Posted to commits@qpid.apache.org by ac...@apache.org on 2014/01/21 21:57:24 UTC

svn commit: r1560179 - /qpid/trunk/qpid/doc/book/src/cpp-broker/Active-Passive-Cluster.xml

Author: aconway
Date: Tue Jan 21 20:57:23 2014
New Revision: 1560179

URL: http://svn.apache.org/r1560179
Log:
NO-JIRA: Update the security section of the HA user doc to mention the ACL "allow all" requirement.

Modified:
    qpid/trunk/qpid/doc/book/src/cpp-broker/Active-Passive-Cluster.xml

Modified: qpid/trunk/qpid/doc/book/src/cpp-broker/Active-Passive-Cluster.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/cpp-broker/Active-Passive-Cluster.xml?rev=1560179&r1=1560178&r2=1560179&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/cpp-broker/Active-Passive-Cluster.xml (original)
+++ qpid/trunk/qpid/doc/book/src/cpp-broker/Active-Passive-Cluster.xml Tue Jan 21 20:57:23 2014
@@ -310,10 +310,8 @@ ssl_addr = "ssl:" host [":" port]'
 	      <para><literal>ha-mechanism <replaceable>MECHANISM</replaceable></literal></para>
 	    </entry>
 	    <entry>
-	      Authentication settings used by HA brokers to connect to each other.
-	      If you are using authorization
-	      (<xref linkend="sect-Messaging_User_Guide-Security-Authorization"/>)
-	      then this user must have all permissions.
+	      Authentication settings used by HA brokers to connect to each other,
+	      see <xref linkend="ha-security"/>
 	    </entry>
 	  </row>
 	  <row>
@@ -791,49 +789,52 @@ NOTE: fencing is not shown, you must con
   </section>
 
   <section id="ha-security">
-    <title>Security.</title>
+    <title>Security and Access Control.</title>
     <para>
-      You can secure your cluster using the authentication and authorization features
-      described in <xref linkend="chap-Messaging_User_Guide-Security"/>.
+      You can secure your cluster using the authentication and authorization
+      features described in <xref linkend="chap-Messaging_User_Guide-Security"/>.
+      HA brokers use the credentials set by the following options:
     </para>
-    <para>
-      Backup brokers connect to the primary broker and subscribe for management
-      events and queue contents. You can specify the identity used to connect
-      to the primary with the following options:
-    </para>
-    <table frame="all" id="ha-broker-security-options">
-      <title>Security options for High Availability Messaging Cluster</title>
+    <table frame="all" id="ha-security-options">
+      <title>HA Security Options</title>
       <tgroup align="left" cols="2" colsep="1" rowsep="1">
-	<colspec colname="c1" colwidth="1*"/>
-	<colspec colname="c2" colwidth="3*"/>
+	<colspec colname="c1"/>
+	<colspec colname="c2"/>
 	<thead>
 	  <row>
 	    <entry align="center" nameend="c2" namest="c1">
-	      Security options for High Availability Messaging Cluster
+	      HA Security Options
 	    </entry>
 	  </row>
 	</thead>
 	<tbody>
 	  <row>
-	    <entry>
-	      <para><literal>ha-username <replaceable>USER</replaceable></literal></para>
-	      <para><literal>ha-password <replaceable>PASS</replaceable></literal></para>
-	      <para><literal>ha-mechanism <replaceable>MECH</replaceable></literal></para>
-	    </entry>
-	    <entry>
-	      Authentication settings used by HA brokers to connect to each other.
-	      If you are using authorization
-	      (<xref linkend="sect-Messaging_User_Guide-Security-Authorization"/>)
-	      then this user must have all permissions.
-	    </entry>
+	    <entry><para><literal>ha-username</literal> <replaceable>USER</replaceable></para></entry>
+	    <entry><para>User name for HA brokers.</para></entry>
+	  </row>
+	  <row>
+	    <entry><para><literal>ha-password</literal> <replaceable>PASS</replaceable></para></entry>
+	    <entry><para>Password for HA brokers.</para></entry>
+	  </row>
+	  <row>
+	    <entry><para><literal>ha-mechanism</literal> <replaceable>MECHANISM</replaceable></para></entry>
+	    <entry><para>Mechanism for HA brokers.</para></entry>
 	  </row>
 	</tbody>
       </tgroup>
     </table>
     <para>
-      This identity is also used to authorize actions taken on the backup broker to replicate
-      from the primary, for example to create queues or exchanges.
+      This identity is used to authorize federation links from backup to
+      primary.  It is also used to authorize actions on the backup to replicate
+      primary state, for example creating queues and exchanges.
     </para>
+    <para>
+      When using an Access Control List the following ACL rule is required
+      when <literal>ha-username</literal>=<replaceable>USER</replaceable>
+    </para>
+    <programlisting>
+      acl allow <replaceable>USER</replaceable>@QPID all all
+    </programlisting>
   </section>
 
   <section id="ha-other-rm">


