Posted to commits@qpid.apache.org by ch...@apache.org on 2014/07/15 00:08:05 UTC

svn commit: r1610547 - /qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml

Author: chug
Date: Mon Jul 14 22:08:05 2014
New Revision: 1610547

URL: http://svn.apache.org/r1610547
Log:
QPID-5890: Refactoring AclModule documentation update.
Refactoring exposed new details about how Acl works.

Modified:
    qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml

Modified: qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml?rev=1610547&r1=1610546&r2=1610547&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml (original)
+++ qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml Mon Jul 14 22:08:05 2014
@@ -398,669 +398,727 @@ com.sun.security.jgss.initiate {
 		 <!--          ########          --> <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntax">
 			<title>ACL Syntax</title>
 			 <para>
-				ACL rules must be on a single line and follow this syntax:
+				ACL rules follow this syntax:
 <programlisting><![CDATA[
-    user = username[/domain[@realm]]
-    user-list = user1 user2 user3 ...
-    group-name-list = group1 group2 group3 ...
-
-    group <group-name> = [user-list] [group-name-list]
-
-    permission = [allow | allow-log | deny | deny-log]
-    action = [consume | publish | create | access |
-              bind | unbind | delete | purge | update |
-              move | redirect | reroute]
-    object = [queue | exchange | broker | link | method | query]
-    property = [name | durable | owner | routingkey |
-                autodelete | exclusive |type |
-		alternate | queuename | exchangename |
-		schemapackage | schemaclass |
-		queuemaxsizelowerlimit  |
-		queuemaxsizeupperlimit  |
-                queuemaxcountlowerlimit |
-		queuemaxcountupperlimit |
-                filemaxsizelowerlimit   |
-		filemaxsizeupperlimit   |
-                filemaxcountlowerlimit  |
-		filemaxcountupperlimit  |
-                pageslowerlimit         |
-                pagesupperlimit         |
-                pagefactorlowerlimit    |
-                pagefactorupperlimit ]
-
-    acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"
-                [property=<property-value> ...]]
-
-    quota-spec = [connections | queues]
-    quota quota-spec N {<group-name>|<user-name>|"all"}
-                [{<group-name>|<user-name>|"all"}]
-]]></programlisting>
+aclline = ( comment | aclspec | groupspec | quotaspec )
 
-				 ACL rules can also include a single object name (or the keyword <parameter>all</parameter>) and one or more property name value pairs in the form <command>property=value</command>
-			</para>
-			 <para>
-				The following tables show the possible values for <command>permission</command>, <command>action</command>, <command>object</command>, and <command>property</command> in an ACL rules file.
-			</para>
-			 <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rules_permission">
-				<title>ACL Rules: permission</title>
-				 <tgroup cols="2">
-					<tbody>
-						<row>
-							<entry>
-								<command>allow</command>
-							</entry>
-							 <entry>
-								<para>
-									Allow the action <!--          ### rule => the action          -->
-								</para>
+comment = "#" [ STRING ]
 
-							</entry>
+aclspec = "acl" permission ( groupname | name | "all" ) 
+          ( action | "all" ) [ ( object | "all ) [ ( property "=" STRING )* ] ]
 
-						</row>
-						 <row>
-							<entry>
-								<command>allow-log</command>
-							</entry>
-							 <entry>
-								<para>
-									Allow the action and log the action in the event log
-								</para>
+groupspec = "group" groupname ( name )* [ "\" ]
 
-							</entry>
+groupcontinuation = ( name )* [ "\" ]
 
-						</row>
-						 <row>
-							<entry>
-								<command>deny</command>
-							</entry>
-							 <entry>
-								<para>
-									Deny the action
-								</para>
+quotaspec = "quota" ( "connections" | "queues" ) NUMBER ( groupname | name | "all" )*
 
-							</entry>
+name = ( ALPHANUMERIC | "-" | "_" | "." | "@" | "/" ) [ ( ALPHANUMERIC | "-" | "_" | "." | "@" | "/" )* ]
 
-						</row>
-						 <row>
-							<entry>
-								<command>deny-log</command>
-							</entry>
-							 <entry>
-								<para>
-									Deny the action and log the action in the event log
-								</para>
+groupname = ( ALPHANUMERIC | "-" | "_" ) [ ( ALPHANUMERIC | "-" | "_" )* ]
 
-							</entry>
+permission = "allow" | "allow-log" | "deny" | "deny-log"
 
-						</row>
+action = "consume" | "publish" | "create" | "access" |
+         "bind"    | "unbind"  | "delete" | "purge"  |
+         "update"
 
-					</tbody>
+object = "queue"  | "exchange" | "broker"     | "link" |
+         "method" | "query"    | "connection"
 
-				</tgroup>
+property =  "name" | "durable" | "routingkey" | "autodelete" |
+            "exclusive" | "type" | "alternate" | "queuename"  |
+            "exchangename" | "schemapackage" | "schemaclass" |
+            "policytype" | "paging" |
+            "queuemaxsizelowerlimit"  | "queuemaxsizeupperlimit" |
+            "queuemaxcountlowerlimit" | "queuemaxcountupperlimit" |
+            "filemaxsizelowerlimit"   | "filemaxsizeupperlimit" |
+            "filemaxcountlowerlimit"  | "filemaxcountupperlimit" |
+            "pageslowerlimit"         | "pagesupperlimit" |
+            "pagefactorlowerlimit"    | "pagefactorupperlimit"
+]]></programlisting>
 
-			</table>
+				 ACL rules can also include a single object name (or the keyword <parameter>all</parameter>) and one or more property name value pairs in the form <command>property=value</command>
+			</para>
+			 <para>
+				The following tables show the possible values for <command>permission</command>, <command>action</command>, <command>object</command>, and <command>property</command> in an ACL rules file.
+			 </para>
+			 <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rules_permission">
+			   <title>ACL Rules: permission</title>
+			   <tgroup cols="2">
+			     <tbody>
+			       <row>
+				 <entry>
+				   <command>allow</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     Allow the action <!--          ### rule => the action          -->
+				   </para>
+				 </entry>
+				 </row>
+				 <row>
+				   <entry>
+				     <command>allow-log</command>
+				   </entry>
+				   <entry>
+				     <para>
+				       Allow the action and log the action in the event log
+				     </para>
+				   </entry>
+				 </row>
+				 <row>
+				   <entry>
+				     <command>deny</command>
+				   </entry>
+				   <entry>
+				     <para>
+				       Deny the action
+				     </para>
+				   </entry>
+				 </row>
+				 <row>
+				   <entry>
+				     <command>deny-log</command>
+				   </entry>
+				   <entry>
+				     <para>
+				       Deny the action and log the action in the event log
+				     </para>
+				   </entry>
+				 </row>
+			     </tbody>
+			   </tgroup>
+			 </table>
 			 <!--          Actions          --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesaction">
-				<title>ACL Rules:action</title>
-				 <tgroup cols="2">
-					<tbody>
-						<row>
-							<entry>
-								<command>consume</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied when subscriptions are created
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>publish</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied on a per message basis
-									to verify that the user has rights to publish to the given
-									exchange with the given routingkey.
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>create</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied when an object is created, such as bindings, queues, exchanges, links
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>access</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied when an object is read or accessed
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>bind</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied when objects are bound together
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>unbind</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied when objects are unbound
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>delete</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied when objects are deleted
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>purge</command>
-							</entry>
-							 <entry>
-								<para>
-									Similar to delete but the action is performed on more than one object
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>update</command>
-							</entry>
-							 <entry>
-								<para>
-									Applied when an object is updated
-								</para>
-
-							</entry>
-                                                </row>
-                                                 <row>
-                                                        <entry>
-                                                                <command>move</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        When moving messages between queues
-                                                                </para>
-
-                                                        </entry>
-                                                </row>
-                                                 <row>
-                                                        <entry>
-                                                                <command>redirect</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        When redirecting messages between queues
-                                                                </para>
-
-                                                        </entry>
-                                                </row>
-                                                 <row>
-                                                        <entry>
-                                                                <command>reroute</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        When rerouting messages from a queue to an exchange
-                                                                </para>
-
-                                                        </entry>
-
-						</row>
-
-					</tbody>
-
-				</tgroup>
-
-			</table>
+			   <title>ACL Rules: action</title>
+			   <tgroup cols="2">
+			     <tbody>
+			       <row>
+				 <entry>
+				   <command>consume</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is attempting to read the object
+				   </para>
+				   
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>publish</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is attempting to write a message to the exchange.
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>create</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is creating the object
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>access</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is accessing (reading) the object
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>bind</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is associating a queue to an exchange with a routing key.
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>unbind</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     Useris disassociating a queue from an exchange with a routing key.
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>delete</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is deleting the object.
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>purge</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is purging a queue.
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>update</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     User is changing a broker configuration setting.
+				   </para>
+				 </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>move</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     When moving messages between queues
+                                   </para>
+                                 </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>redirect</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     When redirecting messages between queues
+                                   </para>
+                                 </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>reroute</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     When rerouting messages from a queue to an exchange
+                                   </para>
+                                 </entry>
+			       </row>
+			     </tbody>
+			   </tgroup>
+			 </table>
 			 <!--          object types          --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesobject">
-				<title>ACL Rules:object</title>
-				 <tgroup cols="2">
-					<tbody>
-						<row>
-							<entry>
-								<command>queue</command>
-							</entry>
-							 <entry>
-								<para>
-									A queue
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>exchange</command>
-							</entry>
-							 <entry>
-								<para>
-									An exchange
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>broker</command>
-							</entry>
-							 <entry>
-								<para>
-									The broker
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>link</command>
-							</entry>
-							 <entry>
-								<para>
-									A federation or inter-broker link
-								</para>
-
-							</entry>
-
-						</row>
-						 <row>
-							<entry>
-								<command>method</command>
-							</entry>
-							 <entry>
-								<para>
-									Management or agent or broker method
-								</para>
-
-							</entry>
-
-						</row>
-                                                 <row>
-                                                        <entry>
-                                                                <command>query</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        Management query (of an object or whole class)
-                                                                </para>
-
-                                                        </entry>
-
-                                                </row>
-
-					</tbody>
-
-				</tgroup>
-
-			</table>
+			   <title>ACL Rules:object</title>
+			   <tgroup cols="2">
+			     <tbody>
+			       <row>
+				 <entry>
+				   <command>queue</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     A queue
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>exchange</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     An exchange
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>broker</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     The broker
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>link</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     A federation or inter-broker link
+				   </para>
+				 </entry>
+			       </row>
+			       <row>
+				 <entry>
+				   <command>method</command>
+				 </entry>
+				 <entry>
+				   <para>
+				     Management or agent or broker method
+				   </para>
+				 </entry>
+			       </row>
+                               <row>
+                                 <entry>
+                                   <command>query</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     Management query (of an object or whole class)
+                                   </para>
+                                 </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>connection</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     An incoming TCP/IP connection
+                                   </para>
+                                 </entry>
+                               </row>
+			     </tbody>
+			   </tgroup>
+			 </table>
 			 <!--
         <para>
-          Wild cards can be used on properties that are a string. The following properties are supported:          --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesproperty">
-				<title>ACL Rules:property</title>
-				 <tgroup cols="4">
-				   <thead>
-				     <row>
-				       <entry>Property</entry>
-				       <entry>Type</entry>
-				       <entry>Description</entry>
-				       <entry>Usage</entry>
-				     </row>
-				   </thead>
-				   <tbody>
-				     <row>
-				       <entry> <command>name</command> </entry>
-				       <entry>String</entry>
-				       <entry>Object name, such as a queue name or exchange name.</entry>
-				       <entry></entry>
-				     </row>
-				     <row>
-				       <entry> <command>durable</command> </entry>
-				       <entry>Boolean</entry>
-				       <entry>Indicates the object is durable</entry>
-				       <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>routingkey</command> </entry>
-				       <entry>String</entry>
-				       <entry>Specifies routing key</entry>
-				       <entry>BIND EXCHANGE, UNBIND EXCHANGE, ACCESS EXCHANGE, PUBLISH EXCHANGE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>autodelete</command> </entry>
-				       <entry>Boolean</entry>
-				       <entry>Indicates whether or not the object gets deleted when the connection is closed</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>exclusive</command> </entry>
-				       <entry>Boolean</entry>
-				       <entry>Indicates the presence of an <parameter>exclusive</parameter> flag</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-                                     <row>
-                                       <entry> <command>paging</command> </entry>
-                                       <entry>Boolean</entry>
-                                       <entry>Indicates if the queue is paging queue</entry>
-                                       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                     </row>
-				     <row>
-				       <entry> <command>type</command> </entry>
-				       <entry>String</entry>
-				       <entry>Type of exchange, such as topic, fanout, or xml</entry>
-				       <entry>CREATE EXCHANGE, ACCESS EXCHANGE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>alternate</command> </entry>
-				       <entry>String</entry>
-				       <entry>Name of the alternate exchange</entry>
-				       <entry>CREATE EXCHANGE, CREATE QUEUE, ACCESS EXCHANGE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>queuename</command> </entry>
-				       <entry>String</entry>
-				       <entry>Name of the queue</entry>
-				       <entry>ACCESS EXCHANGE, BIND EXCHANGE, UNBIND EXCHANGE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>schemapackage</command> </entry>
-				       <entry>String</entry>
-				       <entry>QMF schema package name</entry>
-				       <entry>ACCESS METHOD</entry>
-				     </row>
-				     <row>
-				       <entry> <command>schemaclass</command> </entry>
-				       <entry>String</entry>
-				       <entry>QMF schema class name</entry>
-				       <entry>ACCESS METHOD</entry>
-				     </row>
-				     <row>
-				       <entry> <command>queuemaxsizelowerlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Minimum value for queue.max_size (memory bytes)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>queuemaxsizeupperlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Maximum value for queue.max_size (memory bytes)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>queuemaxcountlowerlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Minimum value for queue.max_count (messages)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>queuemaxcountupperlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Maximum value for queue.max_count (messages)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>filemaxsizelowerlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Minimum value for file.max_size (64kb pages)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>filemaxsizeupperlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Maximum value for file.max_size (64kb pages)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>filemaxcountlowerlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Minimum value for file.max_count (files)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-				     <row>
-				       <entry> <command>filemaxcountupperlimit</command> </entry>
-				       <entry>Integer</entry>
-				       <entry>Maximum value for file.max_count (files)</entry>
-				       <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-				     </row>
-                                     <row>
-                                       <entry> <command>pageslowerlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Minimum value for number of pages in memory of paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-                                     <row>
-                                       <entry> <command>pagesupperlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Maximum value for number of pages in memory of paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-                                     <row>
-                                       <entry> <command>pagefactorlowerlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Minimum value for size of one page in paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-                                     <row>
-                                       <entry> <command>pagefactorupperlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Maximum value for size of one page in paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-				   </tbody>
-				</tgroup>
-			</table>
-
-			<section id="sect-Messaging_User_Guide-Authorization-ACL_ActionObjectPropertyTuples">
-			  <title>ACL Action-Object-Property Tuples</title>
-			  <para>
-			    Not every ACL action is applicable to every ACL object. Furthermore, not every property may be
-			    specified for every action-object pair.
-			    The following table enumerates which action and object pairs are allowed.
-			    The table also lists which optional ACL properties are allowed to qualify
-			    action-object pairs.
-			  </para>
-			  <para>
-			    The <emphasis>access</emphasis> action is called with different argument
-			    lists for the <emphasis>exchange</emphasis> and <emphasis>queue</emphasis> objects.
-			    A separate column shows the AMQP 0.10 method that the Access ACL rule is satisfying.
-			    Write separate rules with the additional arguments for the <emphasis>declare</emphasis>
-			    and <emphasis>bind</emphasis> methods and include these rules in the ACL file
-			    before the rules for the <emphasis>query</emphasis> method.
-			    <!-- The exact sequence of calling these methods is a product of the client
-			    library. The user might not know anything about a 'declare' or a 'query' or
-			    a passive declaration. -->
-			  </para>
-			  <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">
-			    <title>ACL Properties Allowed for each Action and Object</title>
-			    <tgroup cols="4">
-			      <thead>
-				<row>
-				  <entry>Action</entry>
-				  <entry>Object</entry>
-				  <entry>Properties</entry>
-				  <entry>Method</entry>
-				</row>
-			      </thead>
-			      <tbody>
-				<row>
-				  <entry>access</entry>
-				  <entry>broker</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>access</entry>
-				  <entry>exchange</entry>
-				  <entry>name type alternate durable</entry>
-				  <entry>declare</entry>
-				</row>
-				<row>
-				  <entry>access</entry>
-				  <entry>exchange</entry>
-				  <entry>name queuename routingkey</entry>
-				  <entry>bound</entry>
-				</row>
-				<row>
-				  <entry>access</entry>
-				  <entry>exchange</entry>
-				  <entry>name</entry>
-				  <entry>query</entry>
-				</row>
-				<row>
-				  <entry>access</entry>
-				  <entry>method</entry>
-				  <entry>name schemapackage schemaclass</entry>
-				  <entry></entry>
-				</row>
-                                <row>
-                                  <entry>access</entry>
-                                  <entry>query</entry>
-                                  <entry>name schemaclass</entry>
-                                  <entry></entry>
-                                </row>
-				<row>
-				  <entry>access</entry>
-				  <entry>queue</entry>
-				  <entry>name alternate durable exclusive autodelete policy queuemaxsizelowerlimit queuemaxsizeupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit</entry>
-				  <entry>declare</entry>
-				</row>
-				<row>
-				  <entry>access</entry>
-				  <entry>queue</entry>
-				  <entry>name</entry>
-				  <entry>query</entry>
-				</row>
-				<row>
-				  <entry>bind</entry>
-				  <entry>exchange</entry>
-				  <entry>name queuename routingkey</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>consume</entry>
-				  <entry>queue</entry>
-				  <entry>name</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>create</entry>
-				  <entry>exchange</entry>
-				  <entry>name type alternate durable</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>create</entry>
-				  <entry>link</entry>
-				  <entry>name</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>create</entry>
-				  <entry>queue</entry>
-				  <entry>name alternate durable exclusive autodelete policy queuemaxsizelowerlimit queuemaxsizeupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit paging pageslowerlimit pagesupperlimit pagefactorlowerlimit pagefactorupperlimit</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>delete</entry>
-				  <entry>exchange</entry>
-				  <entry>name</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>delete</entry>
-				  <entry>queue</entry>
-				  <entry>name</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>publish</entry>
-				  <entry>exchange</entry>
-				  <entry>name routingkey</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>purge</entry>
-				  <entry>queue</entry>
-				  <entry>name</entry>
-				  <entry></entry>
-				</row>
-                                <row>
-                                  <entry>move</entry>
-                                  <entry>queue</entry>
-                                  <entry>name</entry>
-                                  <entry>queuename</entry>
-                                </row>
-                                <row>
-                                  <entry>redirect</entry>
-                                  <entry>queue</entry>
-                                  <entry>name</entry>
-                                  <entry>queuename</entry>
-                                </row>
-                                <row>
-                                  <entry>reroute</entry>
-                                  <entry>queue</entry>
-                                  <entry>name</entry>
-                                  <entry>exchangename</entry>
-                                </row>
-				<row>
-				  <entry>unbind</entry>
-				  <entry>exchange</entry>
-				  <entry>name queuename routingkey</entry>
-				  <entry></entry>
-				</row>
-				<row>
-				  <entry>update</entry>
-				  <entry>broker</entry>
-				  <entry></entry>
-				  <entry></entry>
-				</row>
-			      </tbody>
-			    </tgroup>
-			  </table>
-			  <para>
-
-			  </para>
-			</section>
-		</section>
+          Wild cards can be used on properties that are a string. The following rule properties are supported:          --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesproperty">
+			   <title>ACL Rules: property</title>
+			   <tgroup cols="4">
+			     <thead>
+			       <row>
+				 <entry>Property</entry>
+				 <entry>Type</entry>
+				 <entry>Description</entry>
+				 <entry>Usage</entry>
+			       </row>
+			     </thead>
+			     <tbody>
+			       <row>
+				 <entry> <command>name</command> </entry>
+				 <entry>String</entry>
+				 <entry>Rule refers to objects with this name</entry>
+				 <entry></entry>
+			       </row>
+			       <row>
+				 <entry> <command>durable</command> </entry>
+				 <entry>Boolean</entry>
+				 <entry>Rule applies to durable objects</entry>
+				 <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>routingkey</command> </entry>
+				 <entry>String</entry>
+				 <entry>Specifies routing key</entry>
+				 <entry>BIND EXCHANGE, UNBIND EXCHANGE, ACCESS EXCHANGE, PUBLISH EXCHANGE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>autodelete</command> </entry>
+				 <entry>Boolean</entry>
+				 <entry>Indicates whether or not the object gets deleted when the connection is closed</entry>
+				 <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>exclusive</command> </entry>
+				 <entry>Boolean</entry>
+				 <entry>Indicates the presence of an <parameter>exclusive</parameter> flag</entry>
+				 <entry>CREATE QUEUE, ACCESS QUEUE, DELETE QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>type</command> </entry>
+				 <entry>String</entry>
+				 <entry>Type of exchange, such as topic, fanout, or xml</entry>
+				 <entry>CREATE EXCHANGE, ACCESS EXCHANGE, DELETE EXCHANGE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>alternate</command> </entry>
+				 <entry>String</entry>
+				 <entry>Name of the alternate exchange</entry>
+				 <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>queuename</command> </entry>
+				 <entry>String</entry>
+				 <entry>Name of the queue</entry>
+				 <entry>ACCESS EXCHANGE, BIND EXCHANGE, MOVE QUEUE, UNBIND EXCHANGE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>exchangename</command> </entry>
+				 <entry>String</entry>
+				 <entry>Name of the exchange</entry>
+				 <entry>REROUTE QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>schemapackage</command> </entry>
+				 <entry>String</entry>
+				 <entry>QMF schema package name</entry>
+				 <entry>ACCESS METHOD</entry>
+			       </row>
+			       <row>
+				 <entry> <command>schemaclass</command> </entry>
+				 <entry>String</entry>
+				 <entry>QMF schema class name</entry>
+				 <entry>ACCESS METHOD, ACCESS QUERY</entry>
+			       </row>
+			       <row>
+				 <entry> <command>policytype</command> </entry>
+				 <entry>String</entry>
+				 <entry>"ring", "self-destruct", "reject"</entry>
+				 <entry>CREATE QUEUE, ACCESS QUEUE, DELETE QUEUE</entry>
+			       </row>
+                               <row>
+                                 <entry> <command>paging</command> </entry>
+                                 <entry>Boolean</entry>
+                                 <entry>Indicates if the queue is paging queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> <command>host</command> </entry>
+                                 <entry>String</entry>
+                                 <entry>Target TCP/IP host or host range for create connection rules</entry>
+                                 <entry>CREATE CONNECTION</entry>
+                               </row>
+			       <row>
+				 <entry> <command>queuemaxsizelowerlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Minimum value for queue.max_size (memory bytes)</entry>
+				 <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>queuemaxsizeupperlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Maximum value for queue.max_size (memory bytes)</entry>
+				 <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>queuemaxcountlowerlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Minimum value for queue.max_count (messages)</entry>
+				 <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>queuemaxcountupperlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Maximum value for queue.max_count (messages)</entry>
+				 <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>filemaxsizelowerlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Minimum value for file.max_size (64kb pages)</entry>
+				 <entry>CREATE QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>filemaxsizeupperlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Maximum value for file.max_size (64kb pages)</entry>
+				 <entry>CREATE QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>filemaxcountlowerlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Minimum value for file.max_count (files)</entry>
+				 <entry>CREATE QUEUE</entry>
+			       </row>
+			       <row>
+				 <entry> <command>filemaxcountupperlimit</command> </entry>
+				 <entry>Integer</entry>
+				 <entry>Maximum value for file.max_count (files)</entry>
+				 <entry>CREATE QUEUE</entry>
+			       </row>
+                               <row>
+                                 <entry> <command>pageslowerlimit</command> </entry>
+                                 <entry>Integer</entry>
+                                 <entry>Minimum value for number of pages in memory of paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> <command>pagesupperlimit</command> </entry>
+                                 <entry>Integer</entry>
+                                 <entry>Maximum value for number of pages in memory of paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> <command>pagefactorlowerlimit</command> </entry>
+                                 <entry>Integer</entry>
+                                 <entry>Minimum value for size of one page in paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> <command>pagefactorupperlimit</command> </entry>
+                                 <entry>Integer</entry>
+                                 <entry>Maximum value for size of one page in paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+			     </tbody>
+			   </tgroup>
+			 </table>
+
+			 <section id="sect-Messaging_User_Guide-Authorization-ACL_ActionObjectPropertyTuples">
+			   <title>ACL Action-Object-Property Tuples</title>
+			   <para>
+			     Not every ACL action is applicable to every ACL object. Furthermore, not every property may be
+			     specified for every action-object pair.
+			     The following table enumerates which action and object pairs are allowed.
+			     The table also lists which optional ACL properties are allowed to qualify
+			     action-object pairs.
+			   </para>
+			   <para>
+			     The <emphasis>access</emphasis> action is called with different argument
+			     lists for the <emphasis>exchange</emphasis> and <emphasis>queue</emphasis> objects.
+			     A separate column shows the AMQP 0.10 method that the Access ACL rule is satisfying.
+			     Write separate rules with the additional arguments for the <emphasis>declare</emphasis>
+			     and <emphasis>bind</emphasis> methods and include these rules in the ACL file
+			     before the rules for the <emphasis>query</emphasis> method.
+			     <!-- The exact sequence of calling these methods is a product of the client
+				  library. The user might not know anything about a 'declare' or a 'query' or
+				  a passive declaration. -->
+			   </para>
+			   <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">
+			     <title>ACL Properties Allowed for each Action and Object</title>
+			     <tgroup cols="4">
+			       <thead>
+				 <row>
+				   <entry>Action</entry>
+				   <entry>Object</entry>
+				   <entry>Properties</entry>
+				   <entry>Method</entry>
+				 </row>
+			       </thead>
+			       <tbody>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>broker</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: getTimestampConfig</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry></entry>
+                                   <entry>ExchangeHandlerImpl:: query</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type alternate durable autodelete </entry>
+                                   <entry>ExchangeHandlerImpl:: declare</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>ExchangeHandlerImpl:: bound</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type durable </entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>method</entry>
+                                   <entry>schemapackage schemaclass </entry>
+                                   <entry>ManagementAgent:: handleMethodRequest</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>method</entry>
+                                   <entry>schemapackage schemaclass </entry>
+                                   <entry>ManagementAgent:: authorizeAgentMessage</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>query</entry>
+                                   <entry>schemaclass </entry>
+                                   <entry>ManagementAgent:: handleGetQuery</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>QueueHandlerImpl:: query</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: queryQueue</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
+                                   <entry>QueueHandlerImpl:: declare</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>bind</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>Broker:: bind</entry>
+                                 </row>
+                                 <row>
+                                   <entry>bind</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>Authorise:: outgoing</entry>
+                                 </row>
+                                 <row>
+                                   <entry>consume</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>MessageHandlerImpl:: subscribe</entry>
+                                 </row>
+                                 <row>
+                                   <entry>consume</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: outgoing</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>connection</entry>
+                                   <entry>host</entry>
+                                   <entry>Connection creation</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type alternate durable autodelete </entry>
+                                   <entry>Broker:: createExchange</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>link</entry>
+                                   <entry></entry>
+                                   <entry>ConnectionHandler:: Handler:: open</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>link</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: interlink</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive autodelete policytype paging pageslowerlimit pagesupperlimit pagefactorlowerlimit pagefactorupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit </entry>
+                                   <entry>Broker:: createQueue</entry>
+                                 </row>
+                                 <row>
+                                   <entry>delete</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type alternate durable </entry>
+                                   <entry>Broker:: deleteExchange</entry>
+                                 </row>
+                                 <row>
+                                   <entry>delete</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive autodelete policytype </entry>
+                                   <entry>Broker:: deleteQueue</entry>
+                                 </row>
+                                 <row>
+                                   <entry>move</entry>
+                                   <entry>queue</entry>
+                                   <entry>queuename</entry>
+                                   <entry>Broker:: queueMoveMessages</entry>
+                                 </row>
+                                 <row>
+                                   <entry>publish</entry>
+                                   <entry>exchange</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: incoming</entry>
+                                 </row>
+                                 <row>
+                                   <entry>publish</entry>
+                                   <entry>exchange</entry>
+                                   <entry>routingkey </entry>
+                                   <entry>SemanticState:: route</entry>
+                                 </row>
+                                 <row>
+                                   <entry>publish</entry>
+                                   <entry>exchange</entry>
+                                   <entry>routingkey </entry>
+                                   <entry>Authorise:: route</entry>
+                                 </row>
+                                 <row>
+                                   <entry>purge</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>QueueHandlerImpl:: purge</entry>
+                                 </row>
+                                 <row>
+                                   <entry>purge</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Queue:: ManagementMethod</entry>
+                                 </row>
+                                 <row>
+                                   <entry>redirect</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: queueRedirect</entry>
+                                 </row>
+                                 <row>
+                                   <entry>reroute</entry>
+                                   <entry>queue</entry>
+                                   <entry>exchangename </entry>
+                                   <entry>Queue:: ManagementMethod</entry>
+                                 </row>
+                                 <row>
+                                   <entry>unbind</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>Broker:: unbind</entry>
+                                 </row>
+                                 <row>
+                                   <entry>update</entry>
+                                   <entry>broker</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: setTimestampConfig</entry>
+                                 </row>
+			       </tbody>
+			     </tgroup>
+			   </table>
+			   <para>
+			     
+			   </para>
+			 </section>
+		       </section>
 
 		 <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions">
 			<title>ACL Syntactic Conventions</title>
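Review bot: on the first `+` line of the new property table, the sentence "Wild cards can be used on properties that are a string. The following rule properties are supported:" is followed by `-->` on the same line, so it sits inside an XML comment and will not appear in the rendered guide; if it is meant to introduce `tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesproperty`, move it into a `<para>` placed before the `<table>`, since the wildcard statement is exactly what a reader needs in order to judge how wide an allow rule on a string property such as `name` or `routingkey` can match. In the tuples section, the paragraph says the fourth column shows "the AMQP 0.10 method that the Access ACL rule is satisfying", but the column actually lists broker-internal call sites (`Authorise:: access`, `ManagementAgent:: handleMethodRequest`, `Broker:: createQueue`), so the sentence and the column heading should say broker lookup site rather than AMQP method, and the text should state plainly that one action/object pair appears in several rows because the broker performs several distinct lookups, each presenting a different property set. The `<para>` after the tuples table contains only whitespace and should be removed.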
@@ -1497,6 +1555,27 @@ com.sun.security.jgss.initiate {
     #
 ]]></programlisting>
 			 </para>
+			 <para>
+			   Referring to <link linkend="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">ACL Properties Allowed for each Action and Object table</link> observe that some Action/Object pairs have different sets of allowed properties. For example different broker ACL lookups for <emphasis>access exchange</emphasis> have different property subsets.
+			 </para>
+
+<programlisting>
+    access exchange
+    access exchange type alternate durable autodelete
+    access exchange queuename routingkey
+    access exchange type durable
+</programlisting>
+
+                         <para>
+			   If an ACL rule specifies the <emphasis>autodelete</emphasis> property then it can possibly match only the second case above. It can never match cases 1, 3, and 4 because the broker calls to ACL will not present the autodelete property for matching. To get proper matching the ACL rule must have only the properties of the intended lookup case.
+			 </para>
+
+<programlisting>
+    acl allow bob access exchange alternate=other    ! may match pattern 2 only
+    acl allow bob access exchange queuename=other    ! may match pattern 3 only
+    acl allow bob access exchange durable=true       ! may match patterns 2 and 4 only
+    acl deny  bob access exchange                    ! may match all patterns
+</programlisting>
 
 		 </section>
 
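Review bot: the second new paragraph refers to "cases 1, 3, and 4", but the `<programlisting>` above it carries no numbering, so either number the four `access exchange` patterns in the listing or refer to them by their property sets to make the cross-reference unambiguous. The rule listing also depends on ordering without saying so: `acl deny  bob access exchange` has no properties and therefore matches every lookup pattern, and since this document already tells readers that position in the file matters (the tuples section asks for the declare and bind rules to precede the query rules), a sentence stating that the property-less rule must come after the narrower allow rules, or those allows are never reached, would make the security consequence explicit. Minor: the `<para>` opening the second paragraph is indented with spaces where the surrounding file uses tabs, and the link text reads better as "the table ACL Properties Allowed for each Action and Object".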
@@ -1574,7 +1653,7 @@ com.sun.security.jgss.initiate {
 		The ACL module enforces various quotas and thereby limits user activity.
 
 		<section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Limits">
-		  <title>Connection Limits</title>
+		  <title>Connection Count Limits</title>
 		  <para>
 		    The ACL module creates broker command line switches that set limits on the number of concurrent connections allowed per user or per client host address. These settings are not specified in the ACL file.
 		  </para>
@@ -1641,6 +1720,51 @@ com.sun.security.jgss.initiate {
 		  </para>
 		</section>
 
+		<section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Host_Limits">
+		  <title>Connection Limits by Host Name</title>
+		  <para>
+		    The 0.30 C++ Broker ACL module adds the ability to create allow and deny lists of the TCP/IP hosts from which users may connect. The rule accepts two forms:
+		  </para>
+		  <para>
+		    <programlisting>
+    acl allow user create connection host=host1
+    acl allow user create connection host=host1,host2
+		    </programlisting>
+		  </para>
+		  <para>
+		    Using the form <command>host=host1</command> specifies a single host. With a single host the name may resolve to multiple TCP/IP addresses. For example <emphasis>localhost</emphasis> resolves to both <emphasis>127.0.0.1</emphasis> and <emphasis>::1</emphasis> and possibly many other addresses. A connection from any of the addresses associated with this host match the rule and the connection is allowed or denied accordingly.
+		  </para>
+		  <para>
+		    Using the form <command>host=host1,host2</command> specifies a range of TCP/IP addresses. With a host range each host must resolve to a single TCP/IP address and the second address must be numerically larger than the first. A connection from any host where host &#62;= host1 and host &#60;= host2 match the rule and the connection is allowed or denied accordingly.
+		  </para>
+		  <para>
+		    Connection denial is only applied to incoming TCP/IP connections. Other socket types are not subjected to nor denied by range checks.
+		  </para>
+		  <para>
+		    The following example illustrates how this feature can be used.
+		  </para>
+		  <para>
+		    <programlisting>
+    group admins alice bob chuck
+    group Company1 c1_usera c1_userb
+    group Company2 c2_userx c2_usery c2_userz
+    acl allow admins   create connection host=localhost
+    acl allow admins   create connection host=10.0.0.0,10.255.255.255
+    acl allow admins   create connection host=192.168.0.0,192.168.255.255
+    acl allow Company1 create connection host=company1.com
+    acl allow Company2 create connection host=company2.com
+    acl deny  all      create connection host=company1.com
+    acl deny  all      create connection host=company2.com
+    acl deny  all      create connection host=10.0.0.0,10.255.255.255
+    acl deny  all      create connection host=192.168.0.0,192.168.255.255
+    acl deny  all      create connection host=localhost
+		    </programlisting>
+		  </para>
+		  <para>
+		    In this example admins may connect from localhost or from any system on the 10.0.0.0/24 and 192.168.0.0/16 subnets. Company1 users may connect only from company1.com while admins and Company2 users are blocked. Similarly Company2 users may connect only from company2.com while admins and Company1 users are blocked.
+		  </para>
+		</section>
+
 		<section id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Queue_Limits">
 		  <title>Queue Limits</title>
 		  <para>
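Review bot: the closing paragraph describes `host=10.0.0.0,10.255.255.255` as "the 10.0.0.0/24 ... subnet", but that address range is the whole 10.0.0.0/8 block; change the text to 10.0.0.0/8 (192.168.0.0/16 is correct for `host=192.168.0.0,192.168.255.255`). The section also leaves unstated when a name such as `company1.com` is resolved (once when the ACL file is loaded, or on each connection attempt) and whether the comparison is made against the connecting peer's TCP/IP address or against a reverse lookup of it; both determine whether a DNS change takes effect without reloading the ACL and how much trust the rule places in DNS, so add a sentence on each. Grammar: "A connection from any of the addresses associated with this host match the rule" and "A connection from any host where host &#62;= host1 and host &#60;= host2 match the rule" should read "matches the rule".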


