --> <section id="sect-Messaging_User_Guide-Security-Authorization">
<title>Authorization</title>
<para>
- In Qpid, Authorization specifies which actions can be performed by each authenticated user using an Access Control List (ACL). Use the <command>--acl-file</command> command to load the access control list. The filename should have a <filename>.acl</filename> extension:
+ In Qpid, Authorization specifies which actions can be performed by each authenticated user using an Access Control List (ACL).
+ </para>
+ <para>
+ Use the <command>--acl-file</command> command to load the access control list. The filename should have a <filename>.acl</filename> extension:
</para>
<screen>
-$ qpidd --acl-file <replaceable>./aclfilename.acl</replaceable></screen>
+ $ qpidd --acl-file <replaceable>./aclfilename.acl</replaceable></screen>
<para>
Each line in an ACL file grants or denies specific rights to a user. If the last line in an ACL file is <literal>acl deny all all</literal>, the ACL uses <firstterm>deny mode</firstterm>, and only those rights that are explicitly allowed are granted:
</para>
<programlisting>
-acl allow rajith@QPID all all
-acl deny all all
+ acl allow rajith@QPID all all
+ acl deny all all
</programlisting>
<para>
On this server, <literal>rajith@QPID</literal> can perform any action, but nobody else can. Deny mode is the default, so the previous example is equivalent to the following ACL file:
</para>
<programlisting>
-acl allow rajith@QPID all all
+ acl allow rajith@QPID all all
+</programlisting>
+ <para>
+ Alternatively the ACL file may use <firstterm>allow mode</firstterm> by placing:
+ </para>
+<programlisting>
+ acl allow all all
</programlisting>
<para>
+ as the final line in the ACL file. In <emphasis>allow mode</emphasis> all actions by all users are allowed unless otherwise denied by specific ACL rules.
+ The ACL rule which selects <emphasis>deny mode</emphasis> or <emphasis>allow mode</emphasis> must be the last line in the ACL rule file.
+ </para>
+ <para>
ACL syntax allows fine-grained access rights for specific actions:
</para>
<programlisting>
-acl allow carlt@QPID create exchange name=carl.*
-acl allow fred@QPID create all
-acl allow all consume queue
-acl allow all bind exchange
-acl deny all all
+ acl allow carlt@QPID create exchange name=carl.*
+ acl allow fred@QPID create all
+ acl allow all consume queue
+ acl allow all bind exchange
+ acl deny all all
</programlisting>
<para>
An ACL file can define user groups, and assign permissions to them:
</para>
<programlisting>
-group admin ted@QPID martin@QPID
-acl allow admin create all
-acl deny all all
+ group admin ted@QPID martin@QPID
+ acl allow admin create all
+ acl deny all all
</programlisting>
+
+ <para>
+ Performance Note: Most ACL queries are performed infrequently. The overhead associated with
+ ACL passing an allow or deny decision on the creation of a queue is negligible
+ compared to actually creating and using the queue. One notable exception is the <command>publish exchange</command>
+ query. ACL files with no <emphasis>publish exchange</emphasis> rules are noted and the broker short circuits the logic
+ associated with the per-messsage <emphasis>publish exchange</emphasis> ACL query.
+ However, if an ACL file has any <emphasis>publish exchange</emphasis> rules
+ then the broker is required to perform a <emphasis>publish exchange</emphasis> query for each message published.
+ Users with performance critical applications are encouraged to structure exchanges, queues, and bindings so that
+ the <emphasis>publish exchange</emphasis> ACL rules are unnecessary.
+ </para>
+
<!-- ######## --> <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntax">
<title>ACL Syntax</title>
<para>
ACL rules must be on a single line and follow this syntax:
<programlisting><![CDATA[
-user = username[/domain[@realm]]
-user-list = user1 user2 user3 ...
-group-name-list = group1 group2 group3 ...
-
-group <group-name> = [user-list] [group-name-list]
-
-permission = [allow|allow-log|deny|deny-log]
-action = [consume|publish|create|access|bind|unbind|delete|purge|update]
-object = [virtualhost|queue|exchange|broker|link|route|method]
-property = [name|durable|owner|routingkey|autodelete|exclusive|
- type|alternate|queuename|schemapackage|schemaclass|
- queuemaxsizelowerlimit|queuemaxsizeupperlimit|
- queuemaxcountlowerlimit|queuemaxcountupperlimit]
-
-acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"
- [property=<property-value> ...]]
+ user = username[/domain[@realm]]
+ user-list = user1 user2 user3 ...
+ group-name-list = group1 group2 group3 ...
+
+ group <group-name> = [user-list] [group-name-list]
+
+ permission = [allow | allow-log | deny | deny-log]
+ action = [consume | publish | create | access |
+ bind | unbind | delete | purge | update]
+ object = [queue | exchange | broker | link | method]
+ property = [name | durable | owner | routingkey |
+ autodelete | exclusive |type |
+ alternate | queuename |
+ schemapackage | schemaclass |
+ queuemaxsizelowerlimit |
+ queuemaxsizeupperlimit |
+ queuemaxcountlowerlimit |
+ queuemaxcountupperlimit |
+ filemaxsizelowerlimit |
+ filemaxsizeupperlimit |
+ filemaxcountlowerlimit |
+ filemaxcountupperlimit ]
+
+ acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"
+ [property=<property-value> ...]]
]]></programlisting>
ACL rules can also include a single object name (or the keyword <parameter>all</parameter>) and one or more property name value pairs in the form <command>property=value</command>
@@ -463,7 +498,9 @@ acl permission {<group-name>|<user-name>
</entry>
<entry>
<para>
- Applied on a per message basis on publish message transfers, this rule consumes the most resources
+ Applied on a per message basis
+ to verify that the user has rights to publish to the given
+ exchange with the given routingkey.
