Posted to users@qpid.apache.org by Paul Colby <pa...@colby.id.au> on 2012/05/30 06:09:03 UTC

ACL to allow QMF agents / clients

Hi,

I'm implementing an access control list (ACL) for an internal Qpid cluster.
Most of the ACL is nice and straightforward.  However, I'm wondering what
the best way is to enable QMF agents and clients to work (we have our own
custom QMF agents and clients using QMF2, plus the standard Qpid tools).

When I said "best" above, I mean:
* minimum extraneous access (i.e. not giving away more access than required);
and
* most maintainable (i.e. a small number of clear, concise rules).

I've seen the rules at
https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and
they look pretty good.  They seem to have been based on Qpid 0.12, and I
vaguely recall reading plans to improve this aspect of ACL some time ago...

So, is the following the best there is, or can I do better with Qpid 0.16?
 (I've intentionally skipped the declaration of the agents and consoles
groups)

acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume

acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume

acl deny-log all all

Thanks! :)

Paul
----
http://colby.id.au

Re: ACL to allow QMF agents / clients

Posted by Paul Colby <pa...@colby.id.au>.
Thanks Ted,

I'll use the matahari example as a starting point then.

Though I can confirm that it is insufficient for me with Qpid 0.16... for
example, one of my QMF2 agents also requires:

acl allow agents create exchange name=qmf.default.direct

(Of course the matahari example would still work if my agent happened to
also be a console member, but it's not in my case).

Thanks again,

pc
----
http://colby.id.au


On Thu, May 31, 2012 at 1:29 AM, Ted Ross <tr...@redhat.com> wrote:

> Hi Paul,
>
> This aspect of ACL is the same in 0.16 as it is in 0.14.  That matahari
> web link is very up-to-date.
>
> -Ted
>
>
> On 05/30/2012 12:09 AM, Paul Colby wrote:
>
>> Hi,
>>
>> I'm implementing an access control list (ACL) for an internal Qpid
>> cluster.
>> Most of the ACL is nice and straightforward.  However, I'm wondering
>> what
>> the best way is to enable QMF agents and clients to work (we have our own
>> custom QMF agents and clients using QMF2, plus the standard Qpid
>> tools).
>>
>> When I said "best" above, I mean:
>> * minimum extraneous access (i.e. not giving away more access than
>> required);
>> and
>> * most maintainable (i.e. a small number of clear, concise rules).
>>
>> I've seen the rules at
>> https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and
>> they look pretty good.  They seem to have been based on Qpid 0.12, and I
>> vaguely recall reading plans to improve this aspect of ACL some time
>> ago...
>>
>> So, is the following the best there is, or can I do better with Qpid 0.16?
>>  (I've intentionally skipped the declaration of the agents and consoles
>> groups)
>>
>> acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
>> acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
>> acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
>> acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
>> acl allow agents create link
>> acl allow agents create queue
>> acl allow agents create exchange name=qmf.default.topic
>> acl allow agents access exchange name=qmf.default.topic
>> acl allow agents consume
>>
>> acl allow consoles create exchange name=qmf.default.direct
>> acl allow consoles access exchange name=qmf.default.direct
>> acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
>> acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
>> acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
>> acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
>> acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
>> acl allow consoles create queue
>> acl allow consoles create exchange name=qmf.default.topic
>> acl allow consoles access exchange name=qmf.default.topic
>> acl allow consoles consume
>>
>>
>> acl deny-log all all
>>
>> Thanks! :)
>>
>> Paul
>> ----
>> http://colby.id.au
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
>
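To make the least-privilege question in this thread checkable, here is a small Python simulator of the rule matching a qpidd-style ACL file performs, written as an added example for this page: it is not qpidd's own code, nor the matahari policy, and it simplifies the broker's semantics (first matching rule from the top decides, "*" in a property value is treated as a glob, and a request that matches no rule is denied). The `group` lines and the user names in them are assumptions, since the original post deliberately left the group declarations out; the routing keys in the sample requests are illustrative QMF2-style keys. It serves both the ruleset in the first post and the extra `create exchange name=qmf.default.direct` rule from the reply above.

```python
"""Simulator of qpidd-style ACL matching for the QMF agent/console ruleset.

Added example for this thread, not qpidd's own code. It simplifies the broker:
rules are tried top to bottom, the first rule whose subject, action, object and
properties all match decides, '*' in a property value is a glob, no match = deny.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The posted rules, one per line. The two group lines are assumed (the post
# left them out) and the user names in them are placeholders.
POSTED_ACL = """
group agents agent1@QPID agent2@QPID
group consoles console1@QPID admin@QPID
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny-log all all
"""
# The extra rule the reply says one QMF2 agent needed on 0.16.
EXTRA_AGENT_RULE = "acl allow agents create exchange name=qmf.default.direct"
PERMISSIONS = ("allow", "allow-log", "deny", "deny-log")


@dataclass
class Rule:
    permission: str
    subject: str        # user, group name, or 'all'
    action: str         # bind, publish, create, access, consume, ... or 'all'
    obj: Optional[str]  # exchange, queue, link, ...; None means any object
    props: Dict[str, str]
    text: str


@dataclass
class Acl:
    groups: Dict[str, Set[str]] = field(default_factory=dict)
    rules: List[Rule] = field(default_factory=list)


def parse_acl(text: str) -> Acl:
    """Parse 'group' and 'acl' lines; '#' starts a comment, blank lines are skipped."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "group" and len(tokens) >= 2:
            acl.groups.setdefault(tokens[1], set()).update(tokens[2:])
        elif tokens[0] == "acl" and len(tokens) >= 4 and tokens[1] in PERMISSIONS:
            rest = tokens[4:]
            obj = rest.pop(0) if rest and "=" not in rest[0] else None
            props = dict(tok.split("=", 1) for tok in rest)
            acl.rules.append(Rule(tokens[1], tokens[2], tokens[3], obj, props, line))
        else:
            raise ValueError("unrecognised ACL line: %r" % line)
    return acl


def decide(acl: Acl, user: str, action: str, obj: Optional[str] = None,
           **props: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, text of the deciding rule); no matching rule means deny."""
    for r in acl.rules:
        subject_ok = r.subject in ("all", user) or user in acl.groups.get(r.subject, set())
        # every property the rule names must be present in the request and match
        props_ok = all(k in props and fnmatch.fnmatchcase(props[k], v) for k, v in r.props.items())
        if subject_ok and r.action in ("all", action) and r.obj in (None, "all", obj) and props_ok:
            return r.permission.startswith("allow"), r.text
    return False, None


def add_rule_before_catch_all(text: str, rule: str) -> str:
    """Splice a rule in ahead of the final 'acl ... all all' line so the deny stays last."""
    lines = text.rstrip("\n").splitlines()
    for i in range(len(lines) - 1, -1, -1):
        if lines[i].startswith("acl") and lines[i].split()[-2:] == ["all", "all"]:
            lines.insert(i, rule)
            return "\n".join(lines) + "\n"
    return "\n".join(lines + [rule]) + "\n"


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL)
    for user, action, obj, props in [  # illustrative QMF2-style requests
        ("agent1@QPID", "publish", "exchange", {"name": "qmf.default.topic", "routingkey": "agent.ind.heartbeat"}),
        ("agent1@QPID", "publish", "exchange", {"name": "qmf.default.topic", "routingkey": "console.request.agent_locate"}),
        ("agent1@QPID", "create", "exchange", {"name": "qmf.default.direct"}),
        ("bob@QPID", "consume", "queue", {"name": "reply.queue"})]:
        print(user, action, obj, props, "->", decide(acl, user, action, obj, **props))
    patched = parse_acl(add_rule_before_catch_all(POSTED_ACL, EXTRA_AGENT_RULE))
    print("with extra rule ->", decide(patched, "agent1@QPID", "create", "exchange", name="qmf.default.direct"))
```

Run as a script it shows the split the rules are meant to enforce: an agent may publish under agent.* but not console.*, an unknown user hits the closing deny-log rule, and an agent asking to create qmf.default.direct is denied under the posted rules, which is the symptom described in the reply. Splicing the extra rule in ahead of the catch-all grants exactly that one right without making the agent a member of consoles. The model is a reviewing aid only; confirm behaviour against the broker itself by loading the file with qpidd's --acl-file option and watching the broker log for the denials that deny-log records.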

Re: ACL to allow QMF agents / clients

Posted by Ted Ross <tr...@redhat.com>.
Hi Paul,

This aspect of ACL is the same in 0.16 as it is in 0.14.  That matahari 
web link is very up-to-date.

-Ted

On 05/30/2012 12:09 AM, Paul Colby wrote:
> Hi,
>
> I'm implementing an access control list (ACL) for an internal Qpid cluster.
>   Most of the ACL is nice and straightforward.  However, I'm wondering what
> the best way is to enable QMF agents and clients to work (we have our own
> custom QMF agents and clients using QMF2, plus the standard Qpid tools).
>
> When I said "best" above, I mean:
> * minimum extraneous access (i.e. not giving away more access than required);
> and
> * most maintainable (i.e. a small number of clear, concise rules).
>
> I've seen the rules at
> https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and
> they look pretty good.  They seem to have been based on Qpid 0.12, and I
> vaguely recall reading plans to improve this aspect of ACL some time ago...
>
> So, is the following the best there is, or can I do better with Qpid 0.16?
>   (I've intentionally skipped the declaration of the agents and consoles
> groups)
>
> acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
> acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
> acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
> acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
> acl allow agents create link
> acl allow agents create queue
> acl allow agents create exchange name=qmf.default.topic
> acl allow agents access exchange name=qmf.default.topic
> acl allow agents consume
>
> acl allow consoles create exchange name=qmf.default.direct
> acl allow consoles access exchange name=qmf.default.direct
> acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
> acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
> acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
> acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
> acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
> acl allow consoles create queue
> acl allow consoles create exchange name=qmf.default.topic
> acl allow consoles access exchange name=qmf.default.topic
> acl allow consoles consume
>
> acl deny-log all all
>
> Thanks! :)
>
> Paul
> ----
> http://colby.id.au
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org