Posted to commits@qpid.apache.org by ro...@apache.org on 2012/08/03 17:38:45 UTC

svn commit: r1369046 - /qpid/trunk/qpid/java/broker/etc/broker_example.acl

Author: robbie
Date: Fri Aug  3 15:38:44 2012
New Revision: 1369046

URL: http://svn.apache.org/viewvc?rev=1369046&view=rev
Log:
QPID-4185: improve broker_example.acl to give more reasonable settings, replacing some ALLOW-LOG with ALLOW for read only operations and removing 'dead rule' example.

Applied patch from Philip Harvey <ph...@philharveyonline.com>, Oleksandr Rudyy <or...@gmail.com> and myself.

Modified:
    qpid/trunk/qpid/java/broker/etc/broker_example.acl

Modified: qpid/trunk/qpid/java/broker/etc/broker_example.acl
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/java/broker/etc/broker_example.acl?rev=1369046&r1=1369045&r2=1369046&view=diff
==============================================================================
--- qpid/trunk/qpid/java/broker/etc/broker_example.acl (original)
+++ qpid/trunk/qpid/java/broker/etc/broker_example.acl Fri Aug  3 15:38:44 2012
@@ -18,6 +18,7 @@
 #
 
 ### EXAMPLE ACL V2 FILE
+### NOTE: Rules are considered from top to bottom, and the first matching rule governs the decision.
 
 ### DEFINE GROUPS ###
 
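Review bot: the NOTE added under "### EXAMPLE ACL V2 FILE" says the first matching rule governs the decision but does not say what happens to a request that matches no rule at all. Because this file is used as a template, add a line stating the outcome when nothing matches, so readers know whether a trailing catch-all rule is needed.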
@@ -27,30 +28,30 @@ GROUP messaging-users client server
 #Define a group for management web console users
 GROUP webadmins webadmin
 
-### MANAGEMENT ####
+### JMX MANAGEMENT ####
 
 # Allow everyone to perform read operations on the ServerInformation mbean
 # This is used for items such as querying the management API and broker release versions.
-ACL ALLOW-LOG ALL ACCESS METHOD component="ServerInformation"
+ACL ALLOW ALL ACCESS METHOD component="ServerInformation"
 
-# Allow 'admin' all management operations
+# Allow 'admin' all management operations. To reduce log file noise, only non-read-only operations are logged.
+ACL ALLOW admin ACCESS METHOD
 ACL ALLOW-LOG admin ALL METHOD
 
+# Allow 'guest' to view logger levels, and use getter methods on LoggingManagement
+ACL ALLOW guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels"
+ACL ALLOW guest ACCESS METHOD component="LoggingManagement" name="get*"
+
 # Deny access to Shutdown, UserManagement, ConfigurationManagement and LoggingManagement for all other users
-# You could grant specific users access to these beans by adding ALLOW-LOG rules above for them
+# You could grant specific users access to these beans by adding rules above to allow them
 ACL DENY-LOG ALL ACCESS METHOD component="Shutdown"
 ACL DENY-LOG ALL ACCESS METHOD component="UserManagement"
 ACL DENY-LOG ALL ACCESS METHOD component="ConfigurationManagement"
 ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement"
 
-# Allow 'guest' to view logger levels, and use getter methods on LoggingManagement
-# These are examples of redundant rules! The DENY-LOG rule above will be invoked
-# first and will deny the access to all methods of LoggingManagement for guest
-ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels"
-ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="get*"
-
-# Allow everyone to perform all read operations on the mbeans not listened in the DENY-LOG rules above
-ACL ALLOW-LOG ALL ACCESS METHOD
+# Allow everyone to perform all read operations (using ALLOW rather than ALLOW-LOG to reduce log file noise)
+# on the mbeans not listed in the DENY rules above
+ACL ALLOW ALL ACCESS METHOD
 
 ### MESSAGING ###
 
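Review bot: the two guest rules for component="LoggingManagement" change from ALLOW-LOG to ALLOW as they move above the DENY-LOG block, so the only exceptions carved out of a denied component no longer leave an audit trail, and name="get*" is a wildcard whose matches would be worth seeing in the log. Consider keeping ALLOW-LOG on those two lines and limiting the noise reduction to the rules for ALL. Separately, "ACL ALLOW admin ACCESS METHOD" only has its intended effect because it sits before "ACL ALLOW-LOG admin ALL METHOD"; the comment above the pair could say that the order matters and that, as a result, admin ACCESS calls on UserManagement and ConfigurationManagement are not logged either.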