</para>
</entry>
@@ -647,49 +684,49 @@ acl permission {<group-name>|<user-name>
<entry> <command>name</command> </entry>
<entry>String</entry>
<entry>Object name, such as a queue name or exchange name.</entry>
- <entry>.</entry>
+ <entry></entry>
</row>
<row>
<entry> <command>durable</command> </entry>
<entry>Boolean</entry>
<entry>Indicates the object is durable</entry>
- <entry>CREATE QUEUE, CREATE EXCHANGE</entry>
+ <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE</entry>
</row>
<row>
<entry> <command>routingkey</command> </entry>
<entry>String</entry>
<entry>Specifies routing key</entry>
- <entry>BIND EXCHANGE, UNBIND EXCHANGE, ACCESS EXCHANGE</entry>
+ <entry>BIND EXCHANGE, UNBIND EXCHANGE, ACCESS EXCHANGE, PUBLISH EXCHANGE</entry>
</row>
<row>
<entry> <command>autodelete</command> </entry>
<entry>Boolean</entry>
<entry>Indicates whether or not the object gets deleted when the connection is closed</entry>
- <entry>CREATE QUEUE</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
</row>
<row>
<entry> <command>exclusive</command> </entry>
<entry>Boolean</entry>
<entry>Indicates the presence of an <parameter>exclusive</parameter> flag</entry>
- <entry>CREATE QUEUE</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
</row>
<row>
<entry> <command>type</command> </entry>
<entry>String</entry>
<entry>Type of exchange, such as topic, fanout, or xml</entry>
- <entry>CREATE EXCHANGE</entry>
+ <entry>CREATE EXCHANGE, ACCESS EXCHANGE</entry>
</row>
<row>
<entry> <command>alternate</command> </entry>
<entry>String</entry>
<entry>Name of the alternate exchange</entry>
- <entry>CREATE EXCHANGE, CREATE QUEUE</entry>
+ <entry>CREATE EXCHANGE, CREATE QUEUE, ACCESS EXCHANGE, ACCESS QUEUE</entry>
</row>
<row>
<entry> <command>queuename</command> </entry>
<entry>String</entry>
<entry>Name of the queue</entry>
- <entry>ACCESS EXCHANGE</entry>
+ <entry>ACCESS EXCHANGE, BIND EXCHANGE, UNBIND EXCHANGE</entry>
</row>
<row>
<entry> <command>schemapackage</command> </entry>
@@ -706,119 +743,571 @@ acl permission {<group-name>|<user-name>
<row>
<entry> <command>queuemaxsizelowerlimit</command> </entry>
<entry>Integer</entry>
- <entry>Minimum value for queue.max_size</entry>
- <entry>CREATE QUEUE</entry>
+ <entry>Minimum value for queue.max_size (memory bytes)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
</row>
<row>
<entry> <command>queuemaxsizeupperlimit</command> </entry>
<entry>Integer</entry>
- <entry>Maximum value for queue.max_size</entry>
- <entry>CREATE QUEUE</entry>
+ <entry>Maximum value for queue.max_size (memory bytes)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
</row>
<row>
<entry> <command>queuemaxcountlowerlimit</command> </entry>
<entry>Integer</entry>
- <entry>Minimum value for queue.max_count</entry>
- <entry>CREATE QUEUE</entry>
+ <entry>Minimum value for queue.max_count (messages)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
</row>
<row>
<entry> <command>queuemaxcountupperlimit</command> </entry>
<entry>Integer</entry>
- <entry>Maximum value for queue.max_count</entry>
- <entry>CREATE QUEUE</entry>
+ <entry>Maximum value for queue.max_count (messages)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxsizelowerlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Minimum value for file.max_size (64kb pages)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxsizeupperlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Maximum value for file.max_size (64kb pages)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxcountlowerlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Minimum value for file.max_count (files)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxcountupperlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Maximum value for file.max_count (files)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
</row>
-
</tbody>
-
</tgroup>
-
</table>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_ActionObjectPropertyTuples">
+ <title>ACL Action-Object-Property Tuples</title>
+ <para>
+ Not every ACL action is applicable to every ACL object. Furthermore, not every property may be
+ specified for every action-object pair.
+ The following table enumerates which action and object pairs are allowed.
+ The table also lists which optional ACL properties are allowed to qualify
+ action-object pairs.
+ </para>
+ <para>
+ The <emphasis>access</emphasis> action is called with different argument
+ lists for the <emphasis>exchange</emphasis> and <emphasis>queue</emphasis> objects.
+ A separate column shows the AMQP 0.10 method that the Access ACL rule is satisfying.
+ Write separate rules with the additional arguments for the <emphasis>declare</emphasis>
+ and <emphasis>bind</emphasis> methods and include these rules in the ACL file
+ before the rules for the <emphasis>query</emphasis> method.
+ <!-- The exact sequence of calling these methods is a product of the client
+ library. The user might not know anything about a 'declare' or a 'query' or
+ a passive declaration. -->
+ </para>
+ <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">
+ <title>ACL Properties Allowed for each Action and Object</title>
+ <tgroup cols="4">
+ <thead>
+ <row>
+ <entry>Action</entry>
+ <entry>Object</entry>
+ <entry>Properties</entry>
+ <entry>Method</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry>access</entry>
+ <entry>broker</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>access</entry>
+ <entry>exchange</entry>
+ <entry>name type alternate durable</entry>
+ <entry>declare</entry>
+ </row>
+ <row>
+ <entry>access</entry>
+ <entry>exchange</entry>
+ <entry>name queuename routingkey</entry>
+ <entry>bound</entry>
+ </row>
+ <row>
+ <entry>access</entry>
+ <entry>exchange</entry>
+ <entry>name</entry>
+ <entry>query</entry>
+ </row>
+ <row>
+ <entry>access</entry>
+ <entry>method</entry>
+ <entry>name schemapackage schemaclass</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>access</entry>
+ <entry>queue</entry>
+ <entry>name alternate durable exclusive autodelete policy queuemaxsizelowerlimit queuemaxsizeupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit</entry>
+ <entry>declare</entry>
+ </row>
+ <row>
+ <entry>access</entry>
+ <entry>queue</entry>
+ <entry>name</entry>
+ <entry>query</entry>
+ </row>
+ <row>
+ <entry>bind</entry>
+ <entry>exchange</entry>
+ <entry>name queuename routingkey</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>consume</entry>
+ <entry>queue</entry>
+ <entry>name</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>create</entry>
+ <entry>exchange</entry>
+ <entry>name type alternate durable</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>create</entry>
+ <entry>link</entry>
+ <entry>name</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>create</entry>
+ <entry>queue</entry>
+ <entry>name alternate durable exclusive autodelete policy queuemaxsizelowerlimit queuemaxsizeupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>delete</entry>
+ <entry>exchange</entry>
+ <entry>name</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>delete</entry>
+ <entry>queue</entry>
+ <entry>name</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>publish</entry>
+ <entry>exchange</entry>
+ <entry>name routingkey</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>purge</entry>
+ <entry>queue</entry>
+ <entry>name</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>unbind</entry>
+ <entry>exchange</entry>
+ <entry>name queuename routingkey</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry>update</entry>
+ <entry>broker</entry>
+ <entry></entry>
+ <entry></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <para>
+ </para>
+ </section>
</section>
<section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions">
<title>ACL Syntactic Conventions</title>
- <para>
- In ACL files, the following syntactic conventions apply:
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-comments">
+ <title>Comments</title>
+ <para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A line starting with the <command>#</command> character is considered a comment and is ignored.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Embedded comments and trailing comments are not allowed. The <command>#</command> is commonly found in routing keys and other AMQP literals which occur naturally in ACL rule specifications.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-whitespace">
+ <title>White Space</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Empty lines and lines that contain only whitespace (' ', '\f', '\n', '\r', '\t', '\v') are ignored.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Additional whitespace between and after tokens is allowed.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Group and Acl definitions must start with <command>group</command> and <command>acl</command> respectively and with no preceding whitespace.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-characterset">
+ <title>Character Set</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ ACL files use 7-bit ASCII characters only
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Group names may contain only
<itemizedlist>
- <listitem>
- <para>
- A line starting with the <command>#</command> character is considered a comment and is ignored.
