Posted to commits@qpid.apache.org by ro...@apache.org on 2012/09/02 16:34:48 UTC

svn commit: r1379980 - in /qpid/trunk/qpid/doc/book/src/java-broker: AMQP-Messaging-Broker-Java-Book.xml Configure-ACLs.xml Configure-AuthenticationProviders.xml Configure-Group-Providers.xml

Author: robbie
Date: Sun Sep  2 14:34:48 2012
New Revision: 1379980

URL: http://svn.apache.org/viewvc?rev=1379980&view=rev
Log:
QPID-4236,QPID-4237: add some documentation for the FileGroupManager and update the ACL documentation to link that instead, removing the previous group info.

Added:
    qpid/trunk/qpid/doc/book/src/java-broker/Configure-Group-Providers.xml
Modified:
    qpid/trunk/qpid/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml
    qpid/trunk/qpid/doc/book/src/java-broker/Configure-ACLs.xml
    qpid/trunk/qpid/doc/book/src/java-broker/Configure-AuthenticationProviders.xml

Modified: qpid/trunk/qpid/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml?rev=1379980&r1=1379979&r2=1379980&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml (original)
+++ qpid/trunk/qpid/doc/book/src/java-broker/AMQP-Messaging-Broker-Java-Book.xml Sun Sep  2 14:34:48 2012
@@ -52,6 +52,7 @@
 
         <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Add-New-Users.xml"/>
         <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-ACLs.xml"/>
+        <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-Group-Providers.xml"/>
         <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-Java-Qpid-to-use-a-SSL-connection.xml"/>
         <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-Log4j-CompositeRolling-Appender.xml"/>
         <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Configure-the-Broker-via-config.xml.xml"/>

Modified: qpid/trunk/qpid/doc/book/src/java-broker/Configure-ACLs.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/Configure-ACLs.xml?rev=1379980&r1=1379979&r2=1379980&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/Configure-ACLs.xml (original)
+++ qpid/trunk/qpid/doc/book/src/java-broker/Configure-ACLs.xml Sun Sep  2 14:34:48 2012
@@ -79,11 +79,10 @@
     </title>
 
     <para>
-      The ACL file consists of a series of rules and group definitions.  Each rule grants or denies specific rights to a user or group. Group
-      definitions declare groups of users and serve to make the ACL file more concise.
+      The ACL file consists of a series of rules associating behaviour for a user or group. Use of groups can serve to make the ACL file more concise. See <link linkend="Configuring-Group-Providers">Configuring Group Providers</link> for more information on defining groups.
     </para>
     <para>
-      Each ACL rule grants (or denies) a particular action on a object to a user.  The rule may be augmented with one or more properties, restricting
+      Each ACL rule grants (or denies) a particular action on a object to a user/group.  The rule may be augmented with one or more properties, restricting
       the rule's applicability.
     </para>
     <programlisting>
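Review bot: The rewritten opening sentence ("a series of rules associating behaviour for a user or group") drops the statement that each rule grants or denies a right, which the removed text made explicit and which the next paragraph depends on. Suggest keeping "Each rule grants or denies specific rights to a user or group" and appending the new sentence about groups and the link. Since the second added line is being touched anyway, "a object" should become "an object".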
@@ -136,13 +135,6 @@
     </programlisting>
 
     <para>
-       GROUP definitions must follow this syntax:
-    </para>
-    <programlisting>
-     GROUP {group name} {username 1}..{username n} # Where username is a username, or a groupname.
-    </programlisting>
-
-    <para>
        Comments may be introduced with the hash (#) character and are ignored.  Long lines can be broken with the slash (\) character.
     </para>
     <programlisting>
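Review bot: Removing the GROUP syntax paragraph leaves this section silent on what happens to an existing ACL file that still contains GROUP lines. Because group membership decides which ALLOW and DENY rules apply to a user, the text should say whether such lines are now rejected, ignored or still honoured, and point to Configuring Group Providers as the replacement. In the retained context line, "the slash (\) character" describes a backslash and could be corrected in the same pass.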
@@ -150,8 +142,6 @@
       ACL ALLOW admin CREATE ALL # Also a comment
       ACL DENY guest \
       ALL ALL   # A broken line
-      GROUP securegroup bob \
-      alice # Another broker line
     </programlisting>
   </section>
   <table id="tabl-ConfigureACLs-Syntax_permissions">
@@ -385,13 +375,10 @@
         Worked example 2 - User maintainer group
       </title>
       <para>
-         Suppose you wish to restrict User Management operations to users belonging to a group 'usermaint'.  No other user
-         is allowed to perform user maintainence  This example illustrates the permissioning of a individual component 
-         and a group definition.
+         Suppose you wish to restrict User Management operations to users belonging to a <link linkend="Configuring-Group-Providers">group</link> 'usermaint'.  No other user
+         is allowed to perform user maintainence  This example illustrates the permissioning of an individual component.
       </para>
       <programlisting>
-        # Create a group usermaint with members bob and alice
-        GROUP usermaint bob alice
         # Give operator permission to execute all JMX Methods
         ACL ALLOW usermaint ALL METHOD component="UserManagement"
         ACL DENY ALL ALL METHOD component="UserManagement"
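Review bot: The added line "is allowed to perform user maintainence  This example illustrates ..." carries over the misspelling "maintainence" and the missing full stop before "This"; both are worth fixing while the sentence is being rewritten. With the GROUP definition removed from the listing, nothing in the example shows where the members of usermaint come from, so a comment line in the listing pointing at the groups file would help. The retained comment "# Give operator permission to execute all JMX Methods" also names "operator" while the rule grants to usermaint.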

Modified: qpid/trunk/qpid/doc/book/src/java-broker/Configure-AuthenticationProviders.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/Configure-AuthenticationProviders.xml?rev=1379980&r1=1379979&r2=1379980&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/Configure-AuthenticationProviders.xml (original)
+++ qpid/trunk/qpid/doc/book/src/java-broker/Configure-AuthenticationProviders.xml Sun Sep  2 14:34:48 2012
@@ -21,7 +21,7 @@
  
 -->
 
-<section>
+<section id="Configuring-Authentication-Mechanisms">
   <title>Configuring Authentication Mechanisms</title>
   <para>
     In order to successfully establish a connection to the Java Broker, the connection must be

Added: qpid/trunk/qpid/doc/book/src/java-broker/Configure-Group-Providers.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/Configure-Group-Providers.xml?rev=1379980&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/Configure-Group-Providers.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/Configure-Group-Providers.xml Sun Sep  2 14:34:48 2012
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements.  See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership.  The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied.  See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+
+<section id="Configuring-Group-Providers">
+  <title>Configuring Group Providers</title>
+  <para>
+    The Java broker utilises GroupProviders to allow assigning users to groups for use in <link linkend="Configuring-ACLS">ACLs</link>. Following authentication by a given <link linkend="Configuring-Authentication-Mechanisms">Authentication Provider</link>, the configured Group Providers are consulted to allowing assignment of GroupPrincipals for a given authenticated user. 
+  </para>
+
+
+  <section role="h3" id="File-Group-Manager">
+    <title>FileGroupManager</title>
+    <para>
+      The FileGroupManager allows specifying group membership in a flat file on disk, and is also exposed for inspection and update through the brokers HTTP management interface.
+    </para>
+    <para>
+      To enable the FileGroupManager, add the following configuration to the config.xml, adjusting the groupFile attribute value to match your desired groups file location.
+    </para>
+
+    <programlisting><![CDATA[
+    ...
+    <security>
+        <file-group-manager>
+            <attributes>
+              <attribute>
+                <name>groupFile</name>
+                 <value>${conf}/groups</value>
+              </attribute>
+            </attributes>
+        </file-group-manager>
+    </security>]]>
+    ...
+</programlisting>
+
+	<section role="h4" id="File-Group-Manager-FileFormat">
+       <title>File Format</title>
+	  <para>
+            The groups file has the following format:
+          </para>
+            <programlisting>
+    # &lt;GroupName&gt;.users = &lt;comma deliminated user list&gt;
+    # For example:
+
+    administrators.users = admin,manager
+</programlisting>
+          <para>
+            Only users can be added to a group currently, not other groups. Usernames can't contain commas.
+          </para><para>
+            Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface.
+          </para>
+     </section>
+  </section>
+</section>
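Review bot: The FileGroupManager paragraph says the groups file is "exposed for inspection and update through the brokers HTTP management interface", but the section never states who is allowed to make those updates or how the file on disk should be protected. Since the file determines the group membership that ACL rules are evaluated against, add a sentence on the permission required to change groups through the management interface and on restricting write access to the groupFile location to the broker's own account. The format description should also say whether whitespace around the commas in "administrators.users = admin,manager" is significant. Smaller points: "are consulted to allowing assignment" should read "to allow assignment", "brokers HTTP" needs an apostrophe, "comma deliminated" should be "comma delimited", the closing "]]>" sits before the trailing "..." so the two ellipses are treated differently, and linkend="Configuring-ACLS" should be checked against the id actually declared in Configure-ACLs.xml, which none of the hunks in this commit show.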