- </para>
-
- </listitem>
- <listitem>
- <para>
- Empty lines and lines that contain only whitespace (' ', '\f', '\n', '\r', '\t', '\v') are ignored.
- </para>
-
- </listitem>
- <listitem>
- <para>
- All tokens are case sensitive. <parameter>name1</parameter> is not the same as <parameter>Name1</parameter> and <parameter>create</parameter> is not the same as <parameter>CREATE</parameter>.
- </para>
-
- </listitem>
- <listitem>
- <para>
- Group lists can be extended to the following line by terminating the line with the <command>\</command> character.
- </para>
-
- </listitem>
- <listitem>
- <para>
- Additional whitespace - that is, where there is more than one whitespace character - between and after tokens is ignored. Group and ACL definitions must start with either <command>group</command> or <command>acl</command> and with no preceding whitespace.
- </para>
-
- </listitem>
- <listitem>
- <para>
- All ACL rules are limited to a single line of at most 1024 characters.
- </para>
-
- </listitem>
- <listitem>
- <para>
- Rules are interpreted from the top of the file down until a matching rule is obtained. The matching rule then controls the allow or deny decision.
- </para>
-
- </listitem>
- <listitem>
- <para>
- The keyword <parameter>all</parameter> is reserved and may be used in ACL rules to match all individuals and groups, all actions, or all objects.
- </para>
-
- </listitem>
- <listitem>
- <para>
- By default ACL files are in 'Deny Mode' and deny all actions by all users. That is, there is an implicit <parameter>acl deny all all</parameter> rule appended to the ACL rule list.
- </para>
-
- </listitem>
- <listitem>
- <para>
- Group names may contain only <parameter>a-z</parameter>, <parameter>A-Z</parameter>, <parameter>0-9</parameter>, <parameter>- hyphen</parameter> and <parameter>_ underscore</parameter>.
- </para>
-
- </listitem>
- <listitem>
- <para>
- Individual user names may contain only <parameter>a-z</parameter>, <parameter>A-Z</parameter>, <parameter>0-9</parameter>, <parameter>- hyphen</parameter>, <parameter>_ underscore</parameter>, <parameter>. period</parameter>, <parameter>@ ampersand</parameter>, and <parameter>/ slash</parameter>.
- </para>
-
- </listitem>
- <listitem>
- <para>
- Rules must be preceded by any group definitions they can use. Any name not defined as a group will be assumed to be that of an individual.
- </para>
-
- </listitem>
-
+ <listitem><command>[a-z]</command></listitem>
+ <listitem><command>[A-Z]</command></listitem>
+ <listitem><command>[0-9]</command></listitem>
+ <listitem><command>'-'</command> hyphen</listitem>
+ <listitem><command>'_'</command> underscore</listitem>
</itemizedlist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Individual user names may contain only
+ <itemizedlist>
+ <listitem><command>[a-z]</command></listitem>
+ <listitem><command>[A-Z]</command></listitem>
+ <listitem><command>[0-9]</command></listitem>
+ <listitem><command>'-'</command> hyphen</listitem>
+ <listitem><command>'_'</command> underscore</listitem>
+ <listitem><command>'.'</command> period</listitem>
+ <listitem><command>'@'</command> ampersand</listitem>
+ <listitem><command>'/'</command> slash</listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-casesensitivity">
+ <title>Case Sensitivity</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ All tokens are case sensitive. <parameter>name1</parameter> is not the same as <parameter>Name1</parameter> and <parameter>create</parameter> is not the same as <parameter>CREATE</parameter>.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-linecontinuation">
+ <title>Line Continuation</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Group lists can be extended to the following line by terminating the line with the <command>'\'</command> character. No other ACL file lines may be continued.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Group specification lines may be continued only after the group name or any of the user names included in the group. See example below.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Lines consisting solely of a <command>'\'</command> character are not permitted.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <command>'\'</command> continuation character is recognized only if it is the last character in the line. Any characters after the <command>'\'</command> are not permitted.
+ </para>
+ </listitem>
+ </itemizedlist>
+<programlisting><![CDATA[
+ #
+ # Examples of extending group lists using a trailing '\' character
+ #
+ group group1 name1 name2 \
+ name3 name4 \
+ name5
+
+ group group2 \
+ group1 \
+ name6
+ #
+ # The following are illegal:
+ #
+ # '\' must be after group name
+ #
+ group \
+ group3 name7 name8
+ #
+ # No empty extension line
+ #
+ group group4 name9 \
+ \
+ name10
+]]></programlisting>
- </para>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-linelength">
+ <title>Line Length</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ ACL file lines are limited to 1024 characters.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords">
+ <title>ACL File Keywords</title>
+ ACL reserves several words for convenience and for context sensitive substitution.
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords-all">
+ <title>The <command>all</command> Keyword</title>
+ The keyword <command>all</command> is reserved. It may be used in ACL rules to match all individuals and groups, all actions, or all objects.
+ <itemizedlist>
+ <listitem>acl allow all create queue</listitem>
+ <listitem>acl allow bob@QPID all queue</listitem>
+ <listitem>acl allow bob@QPID create all</listitem>
+ </itemizedlist>
+ </section>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords-userdomain">
+ <title>User Name and Domain Name Keywords</title>
+ <para>
+ In the C++ Broker 0.20 a simple set of user name and domain name substitution variable keyword tokens is defined. This provides administrators with an easy way to describe private or shared resources.
+ </para>
+ <para>
+ Symbol substitution is allowed in the ACL file anywhere that text is supplied for a property value.
+ </para>
+ <para>
+ In the following table an authenticated user named bob.user@QPID.COM has his substitution keywords expanded.
+
+ <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_UsernameSubstitution">
+ <title>ACL User Name and Domain Name Substitution Keywords</title>
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Expansion</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry> <command>${userdomain}</command> </entry>
+ <entry>bob_user_QPID_COM</entry>
+ </row>
+ <row>
+ <entry> <command>${user}</command> </entry>
+ <entry>bob_user</entry>
+ </row>
+ <row>
+ <entry> <command>${domain}</command> </entry>
+ <entry>QPID_COM</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+
+ <para>
+ <itemizedlist>
+ <listitem>
+ The original user name has the period â.â and ampersand â@â characters translated into underscore â_â. This allows substitution to work when the substitution keyword is used in a routingkey in the Acl file.
+ </listitem>
+ <listitem>
+ The Acl processing matches ${userdomain} before matching either ${user} or ${domain}. Rules that specify the combination ${user}_${domain} will never match.
+ </listitem>
+ </itemizedlist>
+ </para>
+
+<programlisting><![CDATA[
+ # Example:
+ #
+ # Administrators can set up Acl rule files that allow every user to create a
+ # private exchange, a private queue, and a private binding between them.
+ # In this example the users are also allowed to create private backup exchanges,
+ # queues and bindings. This effectively provides limits to user's exchange,
+ # queue, and binding creation and guarantees that each user gets exclusive
+ # access to these resources.
+ #
+ #
+ # Create primary queue and exchange:
+ #
+ acl allow all create queue name=$\{user}-work alternate=$\{user}-work2
+ acl deny all create queue name=$\{user}-work alternate=*
+ acl allow all create queue name=$\{user}-work
+ acl allow all create exchange name=$\{user}-work alternate=$\{user}-work2
+ acl deny all create exchange name=$\{user}-work alternate=*
+ acl allow all create exchange name=$\{user}-work
+ #
+ # Create backup queue and exchange
+ #
+ acl deny all create queue name=$\{user}-work2 alternate=*
+ acl allow all create queue name=$\{user}-work2
+ acl deny all create exchange name=$\{user}-work2 alternate=*
+ acl allow all create exchange name=$\{user}-work2
+ #
+ # Bind/unbind primary exchange
+ #
+ acl allow all bind exchange name=$\{user}-work routingkey=$\{user} queuename=$\{user}-work
+ acl allow all unbind exchange name=$\{user}-work routingkey=$\{user} queuename=$\{user}-work
+ #
+ # Bind/unbind backup exchange
+ #
+ acl allow all bind exchange name=$\{user}-work2 routingkey=$\{user} queuename=$\{user}-work2
+ acl allow all unbind exchange name=$\{user}-work2 routingkey=$\{user} queuename=$\{user}-work2
+ #
+ # Access primary exchange
+ #
+ acl allow all access exchange name=$\{user}-work routingkey=$\{user} queuename=$\{user}-work
+ #
+ # Access backup exchange
+ #
+ acl allow all access exchange name=$\{user}-work2 routingkey=$\{user} queuename=$\{user}-work2
+ #
+ # Publish primary exchange
+ #
+ acl allow all publish exchange name=$\{user}-work routingkey=$\{user}
+ #
+ # Publish backup exchange
+ #
+ acl allow all publish exchange name=$\{user}-work2 routingkey=$\{user}
+ #
+ # deny mode
+ #
+ acl deny all all
+]]></programlisting>
+ </section>
+
+ </section>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards">
+ <title>Wildcards</title>
+ ACL privides two types of wildcard matching to provide flexibility in writing rules.
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards-asterisk">
+ <title>Property Value Wildcard</title>
+ <para>
+ Text specifying a property value may end with a single trailing <command>*</command> character.
+ This is a simple wildcard match indicating that strings which match up to that point are matches for the ACL property rule.
+ An ACL rule such as
+ </para>
+ <para>
+ <programlisting> acl allow bob@QPID create queue name=bob*</programlisting>
+ </para>
+ <para>
+ allow user bob@QPID to create queues named bob1, bob2, bobQueue3, and so on.
+ </para>
+ </section>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards-topickey">
+ <title>Topic Routing Key Wildcard</title>
+ <para>
+ In the C++ Broker 0.20 the logic governing the ACL Match has changed for each ACL rule that contains a routingkey property.
+ The routingkey property is matched according to Topic Exchange match logic the broker uses when it distributes messages published to a topic exchange.
+ </para>
+ <para>
+ Routing keys are hierarchical where each level is separated by a period:
+ <itemizedlist>
+ <listitem>weather.usa</listitem>
+ <listitem>weather.europe.germany</listitem>
+ <listitem>weather.europe.germany.berlin</listitem>
+ <listitem>company.engineering.repository</listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Within the routing key hierarchy two wildcard characters are defined.
+ <itemizedlist>
+ <listitem><command>*</command> matches one field</listitem>
+ <listitem><command>#</command> matches zero or more fields</listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Suppose an ACL rule file is:
+ </para>
+ <para>
+ <programlisting>
+ acl allow-log uHash1@COMPANY publish exchange name=X routingkey=a.#.b
+ acl deny all all
+ </programlisting>
+ </para>
+ <para>
+ When user uHash1@COMPANY attempts to publish to exchange X the ACL will return these results:
+
+ <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_TopicExchangeMatch">
+ <title>Topic Exchange Wildcard Match Examples</title>
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>routingkey in publish to exchange X</entry>
+ <entry>result</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry> <command>a.b</command> </entry>
+ <entry>allow-log</entry>
+ </row>
+ <row>
+ <entry> <command>a.x.b</command> </entry>
+ <entry>allow-log</entry>
+ </row>
+ <row>
+ <entry> <command>a.x.y.zz.b</command> </entry>
+ <entry>allow-log</entry>
+ </row>
+ <row>
+ <entry> <command>a.b.</command> </entry>
+ <entry>deny</entry>
+ </row>
+ <row>
+ <entry> <command>q.x.b</command> </entry>
+ <entry>deny</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
- </section>
+ </para>
+ </section>
+
+ </section>
+
+
+
+ </section>
<section id="sect-Messaging_User_Guide-Authorization-ACL_Rule_Matching">
<title>ACL Rule Matching</title>
@@ -839,51 +1328,51 @@ acl permission {<group-name>|<user-name>
<para>
The following illustration shows how ACL rules are processed to find matching rules.
<programlisting><![CDATA[
-# Example of rule matching
-#
-# Using this ACL file content:
-
-(1) acl deny bob create exchange name=test durable=true passive=true
-(2) acl deny bob create exchange name=myEx type=direct
-(3) acl allow all all
-
-#
-# Lookup 1. id:bob action:create objectType:exchange name=test
-# {durable=false passive=false type=direct alternate=}
-#
-# ACL Match Processing:
-# 1. Rule 1 passes minimum criteria with user bob, action create,
-# and object exchange.
-# 2. Rule 1 matches name=test.
-# 3. Rule 1 does not match the rule's durable=true with the requested
-# lookup of durable=false.
-# 4. Rule 1 does not control the decision and processing continues
-# to Rule 2.
-# 5. Rule 2 passes minimum criteria with user bob, action create,
-# and object exchange.
-# 6. Rule 2 does not match the rule's name=myEx with the requested
-# lookup of name=test.
-# 7. Rule 2 does not control the decision and processing continues
-# to Rule 3.
-# 8. Rule 3 matches everything and the decision is 'allow'.
-#
-# Lookup 2. id:bob action:create objectType:exchange name=myEx
-# {durable=true passive=true type=direct alternate=}
-#
-# ACL Match Processing:
-# 1. Rule 1 passes minimum criteria with user bob, action create,
-# and object exchange.
-# 6. Rule 1 does not match the rule's name=test with the requested
-# lookup of name=myEx.
-# 4. Rule 1 does not control the decision and processing continues
-# to Rule 2.
-# 5. Rule 2 passes minimum criteria with user bob, action create,
-# and object exchange.
-# 2. Rule 2 matches name=myEx.
-# 3. Rule 2 matches the rule's type=direct with the requested
-# lookup of type=direct.
-# 8. Rule 2 is the matching rule and the decision is 'deny'.
-#
+ # Example of rule matching
+ #
+ # Using this ACL file content:
+
+ (1) acl deny bob create exchange name=test durable=true passive=true
+ (2) acl deny bob create exchange name=myEx type=direct
+ (3) acl allow all all
+
+ #
+ # Lookup 1. id:bob action:create objectType:exchange name=test
+ # {durable=false passive=false type=direct alternate=}
+ #
+ # ACL Match Processing:
+ # 1. Rule 1 passes minimum criteria with user bob, action create,
+ # and object exchange.
+ # 2. Rule 1 matches name=test.
+ # 3. Rule 1 does not match the rule's durable=true with the requested
+ # lookup of durable=false.
+ # 4. Rule 1 does not control the decision and processing continues
+ # to Rule 2.
+ # 5. Rule 2 passes minimum criteria with user bob, action create,
+ # and object exchange.
+ # 6. Rule 2 does not match the rule's name=myEx with the requested
+ # lookup of name=test.
+ # 7. Rule 2 does not control the decision and processing continues
+ # to Rule 3.
+ # 8. Rule 3 matches everything and the decision is 'allow'.
+ #
+ # Lookup 2. id:bob action:create objectType:exchange name=myEx
+ # {durable=true passive=true type=direct alternate=}
+ #
+ # ACL Match Processing:
+ # 1. Rule 1 passes minimum criteria with user bob, action create,
+ # and object exchange.
+ # 2. Rule 1 does not match the rule's name=test with the requested
+ # lookup of name=myEx.
+ # 3. Rule 1 does not control the decision and processing continues
+ # to Rule 2.
+ # 4. Rule 2 passes minimum criteria with user bob, action create,
+ # and object exchange.
+ # 5. Rule 2 matches name=myEx.
+ # 6. Rule 2 matches the rule's type=direct with the requested
+ # lookup of type=direct.
+ # 7. Rule 2 is the matching rule and the decision is 'deny'.
+ #
]]></programlisting>
</para>
@@ -892,38 +1381,38 @@ acl permission {<group-name>|<user-name>
<section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Permissions">
<title>Specifying ACL Permissions</title>
<para>
- Now that we have seen the ACL syntax, we will provide representative examples and guidelines for ACL files.
+ Now that we have seen the ACL syntax, we will provide representative examples and guidelines for ACL files.
</para>
<para>
Most ACL files begin by defining groups:
</para>
<programlisting>
-group admin ted@QPID martin@QPID
-group user-consume martin@QPID ted@QPID
-group group2 kim@QPID user-consume rob@QPID
-group publisher group2 \
-tom@QPID andrew@QPID debbie@QPID
+ group admin ted@QPID martin@QPID
+ group user-consume martin@QPID ted@QPID
+ group group2 kim@QPID user-consume rob@QPID
+ group publisher group2 \
+ tom@QPID andrew@QPID debbie@QPID
</programlisting>
<para>
Rules in an ACL file grant or deny specific permissions to users or groups:
</para>
<programlisting>
-acl allow carlt@QPID create exchange name=carl.*
-acl allow rob@QPID create queue
-acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.rht.#
-acl allow user-consume create queue name=tmp.*
-
-acl allow publisher publish all durable=false
-acl allow publisher create queue name=RequestQueue
-acl allow consumer consume queue durable=true
-acl allow fred@QPID create all
-acl allow bob@QPID all queue
-acl allow admin all
-acl allow all consume queue
-acl allow all bind exchange
-acl deny all all
+ acl allow carlt@QPID create exchange name=carl.*
+ acl allow rob@QPID create queue
+ acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.rht.#
+ acl allow user-consume create queue name=tmp.*
+
+ acl allow publisher publish all durable=false
+ acl allow publisher create queue name=RequestQueue
+ acl allow consumer consume queue durable=true
+ acl allow fred@QPID create all
+ acl allow bob@QPID all queue
+ acl allow admin all
+ acl allow all consume queue
+ acl allow all bind exchange
+ acl deny all all
</programlisting>
<para>
In the previous example, the last line, <literal>acl deny all all</literal>, denies all authorizations that have not been specifically granted. This is the default, but it is useful to include it explicitly on the last line for the sake of clarity. If you want to grant all rights by default, you can specify <literal>acl allow all all</literal> in the last line.
@@ -933,10 +1422,10 @@ acl deny all all
</para>
<para>
<programlisting>
-group users alice@QPID bob@QPID charlie@QPID
-acl deny charlie@QPID create queue
-acl allow users create queue
-acl deny all all
+ group users alice@QPID bob@QPID charlie@QPID
+ acl deny charlie@QPID create queue
+ acl allow users create queue
+ acl deny all all
</programlisting>
</para>
<para>
@@ -947,42 +1436,74 @@ acl deny all all
</para>
<programlisting>
-group allUsers guest@QPID
-....
-acl deny-log allUsers create link
-acl deny-log allUsers access method name=connect
-acl deny-log allUsers access method name=echo
-acl allow all all
+ group allUsers guest@QPID
+ ...
+ acl deny-log allUsers create link
+ acl deny-log allUsers access method name=connect
+ acl deny-log allUsers access method name=echo
+ acl allow all all
</programlisting>
</section>
+ </section>
- <section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Limits">
- <title>Specifying ACL Connection Limits</title>
- <para>
- The ACL module creates two broker command line switches that set limits on the number of connections allowed per user or per client host address. These settings are not specified in the ACL file.
- </para>
- <para>
-<programlisting>
---acl-max-connect-per-user N_USER
---acl-max-connect-per-ip N_IP
-</programlisting>
- </para>
- <para>
- If either of these switches is not specified or the value specified is zero then the corresponding connection limit is not enforced.
- </para>
- <para>
- If a limit is set for user connections then all users are limited to that number of connections regardless of the client IP address the users are coming from.
- </para>
- <para>
- If a limit is set for IP connections then connections for a given IP address are limited regardless of the user credentials presented with the connection.
- </para>
- <para>
- Note that addresses using different transports are counted separately even though the host is actually the same physical machine. In the setting illustrated above a host would allow N_IP connections from [::1] IPv6 transport localhost and another N_IP connections from [127.0.0.1] IPv4 transport localhost.
- </para>
- </section>
-
- </section>
+ <section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Quotas">
+ <title>User Connection and Queue Quotas</title>
+ The ACL module enforces various quotas and thereby limits user activity.
+
+ <section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Limits">
+ <title>Connection Limits</title>
+ <para>
+ The ACL module creates broker command line switches that set limits on the number of concurrent connections allowed per user or per client host address. These settings are not specified in the ACL file.
+ </para>
+ <para>
+ <programlisting>
+ --max-connections N
+ --max-connections-per-user N
+ --max-connections-per-ip N
+ </programlisting>
+ </para>
+ <para>
+ If a switch is not specified or the value specified is zero then the corresponding connection limit is not enforced.
+ </para>
+ <para>
+ <command>max-connections</command> specifies an upper limit for all user connections.
+ </para>
+ <para>
+ <command>max-connections-per-user</command> specifies an upper limit for each user based on the authenticated user name. This limit is enforced regardless of the client IP address from which the connection originates.
+ </para>
+ <para>
+ <command>max-connections-per-ip</command> specifies an upper limit for connections for all users based on the originating client IP address. This limit is enforced regardless of the user credentials presented with the connection.
+ <itemizedlist>
+ <listitem>
+ Note that addresses using different transports are counted separately even though the originating host is actually the same physical machine. In the setting illustrated above a host would allow N_IP connections from [::1] IPv6 transport localhost and another N_IP connections from [127.0.0.1] IPv4 transport localhost.
+ </listitem>
+ <listitem>
+ The max-connections-per-ip and max-connections-per-user counts are active simultaneously. From a given client system users may be denied access to the broker by either connection limit.
+ </listitem>
+ </itemizedlist>
+ </para>
+ </section>
+
+ <section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Queue_Limits">
+ <title>Queue Limits</title>
+ <para>
+ The ACL module creates a broker command line switch that set limits on the number of queues each user is allowed to create. This settings is not specified in the ACL file.
+ </para>
+ <para>
+ <programlisting>
+ --max-queues-per-user N
+ </programlisting>
+ </para>
+ <para>
+ If this switch is not specified or the value specified is zero then the queue limit is not enforced.
+ </para>
+ <para>
+ The queue limit is set for all users on the broker based on the authenticated user name.
+ </para>
+ </section>
+
+ </section>
<!-- ########################### --> <section id="sect-Messaging_User_Guide-Security-Encryption_using_SSL">
<title>Encryption using SSL</title>
Modified: qpid/branches/asyncstore/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml (original)
+++ qpid/branches/asyncstore/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml Thu Feb 28 16:14:30 2013
@@ -8,66 +8,33 @@
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
-
+
http://www.apache.org/licenses/LICENSE-2.0
-
+
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-
+
-->
-<book>
- <title>AMQP Messaging Broker (Implemented in Java)</title>
- <preface>
- <title>Introduction</title>
- <para>Qpid provides two AMQP messaging brokers:</para>
-
- <itemizedlist>
- <listitem><para>Implemented in C++ - high performance, low latency, and RDMA support.</para></listitem>
- <listitem><para>Implemented in Java - Fully JMS compliant, runs on any Java platform.</para></listitem>
- </itemizedlist>
-
- <para>Both AMQP messaging brokers support clients in multiple languages, as long as the messaging client and the messaging broker use the same version of AMQP.</para>
-
- <para>This manual contains information specific to the broker that is implemented in Java.</para>
- </preface>
-
-<chapter id="Java-General-User-Guides">
- <title>General User Guides</title>
-
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Feature-Guide.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Qpid-Java-FAQ.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Environment-Variables.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Qpid-Troubleshooting-Guide.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Broker-Configuration-Guide.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="HA-Guide.xml"/>
-</chapter>
-
-<chapter id="Qpid-Java-Broker-HowTos">
-<title>How Tos</title>
-
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Add-New-Users.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-ACLs.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-Java-Qpid-to-use-a-SSL-connection.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-Log4j-CompositeRolling-Appender.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-the-Broker-via-config.xml.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-the-Virtual-Hosts-via-virtualhosts.xml.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Debug-using-log4j.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="How-to-Tune-M3-Java-Broker-Performance.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Qpid-Java-Build-How-To.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="OtherQueueTypes.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="How-to-Use-SlowConsumerDisconnect.xml"/>
-</chapter>
-
-
-<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Qpid-JMX-Management-Console.xml"/>
-
-<chapter id="QpidJavaBroker-ManagementTools">
-<title>Management Tools</title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Qpid-Java-Broker-Management-CLI.xml"/>
-</chapter>
+<book xmlns:xi="http://www.w3.org/2001/XInclude">
+<title>AMQP Messaging Broker (Java)</title>
+
+<xi:include href="Java-Broker-Introduction.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Installation.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Getting-Started.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Concepts.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Virtual-Hosts.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Exchanges.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Queues.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Stores.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Configuring-And-Managing.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Runtime.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-High-Availability.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Miscellaneous.xml"/>
+
</book>
Modified: qpid/branches/asyncstore/doc/book/src/java-broker/images/HA-BDBHAMessageStore-MBean-jconsole.png
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/doc/book/src/java-broker/images/HA-BDBHAMessageStore-MBean-jconsole.png?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
Files qpid/branches/asyncstore/doc/book/src/java-broker/images/HA-BDBHAMessageStore-MBean-jconsole.png (original) and qpid/branches/asyncstore/doc/book/src/java-broker/images/HA-BDBHAMessageStore-MBean-jconsole.png Thu Feb 28 16:14:30 2013 differ
Modified: qpid/branches/asyncstore/doc/book/xsl/html-custom.xsl
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/doc/book/xsl/html-custom.xsl?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/doc/book/xsl/html-custom.xsl (original)
+++ qpid/branches/asyncstore/doc/book/xsl/html-custom.xsl Thu Feb 28 16:14:30 2013
@@ -125,7 +125,7 @@
<DIV class="menu_box_body">
<H3>Documentation</H3>
<UL>
- <LI><A href="http://qpid.apache.org/documentation.html#doc-release">0.14 Release</A></LI>
+ <LI><A href="http://qpid.apache.org/documentation.html#doc-release">Latest Release</A></LI>
<LI><A href="http://qpid.apache.org/documentation.html#doc-trunk">Trunk</A></LI>
<LI><A href="http://qpid.apache.org/documentation.html#doc-archives">Archive</A></LI>
</UL>
Modified: qpid/branches/asyncstore/extras/qmf/setup.py
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/extras/qmf/setup.py?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/extras/qmf/setup.py (original)
+++ qpid/branches/asyncstore/extras/qmf/setup.py Thu Feb 28 16:14:30 2013
@@ -20,7 +20,7 @@
from distutils.core import setup
setup(name="qpid-qmf",
- version="0.19",
+ version="0.21",
author="Apache Qpid",
author_email="dev@qpid.apache.org",
packages=["qmf"],
Modified: qpid/branches/asyncstore/extras/qmf/src/py/qmf/console.py
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/extras/qmf/src/py/qmf/console.py?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/extras/qmf/src/py/qmf/console.py (original)
+++ qpid/branches/asyncstore/extras/qmf/src/py/qmf/console.py Thu Feb 28 16:14:30 2013
@@ -25,6 +25,7 @@ import qpid
import struct
import socket
import re
+import sys
from qpid.datatypes import UUID
from qpid.datatypes import timestamp
from qpid.datatypes import datetime
@@ -2423,11 +2424,21 @@ class Broker(Thread):
oldTimeout = sock.gettimeout()
sock.settimeout(self.connTimeout)
connSock = None
+ force_blocking = False
if self.ssl:
+ # Bug (QPID-4337): the "old" implementation of python SSL
+ # fails if the socket is set to non-blocking (which settimeout()
+ # may change).
+ if sys.version_info[:2] < (2, 6): # 2.6+ uses openssl - it's ok
+ force_blocking = True
+ sock.setblocking(1)
+ certfile = None
if 'ssl_certfile' in self.connectArgs:
- connSock = ssl(sock, certfile=self.connectArgs['ssl_certfile'])
- else:
- connSock = ssl(sock)
+ certfile = self.connectArgs['ssl_certfile']
+ keyfile = None
+ if 'ssl_keyfile' in self.connectArgs:
+ keyfile = self.connectArgs['ssl_keyfile']
+ connSock = ssl(sock, certfile=certfile, keyfile=keyfile)
else:
connSock = sock
self.conn = Connection(connSock, username=self.authUser, password=self.authPass,
@@ -2438,7 +2449,10 @@ class Broker(Thread):
oldAborted = self.conn.aborted
self.conn.aborted = aborted
self.conn.start()
- sock.settimeout(oldTimeout)
+
+ # Bug (QPID-4337): don't enable non-blocking (timeouts) for old SSL
+ if not force_blocking:
+ sock.settimeout(oldTimeout)
self.conn.aborted = oldAborted
uid = self.conn.user_id
if uid.__class__ == tuple and len(uid) == 2:
Propchange: qpid/branches/asyncstore/java/
------------------------------------------------------------------------------
Merged /qpid/trunk/qpid/java:r1375509-1450773
Modified: qpid/branches/asyncstore/java/.gitignore
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/.gitignore?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/.gitignore (original)
+++ qpid/branches/asyncstore/java/.gitignore Thu Feb 28 16:14:30 2013
@@ -18,3 +18,4 @@
#
*.swp
eclipse-projects/*
+derby.log
Propchange: qpid/branches/asyncstore/java/amqp-1-0-client/
------------------------------------------------------------------------------
Merged /qpid/trunk/qpid/java/amqp-1-0-client:r1375509-1450773
Propchange: qpid/branches/asyncstore/java/amqp-1-0-client-jms/
------------------------------------------------------------------------------
Merged /qpid/trunk/qpid/java/amqp-1-0-client-jms:r1375509-1450773
Modified: qpid/branches/asyncstore/java/amqp-1-0-client-jms/build.xml
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/amqp-1-0-client-jms/build.xml?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/amqp-1-0-client-jms/build.xml (original)
+++ qpid/branches/asyncstore/java/amqp-1-0-client-jms/build.xml Thu Feb 28 16:14:30 2013
@@ -24,6 +24,9 @@
<property name="module.depends" value="amqp-1-0-common amqp-1-0-client"/>
<property name="module.genpom.args" value="-Sgeronimo-jms_1.1_spec=provided"/>
+ <property name="example.src.dir" value="${project.root}/amqp-1-0-client-jms/example/src/main/java" />
+ <property name="example.jar.file" value="${build.lib}/qpid-amqp-1-0-client-jms-example-${project.version}.jar" />
+
<target name="release-bin-copy-readme">
<copy todir="${module.release}" overwrite="true" failonerror="true">
Modified: qpid/branches/asyncstore/java/amqp-1-0-client-jms/src/main/java/org/apache/qpid/amqp_1_0/jms/impl/ConnectionFactoryImpl.java
URL: http://svn.apache.org/viewvc/qpid/branches/asyncstore/java/amqp-1-0-client-jms/src/main/java/org/apache/qpid/amqp_1_0/jms/impl/ConnectionFactoryImpl.java?rev=1451244&r1=1451243&r2=1451244&view=diff
==============================================================================
--- qpid/branches/asyncstore/java/amqp-1-0-client-jms/src/main/java/org/apache/qpid/amqp_1_0/jms/impl/ConnectionFactoryImpl.java (original)
+++ qpid/branches/asyncstore/java/amqp-1-0-client-jms/src/main/java/org/apache/qpid/amqp_1_0/jms/impl/ConnectionFactoryImpl.java Thu Feb 28 16:14:30 2013
@@ -20,8 +20,12 @@
*/
package org.apache.qpid.amqp_1_0.jms.impl;
+import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
+import java.net.URLConnection;
+import java.net.URLDecoder;
+import java.net.URLStreamHandler;
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
@@ -39,6 +43,8 @@ public class ConnectionFactoryImpl imple
private String _remoteHost;
private boolean _ssl;
+ private String _queuePrefix;
+ private String _topicPrefix;
public ConnectionFactoryImpl(final String host,
final int port,
@@ -86,36 +92,70 @@ public class ConnectionFactoryImpl imple
public ConnectionImpl createConnection() throws JMSException
{
- return new ConnectionImpl(_host, _port, _username, _password, _clientId, _remoteHost, _ssl);
+ return createConnection(_username, _password);
}
public ConnectionImpl createConnection(final String username, final String password) throws JMSException
{
- return new ConnectionImpl(_host, _port, username, password, _clientId, _remoteHost, _ssl);
+ ConnectionImpl connection = new ConnectionImpl(_host, _port, username, password, _clientId, _remoteHost, _ssl);
+ connection.setQueuePrefix(_queuePrefix);
+ connection.setTopicPrefix(_topicPrefix);
+ return connection;
}
public static ConnectionFactoryImpl createFromURL(final String urlString) throws MalformedURLException
{
- URL url = new URL(urlString);
+ URL url = new URL(null, urlString, new URLStreamHandler()
+ {
+ @Override
+ protected URLConnection openConnection(URL u) throws IOException
+ {
+ throw new UnsupportedOperationException();
+ }
+ });
+ String protocol = url.getProtocol();
+ if(protocol == null || "".equals(protocol))
+ {
+ protocol = "amqp";
+ }
+ else if(!protocol.equals("amqp") && !protocol.equals("amqps"))
+ {
+ throw new MalformedURLException("Protocol '"+protocol+"' unknown. Must be one of 'amqp' or 'amqps'.");
+ }
String host = url.getHost();
int port = url.getPort();
+
+ boolean ssl = false;
+
if(port == -1)
{
- port = 5672;
+ if("amqps".equals(protocol))
+ {
+ port = 5671;
+ ssl = true;
+ }
+ else
+ {
+ port = 5672;
+ }
}
+ else if("amqps".equals(protocol))
+ {
+ ssl = true;
+ }
+
String userInfo = url.getUserInfo();
String username = null;
String password = null;
String clientId = null;
String remoteHost = null;
- boolean ssl = false;
if(userInfo != null)
{
String[] components = userInfo.split(":",2);
- username = components[0];
+ username = URLDecoder.decode(components[0]);
if(components.length == 2)
{
- password = components[1];
+ password = URLDecoder.decode(components[1]);
}
}
String query = url.getQuery();
@@ -139,6 +179,11 @@ public class ConnectionFactoryImpl imple
}
}
+ if(remoteHost == null)
+ {
+ remoteHost = host;
+ }
+
return new ConnectionFactoryImpl(host, port, username, password, clientId, remoteHost, ssl);
}
@@ -170,4 +215,24 @@ public class ConnectionFactoryImpl imple
connection.setTopicConnection(true);
return connection;
}
+
+ public String getTopicPrefix()
+ {
+ return _topicPrefix;
+ }
+
+ public void setTopicPrefix(String topicPrefix)
+ {
+ _topicPrefix = topicPrefix;
+ }
+
+ public String getQueuePrefix()
+ {
+ return _queuePrefix;
+ }
+
+ public void setQueuePrefix(String queuePrefix)
+ {
+ _queuePrefix = queuePrefix;
+ }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org