Posted to commits@qpid.apache.org by ch...@apache.org on 2014/07/23 19:01:41 UTC
svn commit: r1612874 [2/2] - in /qpid/trunk/qpid: cpp/src/qpid/acl/
cpp/src/qpid/broker/ cpp/src/tests/ doc/book/src/cpp-broker/
Modified: qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml?rev=1612874&r1=1612873&r2=1612874&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml (original)
+++ qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml Wed Jul 23 17:01:40 2014
@@ -312,45 +312,45 @@ com.sun.security.jgss.initiate {
</section>
- <!-- ################################################### --> <section id="sect-Messaging_User_Guide-Security-Authorization">
- <title>Authorization</title>
- <para>
- In Qpid, Authorization specifies which actions can be performed by each authenticated user using an Access Control List (ACL).
- </para>
- <para>
- Use the <command>--acl-file</command> command to load the access control list. The filename should have a <filename>.acl</filename> extension:
- </para>
+ <!-- ################################################### --> <section id="sect-Messaging_User_Guide-Security-Authorization">
+ <title>Authorization</title>
+ <para>
+ In Qpid, Authorization specifies which actions can be performed by each authenticated user using an Access Control List (ACL).
+ </para>
+ <para>
+ Use the <command>--acl-file</command> command to load the access control list. The filename should have a <filename>.acl</filename> extension:
+ </para>
<screen>
$ qpidd --acl-file <replaceable>./aclfilename.acl</replaceable></screen>
- <para>
- Each line in an ACL file grants or denies specific rights to a user. If the last line in an ACL file is <literal>acl deny all all</literal>, the ACL uses <firstterm>deny mode</firstterm>, and only those rights that are explicitly allowed are granted:
- </para>
+ <para>
+ Each line in an ACL file grants or denies specific rights to a user. If the last line in an ACL file is <literal>acl deny all all</literal>, the ACL uses <firstterm>deny mode</firstterm>, and only those rights that are explicitly allowed are granted:
+ </para>
<programlisting>
acl allow rajith@QPID all all
acl deny all all
</programlisting>
- <para>
- On this server, <literal>rajith@QPID</literal> can perform any action, but nobody else can. Deny mode is the default, so the previous example is equivalent to the following ACL file:
- </para>
+ <para>
+ On this server, <literal>rajith@QPID</literal> can perform any action, but nobody else can. Deny mode is the default, so the previous example is equivalent to the following ACL file:
+ </para>
<programlisting>
acl allow rajith@QPID all all
</programlisting>
- <para>
- Alternatively the ACL file may use <firstterm>allow mode</firstterm> by placing:
- </para>
+ <para>
+ Alternatively the ACL file may use <firstterm>allow mode</firstterm> by placing:
+ </para>
<programlisting>
acl allow all all
</programlisting>
- <para>
- as the final line in the ACL file. In <emphasis>allow mode</emphasis> all actions by all users are allowed unless otherwise denied by specific ACL rules.
- The ACL rule which selects <emphasis>deny mode</emphasis> or <emphasis>allow mode</emphasis> must be the last line in the ACL rule file.
- </para>
- <para>
- ACL syntax allows fine-grained access rights for specific actions:
- </para>
+ <para>
+ as the final line in the ACL file. In <emphasis>allow mode</emphasis> all actions by all users are allowed unless otherwise denied by specific ACL rules.
+ The ACL rule which selects <emphasis>deny mode</emphasis> or <emphasis>allow mode</emphasis> must be the last line in the ACL rule file.
+ </para>
+ <para>
+ ACL syntax allows fine-grained access rights for specific actions:
+ </para>
<programlisting>
acl allow carlt@QPID create exchange name=carl.*
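Review bot: this hunk (and the two that follow it) is a whitespace-only re-indentation of unchanged paragraphs, so the substantive documentation changes further down are buried under identical +/- pairs; splitting the re-indent into its own commit, or re-indenting in the same commit as the table rework but noting it in the log message, would make the real changes reviewable. While these lines are being touched, the sentence "The ACL rule which selects deny mode or allow mode must be the last line in the ACL rule file" would read better placed immediately after the "acl deny all all" example, since it is the one hard constraint on file layout and currently sits after the allow-mode example only.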
@@ -359,18 +359,18 @@ com.sun.security.jgss.initiate {
acl allow all bind exchange
acl deny all all
</programlisting>
- <para>
- An ACL file can define user groups, and assign permissions to them:
- </para>
+ <para>
+ An ACL file can define user groups, and assign permissions to them:
+ </para>
<programlisting>
group admin ted@QPID martin@QPID
acl allow admin create all
acl deny all all
</programlisting>
- <para>
- An ACL file can define per user connection and queue quotas:
- </para>
+ <para>
+ An ACL file can define per user connection and queue quotas:
+ </para>
<programlisting>
group admin ted@QPID martin@QPID
@@ -383,28 +383,28 @@ com.sun.security.jgss.initiate {
quota queues 1 test@qpid
</programlisting>
- <para>
- Performance Note: Most ACL queries are performed infrequently. The overhead associated with
- ACL passing an allow or deny decision on the creation of a queue is negligible
- compared to actually creating and using the queue. One notable exception is the <command>publish exchange</command>
- query. ACL files with no <emphasis>publish exchange</emphasis> rules are noted and the broker short circuits the logic
- associated with the per-messsage <emphasis>publish exchange</emphasis> ACL query.
- However, if an ACL file has any <emphasis>publish exchange</emphasis> rules
- then the broker is required to perform a <emphasis>publish exchange</emphasis> query for each message published.
- Users with performance critical applications are encouraged to structure exchanges, queues, and bindings so that
- the <emphasis>publish exchange</emphasis> ACL rules are unnecessary.
- </para>
+ <para>
+ Performance Note: Most ACL queries are performed infrequently. The overhead associated with
+ ACL passing an allow or deny decision on the creation of a queue is negligible
+ compared to actually creating and using the queue. One notable exception is the <command>publish exchange</command>
+ query. ACL files with no <emphasis>publish exchange</emphasis> rules are noted and the broker short circuits the logic
+ associated with the per-messsage <emphasis>publish exchange</emphasis> ACL query.
+ However, if an ACL file has any <emphasis>publish exchange</emphasis> rules
+ then the broker is required to perform a <emphasis>publish exchange</emphasis> query for each message published.
+ Users with performance critical applications are encouraged to structure exchanges, queues, and bindings so that
+ the <emphasis>publish exchange</emphasis> ACL rules are unnecessary.
+ </para>
- <!-- ######## --> <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntax">
- <title>ACL Syntax</title>
- <para>
- ACL rules follow this syntax:
+ <!-- ######## --> <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntax">
+ <title>ACL Syntax</title>
+ <para>
+ ACL rules follow this syntax:
<programlisting><![CDATA[
aclline = ( comment | aclspec | groupspec | quotaspec )
comment = "#" [ STRING ]
-aclspec = "acl" permission ( groupname | name | "all" )
+aclspec = "acl" permission ( groupname | name | "all" )
( action | "all" ) [ ( object | "all ) [ ( property "=" STRING )* ] ]
groupspec = "group" groupname ( name )* [ "\" ]
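Review bot: the re-indented performance note still carries the typo "per-messsage" (the line reading "associated with the per-messsage publish exchange ACL query"); since the line is rewritten anyway, correct it to "per-message". In the unchanged grammar context just below, `( object | "all ) [ ( property "=" STRING )* ] ]` is missing the closing quote on `"all"`, which matters because this block is presented as the rule syntax users copy from.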
@@ -438,152 +438,111 @@ property = "name" | "durable" | "routin
"pagefactorlowerlimit" | "pagefactorupperlimit"
]]></programlisting>
- ACL rules can also include a single object name (or the keyword <parameter>all</parameter>) and one or more property name value pairs in the form <command>property=value</command>
- </para>
- <para>
- The following tables show the possible values for <command>permission</command>, <command>action</command>, <command>object</command>, and <command>property</command> in an ACL rules file.
- </para>
- <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rules_permission">
- <title>ACL Rules: permission</title>
- <tgroup cols="2">
- <tbody>
- <row>
- <entry>
- <command>allow</command>
- </entry>
- <entry>
- <para>
- Allow the action <!-- ### rule => the action -->
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>allow-log</command>
- </entry>
- <entry>
- <para>
- Allow the action and log the action in the event log
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>deny</command>
- </entry>
- <entry>
- <para>
- Deny the action
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>deny-log</command>
- </entry>
- <entry>
- <para>
- Deny the action and log the action in the event log
- </para>
- </entry>
- </row>
- </tbody>
- </tgroup>
- </table>
- <!-- Actions --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesaction">
- <title>ACL Rules: action</title>
- <tgroup cols="2">
- <tbody>
- <row>
- <entry>
- <command>consume</command>
- </entry>
- <entry>
- <para>
- Using an object
- </para>
-
- </entry>
- </row>
- <row>
- <entry>
- <command>publish</command>
- </entry>
- <entry>
- <para>
- Authenticating an incoming message.
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>create</command>
- </entry>
- <entry>
- <para>
- Creating an object.
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>access</command>
- </entry>
- <entry>
- <para>
- Accessing or reading an object
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>bind</command>
- </entry>
- <entry>
- <para>
- Associating a queue to an exchange with a routing key.
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>unbind</command>
- </entry>
- <entry>
- <para>
- Disassociating a queue from an exchange with a routing key.
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>delete</command>
- </entry>
- <entry>
- <para>
- Deleting an object.
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>purge</command>
- </entry>
- <entry>
- <para>
- Purging a queue.
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>update</command>
- </entry>
- <entry>
- <para>
- Changing a broker configuration setting.
- </para>
- </entry>
+ ACL rules can also include a single object name (or the keyword <parameter>all</parameter>) and one or more property name value pairs in the form <command>property=value</command>
+ </para>
+ <para>
+ The following tables show the possible values for <command>permission</command>, <command>action</command>, <command>object</command>, and <command>property</command> in an ACL rules file.
+ </para>
+ <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rules_permission">
+ <title>ACL Rules: permission</title>
+ <tgroup cols="2">
+ <tbody>
+ <row>
+ <entry>
+ <command>allow</command>
+ </entry>
+ <entry>
+ <para>
+ Allow the action <!-- ### rule => the action -->
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>allow-log</command>
+ </entry>
+ <entry>
+ <para>
+ Allow the action and log the action in the event log
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>deny</command>
+ </entry>
+ <entry>
+ <para>
+ Deny the action
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>deny-log</command>
+ </entry>
+ <entry>
+ <para>
+ Deny the action and log the action in the event log
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <!-- Actions --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesaction">
+ <title>ACL Rules: action</title>
+ <tgroup cols="2">
+ <tbody>
+ <row>
+ <entry>
+ <command>access</command>
+ </entry>
+ <entry>
+ <para>
+ Accessing or reading an object
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>bind</command>
+ </entry>
+ <entry>
+ <para>
+ Associating a queue to an exchange with a routing key.
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>consume</command>
+ </entry>
+ <entry>
+ <para>
+ Using an object
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>create</command>
+ </entry>
+ <entry>
+ <para>
+ Creating an object.
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>delete</command>
+ </entry>
+ <entry>
+ <para>
+ Deleting an object.
+ </para>
+ </entry>
</row>
<row>
<entry>
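Review bot: the alphabetical reordering of the action table is an improvement, but two rows carried over unchanged are worth fixing while they move: the `consume` description "Using an object" is vague, and the lookup table later in this patch pairs consume only with queue, so "Consuming messages from a queue" would be accurate; and the `allow` row still contains the stale editor comment `<!-- ### rule => the action -->`, which should be dropped rather than re-added.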
@@ -597,6 +556,26 @@ property = "name" | "durable" | "routin
</row>
<row>
<entry>
+ <command>publish</command>
+ </entry>
+ <entry>
+ <para>
+ Authenticating an incoming message.
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>purge</command>
+ </entry>
+ <entry>
+ <para>
+ Purging a queue.
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
<command>redirect</command>
</entry>
<entry>
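Review bot: the `publish` row added here keeps the description "Authenticating an incoming message.", but ACL rules perform authorization, not authentication (the section opens with "Authorization specifies which actions can be performed by each authenticated user"), and the performance note describes this action as the per-message "publish exchange" check; suggest "Publishing a message to an exchange", which also tells the reader which object the action applies to.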
@@ -614,68 +593,40 @@ property = "name" | "durable" | "routin
Rerouting messages from a queue to an exchange
</para>
</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
- <!-- object types --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesobject">
- <title>ACL Rules:object</title>
- <tgroup cols="2">
- <tbody>
- <row>
- <entry>
- <command>queue</command>
- </entry>
- <entry>
- <para>
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>exchange</command>
- </entry>
- <entry>
- <para>
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>broker</command>
- </entry>
- <entry>
- <para>
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>link</command>
- </entry>
- <entry>
- <para>
- A federation or inter-broker link
- </para>
- </entry>
- </row>
- <row>
- <entry>
- <command>method</command>
- </entry>
- <entry>
- <para>
- Management method
- </para>
- </entry>
- </row>
+ </row>
<row>
<entry>
- <command>query</command>
+ <command>unbind</command>
+ </entry>
+ <entry>
+ <para>
+ Disassociating a queue from an exchange with a routing key.
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>update</command>
+ </entry>
+ <entry>
+ <para>
+ Changing a broker configuration setting.
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <!-- object types --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesobject">
+ <title>ACL Rules:object</title>
+ <tgroup cols="2">
+ <tbody>
+ <row>
+ <entry>
+ <command>broker</command>
</entry>
<entry>
<para>
- Management query of an object or class
</para>
</entry>
</row>
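Review bot: the `broker` row re-added here has an empty `<para></para>` description, as do the `exchange` and `queue` rows in the following hunk, while `link` and `method` each get a one-line explanation; a short description for every object would make the table self-contained, and the re-added title "ACL Rules:object" is missing the space after the colon that the other table titles ("ACL Rules: permission", "ACL Rules: action") use.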
@@ -689,99 +640,125 @@ property = "name" | "durable" | "routin
</para>
</entry>
</row>
- </tbody>
- </tgroup>
- </table>
- <!--
+ <row>
+ <entry>
+ <command>exchange</command>
+ </entry>
+ <entry>
+ <para>
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>link</command>
+ </entry>
+ <entry>
+ <para>
+ A federation or inter-broker link
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>method</command>
+ </entry>
+ <entry>
+ <para>
+ Management method
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>query</command>
+ </entry>
+ <entry>
+ <para>
+ Management query of an object or class
+ </para>
+ </entry>
+ </row>
+ <row>
+ <entry>
+ <command>queue</command>
+ </entry>
+ <entry>
+ <para>
+ </para>
+ </entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ <!--
<para>
- Wild cards can be used on properties that are a string. The following rule properties are supported: --> <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesproperty">
- <title>ACL Rules: property</title>
- <tgroup cols="4">
- <thead>
- <row>
- <entry>Property</entry>
- <entry>Type</entry>
- <entry>Description</entry>
- <entry>Usage</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry> <command>name</command> </entry>
- <entry>String</entry>
- <entry>Rule refers to objects with this name</entry>
- <entry></entry>
- </row>
- <row>
- <entry> <command>durable</command> </entry>
- <entry>Boolean</entry>
- <entry>Rule applies to durable objects</entry>
- <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
- </row>
- <row>
- <entry> <command>routingkey</command> </entry>
- <entry>String</entry>
- <entry>Specifies routing key</entry>
- <entry>BIND EXCHANGE, UNBIND EXCHANGE, ACCESS EXCHANGE, PUBLISH EXCHANGE</entry>
- </row>
- <row>
- <entry> <command>autodelete</command> </entry>
- <entry>Boolean</entry>
- <entry>Indicates whether or not the object gets deleted when the connection is closed</entry>
- <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE</entry>
- </row>
- <row>
- <entry> <command>exclusive</command> </entry>
- <entry>Boolean</entry>
- <entry>Indicates the presence of an <parameter>exclusive</parameter> flag</entry>
- <entry>CREATE QUEUE, ACCESS QUEUE, DELETE QUEUE</entry>
- </row>
- <row>
- <entry> <command>type</command> </entry>
- <entry>String</entry>
- <entry>Type of exchange, such as topic, fanout, or xml</entry>
- <entry>CREATE EXCHANGE, ACCESS EXCHANGE, DELETE EXCHANGE</entry>
- </row>
- <row>
- <entry> <command>alternate</command> </entry>
- <entry>String</entry>
- <entry>Name of the alternate exchange</entry>
- <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
- </row>
- <row>
- <entry> <command>queuename</command> </entry>
- <entry>String</entry>
- <entry>Name of the queue</entry>
- <entry>ACCESS EXCHANGE, BIND EXCHANGE, MOVE QUEUE, UNBIND EXCHANGE</entry>
- </row>
- <row>
- <entry> <command>exchangename</command> </entry>
- <entry>String</entry>
- <entry>Name of the exchange</entry>
- <entry>REROUTE QUEUE</entry>
- </row>
- <row>
- <entry> <command>schemapackage</command> </entry>
- <entry>String</entry>
- <entry>QMF schema package name</entry>
- <entry>ACCESS METHOD</entry>
- </row>
- <row>
- <entry> <command>schemaclass</command> </entry>
- <entry>String</entry>
- <entry>QMF schema class name</entry>
- <entry>ACCESS METHOD, ACCESS QUERY</entry>
- </row>
- <row>
- <entry> <command>policytype</command> </entry>
- <entry>String</entry>
- <entry>"ring", "self-destruct", "reject"</entry>
- <entry>CREATE QUEUE, ACCESS QUEUE, DELETE QUEUE</entry>
- </row>
+ Wild cards can be used on properties that are a string. The following rule properties are supported: -->
+ <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesproperty">
+ <title>ACL Rules: property</title>
+ <tgroup cols="4">
+ <thead>
<row>
- <entry> <command>paging</command> </entry>
+ <entry>Property</entry>
+ <entry>Type</entry>
+ <entry>Description</entry>
+ <entry>Usage</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry> <command>name</command> </entry>
+ <entry>String</entry>
+ <entry>Rule refers to objects with this name. When 'name' is blank or absent then the rule
+ applies to all objects of the given type.</entry>
+ <entry></entry>
+ </row>
+ <row>
+ <entry> <command>alternate</command> </entry>
+ <entry>String</entry>
+ <entry>Name of an alternate exchange</entry>
+ <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
+ </row>
+ <row>
+ <entry> <command>autodelete</command> </entry>
+ <entry>Boolean</entry>
+ <entry>Indicates whether or not the object gets deleted when the connection that created it is closed</entry>
+ <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>durable</command> </entry>
<entry>Boolean</entry>
- <entry>Indicates if the queue is paging queue</entry>
+ <entry>Rule applies to durable objects</entry>
+ <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
+ </row>
+ <row>
+ <entry> <command>exchangename</command> </entry>
+ <entry>String</entry>
+ <entry>Name of the exchange to which queue's entries are routed</entry>
+ <entry>REROUTE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxcountlowerlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Minimum value for file.max_count (files)</entry>
+ <entry>CREATE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxcountupperlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Maximum value for file.max_count (files)</entry>
+ <entry>CREATE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxsizelowerlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Minimum value for file.max_size (64kb pages)</entry>
+ <entry>CREATE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>filemaxsizeupperlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Maximum value for file.max_size (64kb pages)</entry>
<entry>CREATE QUEUE</entry>
</row>
<row>
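Review bot: the `name` row's new description says a blank or absent name makes the rule apply to all objects of the type, but its Usage cell is left empty; the lookup table added later in this patch lists `name` for nearly every event, so the Usage cell should state that it applies to all action-object pairs, or the reader will assume it applies to none. Separately, the paragraph "Wild cards can be used on properties that are a string" is still commented out, yet the section's own example uses `name=carl.*`; either restore that sentence or document wildcard matching where `name` is described.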
@@ -790,443 +767,481 @@ property = "name" | "durable" | "routin
<entry>Target TCP/IP host or host range for create connection rules</entry>
<entry>CREATE CONNECTION</entry>
</row>
- <row>
- <entry> <command>queuemaxsizelowerlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Minimum value for queue.max_size (memory bytes)</entry>
- <entry>CREATE QUEUE, ACCESS QUEUE</entry>
- </row>
- <row>
- <entry> <command>queuemaxsizeupperlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Maximum value for queue.max_size (memory bytes)</entry>
- <entry>CREATE QUEUE, ACCESS QUEUE</entry>
- </row>
- <row>
- <entry> <command>queuemaxcountlowerlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Minimum value for queue.max_count (messages)</entry>
- <entry>CREATE QUEUE, ACCESS QUEUE</entry>
- </row>
- <row>
- <entry> <command>queuemaxcountupperlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Maximum value for queue.max_count (messages)</entry>
- <entry>CREATE QUEUE, ACCESS QUEUE</entry>
- </row>
- <row>
- <entry> <command>filemaxsizelowerlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Minimum value for file.max_size (64kb pages)</entry>
- <entry>CREATE QUEUE</entry>
- </row>
- <row>
- <entry> <command>filemaxsizeupperlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Maximum value for file.max_size (64kb pages)</entry>
- <entry>CREATE QUEUE</entry>
- </row>
- <row>
- <entry> <command>filemaxcountlowerlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Minimum value for file.max_count (files)</entry>
- <entry>CREATE QUEUE</entry>
- </row>
- <row>
- <entry> <command>filemaxcountupperlimit</command> </entry>
- <entry>Integer</entry>
- <entry>Maximum value for file.max_count (files)</entry>
- <entry>CREATE QUEUE</entry>
- </row>
<row>
- <entry> <command>pageslowerlimit</command> </entry>
+ <entry> <command>exclusive</command> </entry>
+ <entry>Boolean</entry>
+ <entry>Indicates the presence of an <parameter>exclusive</parameter> flag</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE, DELETE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>pagefactorlowerlimit</command> </entry>
<entry>Integer</entry>
- <entry>Minimum value for number of pages in memory of paged queue</entry>
+ <entry>Minimum value for size of a page in paged queue</entry>
<entry>CREATE QUEUE</entry>
</row>
<row>
- <entry> <command>pagesupperlimit</command> </entry>
+ <entry> <command>pagefactorupperlimit</command> </entry>
<entry>Integer</entry>
- <entry>Maximum value for number of pages in memory of paged queue</entry>
+ <entry>Maximum value for size of a page in paged queue</entry>
<entry>CREATE QUEUE</entry>
</row>
<row>
- <entry> <command>pagefactorlowerlimit</command> </entry>
+ <entry> <command>pageslowerlimit</command> </entry>
<entry>Integer</entry>
- <entry>Minimum value for size of one page in paged queue</entry>
+ <entry>Minimum value for number of paged queue pages in memory</entry>
<entry>CREATE QUEUE</entry>
</row>
<row>
- <entry> <command>pagefactorupperlimit</command> </entry>
+ <entry> <command>pagesupperlimit</command> </entry>
<entry>Integer</entry>
- <entry>Maximum value for size of one page in paged queue</entry>
+ <entry>Maximum value for number of paged queue pages in memory</entry>
+ <entry>CREATE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>paging</command> </entry>
+ <entry>Boolean</entry>
+ <entry>Indicates if the queue is a paging queue</entry>
<entry>CREATE QUEUE</entry>
</row>
- </tbody>
- </tgroup>
- </table>
-
- <section id="sect-Messaging_User_Guide-Authorization-ACL_ActionObjectPropertyTuples">
- <title>ACL Action-Object-Property Tuples</title>
- <para>
- Not every ACL action is applicable to every ACL object. Furthermore, not every property may be
- specified for every action-object pair.
- The following table enumerates which action and object pairs are allowed.
- The table also lists which optional ACL properties are allowed to qualify
- action-object pairs.
- </para>
- <para>
- The <emphasis>access</emphasis> action is called with different argument
- lists for the <emphasis>exchange</emphasis> and <emphasis>queue</emphasis> objects.
- A separate column shows the AMQP 0.10 method that the Access ACL rule is satisfying.
- Write separate rules with the additional arguments for the <emphasis>declare</emphasis>
- and <emphasis>bind</emphasis> methods and include these rules in the ACL file
- before the rules for the <emphasis>query</emphasis> method.
- <!-- The exact sequence of calling these methods is a product of the client
- library. The user might not know anything about a 'declare' or a 'query' or
- a passive declaration. -->
- </para>
- <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">
- <title>ACL Properties Allowed for each Action and Object</title>
- <tgroup cols="4">
- <thead>
- <row>
- <entry>Action</entry>
- <entry>Object</entry>
- <entry>Properties</entry>
- <entry>Method</entry>
- </row>
- </thead>
- <tbody>
+ <row>
+ <entry> <command>policytype</command> </entry>
+ <entry>String</entry>
+ <entry>"ring", "self-destruct", "reject"</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE, DELETE QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>queuename</command> </entry>
+ <entry>String</entry>
+ <entry>Name of the target queue</entry>
+ <entry>ACCESS EXCHANGE, BIND EXCHANGE, MOVE QUEUE, UNBIND EXCHANGE</entry>
+ </row>
+ <row>
+ <entry> <command>queuemaxsizelowerlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Minimum value for queue.max_size (memory bytes)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>queuemaxsizeupperlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Maximum value for queue.max_size (memory bytes)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>queuemaxcountlowerlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Minimum value for queue.max_count (messages)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>queuemaxcountupperlimit</command> </entry>
+ <entry>Integer</entry>
+ <entry>Maximum value for queue.max_count (messages)</entry>
+ <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+ </row>
+ <row>
+ <entry> <command>routingkey</command> </entry>
+ <entry>String</entry>
+ <entry>Specifies routing key</entry>
+ <entry>BIND EXCHANGE, UNBIND EXCHANGE, ACCESS EXCHANGE, PUBLISH EXCHANGE</entry>
+ </row>
+ <row>
+ <entry> <command>schemaclass</command> </entry>
+ <entry>String</entry>
+ <entry>QMF schema class name</entry>
+ <entry>ACCESS METHOD, ACCESS QUERY</entry>
+ </row>
+ <row>
+ <entry> <command>schemapackage</command> </entry>
+ <entry>String</entry>
+ <entry>QMF schema package name</entry>
+ <entry>ACCESS METHOD</entry>
+ </row>
+ <row>
+ <entry> <command>type</command> </entry>
+ <entry>String</entry>
+ <entry>Type of exchange, such as topic, fanout, or xml</entry>
+ <entry>CREATE EXCHANGE, ACCESS EXCHANGE, DELETE EXCHANGE</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_ActionObjectPropertyTuples">
+ <title>ACL Action-Object-Property Combinations</title>
+ <para>
+ Not every ACL action is applicable to every ACL object. Furthermore, not every property may be
+ specified for every action-object pair. The following table lists the broker events
+ that trigger ACL lookups. Then for each event it lists the action, object, and properties
+ allowed in the lookup.
+ </para>
+ <para>
+ User-specified ACL rules constrain property sets to those that match one or more of
+ the action and object pairs. For example these rules are allowed:
+ </para>
+<programlisting>
+ acl allow all access exchange
+ acl allow all access exchange name=abc
+ acl allow all access exchange name=abc durable=true
+</programlisting>
+ <para>
+ These rules could possibly match one or more of the broker lookups. However, this rule
+ is not allowed:
+ </para>
+<programlisting>
+ acl allow all access exchange queuename=queue1 durable=true
+</programlisting>
+ <para>
+ Properties <emphasis>queuename</emphasis> and <emphasis>durable</emphasis>
+ are not in the list of allowed properties for any 'access exchange' lookup.
+ This rule would never match a broker lookup query and would never contribute to an
+ allow or deny decision.
+ </para>
+ <para>
+ For more information about matching ACL rules please refer to
+ <link linkend="sect-Messaging_User_Guide-Authorization-ACL_Rule_Matching">
+ ACL Rule Matching
+ </link>
+ </para>
+
+ <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">
+ <title>Broker Lookup Events With Allowed Action, Object, and Properties</title>
+ <tgroup cols="4">
+ <thead>
+ <row>
+ <entry>Lookup Event</entry>
+ <entry>Action</entry>
+ <entry>Object</entry>
+ <entry>Properties</entry>
+ </row>
+ </thead>
+ <tbody>
<row>
+ <entry>User querying message timestamp setting </entry>
<entry>access</entry>
<entry>broker</entry>
<entry></entry>
- <entry>Broker:: getTimestampConfig</entry>
</row>
<row>
+ <entry>AMQP 0-10 protocol received 'query' </entry>
<entry>access</entry>
<entry>exchange</entry>
- <entry></entry>
- <entry>ExchangeHandlerImpl:: query</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>AMQP 0-10 query binding </entry>
<entry>access</entry>
<entry>exchange</entry>
- <entry></entry>
- <entry>Authorise:: access</entry>
+ <entry>name queuename routingkey </entry>
</row>
<row>
+ <entry>AMQP 0-10 exchange declare </entry>
<entry>access</entry>
<entry>exchange</entry>
- <entry>type alternate durable autodelete </entry>
- <entry>ExchangeHandlerImpl:: declare</entry>
+ <entry>name type alternate durable autodelete </entry>
</row>
<row>
+ <entry>AMQP 1.0 exchange access </entry>
<entry>access</entry>
<entry>exchange</entry>
- <entry>queuename routingkey </entry>
- <entry>ExchangeHandlerImpl:: bound</entry>
+ <entry>name type durable </entry>
</row>
<row>
+ <entry>AMQP 1.0 node resolution </entry>
<entry>access</entry>
<entry>exchange</entry>
- <entry>type durable </entry>
- <entry>Authorise:: access</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>Management method request </entry>
<entry>access</entry>
<entry>method</entry>
- <entry>schemapackage schemaclass </entry>
- <entry>ManagementAgent:: handleMethodRequest</entry>
+ <entry>name schemapackage schemaclass </entry>
</row>
<row>
+ <entry>Management agent method request </entry>
<entry>access</entry>
<entry>method</entry>
- <entry>schemapackage schemaclass </entry>
- <entry>ManagementAgent:: authorizeAgentMessage</entry>
+ <entry>name schemapackage schemaclass </entry>
</row>
<row>
+ <entry>Management agent query </entry>
<entry>access</entry>
<entry>query</entry>
- <entry>schemaclass </entry>
- <entry>ManagementAgent:: handleGetQuery</entry>
+ <entry>name schemaclass </entry>
</row>
<row>
+ <entry>QMF 'query queue' method </entry>
<entry>access</entry>
<entry>queue</entry>
- <entry></entry>
- <entry>Authorise:: access</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>AMQP 0-10 query </entry>
<entry>access</entry>
<entry>queue</entry>
- <entry></entry>
- <entry>QueueHandlerImpl:: query</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>AMQP 0-10 queue declare </entry>
<entry>access</entry>
<entry>queue</entry>
- <entry></entry>
- <entry>Broker:: queryQueue</entry>
+ <entry>name alternate durable exclusive autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
</row>
<row>
+ <entry>AMQP 1.0 queue access </entry>
<entry>access</entry>
<entry>queue</entry>
- <entry>alternate durable exclusive autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
- <entry>QueueHandlerImpl:: declare</entry>
+ <entry>name alternate durable exclusive autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
</row>
<row>
+ <entry>AMQP 1.0 node resolution </entry>
<entry>access</entry>
<entry>queue</entry>
- <entry>alternate durable exclusive autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
- <entry>Authorise:: access</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>AMQP 0-10 or QMF bind request </entry>
<entry>bind</entry>
<entry>exchange</entry>
- <entry>queuename routingkey </entry>
- <entry>Broker:: bind</entry>
+ <entry>name queuename routingkey </entry>
</row>
<row>
+ <entry>AMQP 1.0 new outgoing link from exchange</entry>
<entry>bind</entry>
<entry>exchange</entry>
- <entry>queuename routingkey </entry>
- <entry>Authorise:: outgoing</entry>
+ <entry>name queuename routingkey </entry>
</row>
<row>
+ <entry>AMQP 0-10 subscribe request </entry>
<entry>consume</entry>
<entry>queue</entry>
- <entry></entry>
- <entry>MessageHandlerImpl:: subscribe</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>AMQP 1.0 new outgoing link from queue </entry>
<entry>consume</entry>
<entry>queue</entry>
- <entry></entry>
- <entry>Authorise:: outgoing</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>TCP/IP connection creation </entry>
<entry>create</entry>
<entry>connection</entry>
- <entry>host</entry>
- <entry>Connection creation</entry>
+ <entry>host </entry>
</row>
<row>
+ <entry>Create exchange </entry>
<entry>create</entry>
<entry>exchange</entry>
- <entry>type alternate durable autodelete </entry>
- <entry>Broker:: createExchange</entry>
+ <entry>name type alternate durable autodelete </entry>
</row>
<row>
+ <entry>Interbroker link creation </entry>
<entry>create</entry>
<entry>link</entry>
<entry></entry>
- <entry>ConnectionHandler:: Handler:: open</entry>
</row>
<row>
+ <entry>Interbroker link creation </entry>
<entry>create</entry>
<entry>link</entry>
<entry></entry>
- <entry>Authorise:: interlink</entry>
</row>
<row>
+ <entry>Create queue </entry>
<entry>create</entry>
<entry>queue</entry>
- <entry>alternate durable exclusive autodelete policytype paging pageslowerlimit pagesupperlimit pagefactorlowerlimit pagefactorupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit </entry>
- <entry>Broker:: createQueue</entry>
+ <entry>name alternate durable exclusive autodelete policytype paging pageslowerlimit pagesupperlimit pagefactorlowerlimit pagefactorupperlimit queuemaxcountlowerlimit queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit filemaxsizelowerlimit filemaxsizeupperlimit </entry>
</row>
<row>
+ <entry>Delete exchange </entry>
<entry>delete</entry>
<entry>exchange</entry>
- <entry>type alternate durable </entry>
- <entry>Broker:: deleteExchange</entry>
+ <entry>name type alternate durable </entry>
</row>
<row>
+ <entry>Delete queue </entry>
<entry>delete</entry>
<entry>queue</entry>
- <entry>alternate durable exclusive autodelete policytype </entry>
- <entry>Broker:: deleteQueue</entry>
+ <entry>name alternate durable exclusive autodelete policytype </entry>
</row>
<row>
+ <entry>Management 'move queue' request </entry>
<entry>move</entry>
<entry>queue</entry>
- <entry>queuename</entry>
- <entry>Broker:: queueMoveMessages</entry>
+ <entry>name queuename </entry>
</row>
<row>
+ <entry>AMQP 0-10 received message processing </entry>
<entry>publish</entry>
<entry>exchange</entry>
- <entry></entry>
- <entry>Authorise:: incoming</entry>
+ <entry>name routingkey </entry>
</row>
<row>
+ <entry>AMQP 1.0 establish sender link to queue </entry>
<entry>publish</entry>
<entry>exchange</entry>
<entry>routingkey </entry>
- <entry>SemanticState:: route</entry>
</row>
<row>
+ <entry>AMQP 1.0 received message processing </entry>
<entry>publish</entry>
<entry>exchange</entry>
- <entry>routingkey </entry>
- <entry>Authorise:: route</entry>
+ <entry>name routingkey </entry>
</row>
<row>
+ <entry>Management 'purge queue' request </entry>
<entry>purge</entry>
<entry>queue</entry>
- <entry></entry>
- <entry>QueueHandlerImpl:: purge</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>Management 'purge queue' request </entry>
<entry>purge</entry>
<entry>queue</entry>
- <entry></entry>
- <entry>Queue:: ManagementMethod</entry>
+ <entry>name </entry>
</row>
<row>
+ <entry>Management 'redirect queue' request </entry>
<entry>redirect</entry>
<entry>queue</entry>
- <entry>queuename</entry>
- <entry>Broker:: queueRedirect</entry>
+ <entry>name queuename </entry>
</row>
<row>
+ <entry>Management 'reroute queue' request </entry>
<entry>reroute</entry>
<entry>queue</entry>
- <entry>exchangename </entry>
- <entry>Queue:: ManagementMethod</entry>
+ <entry>name exchangename </entry>
</row>
<row>
+ <entry>Management 'unbind exchange' request </entry>
<entry>unbind</entry>
<entry>exchange</entry>
- <entry>queuename routingkey </entry>
- <entry>Broker:: unbind</entry>
+ <entry>name queuename routingkey </entry>
</row>
<row>
+ <entry>User modifying message timestamp setting</entry>
<entry>update</entry>
<entry>broker</entry>
<entry></entry>
- <entry>Broker:: setTimestampConfig</entry>
</row>
- </tbody>
- </tgroup>
- </table>
- <para>
-
- </para>
- </section>
- </section>
-
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions">
- <title>ACL Syntactic Conventions</title>
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-comments">
- <title>Comments</title>
- <para>
- <itemizedlist>
- <listitem>
- <para>
- A line starting with the <command>#</command> character is considered a comment and is ignored.
- </para>
- </listitem>
- <listitem>
- <para>
- Embedded comments and trailing comments are not allowed. The <command>#</command> is commonly found in routing keys and other AMQP literals which occur naturally in ACL rule specifications.
- </para>
- </listitem>
- </itemizedlist>
- </para>
- </section>
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-whitespace">
- <title>White Space</title>
- <itemizedlist>
- <listitem>
- <para>
- Empty lines and lines that contain only whitespace (' ', '\f', '\n', '\r', '\t', '\v') are ignored.
- </para>
- </listitem>
- <listitem>
- <para>
- Additional whitespace between and after tokens is allowed.
- </para>
- </listitem>
- <listitem>
- <para>
- Group and Acl definitions must start with <command>group</command> and <command>acl</command> respectively and with no preceding whitespace.
- </para>
- </listitem>
- </itemizedlist>
- </section>
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-characterset">
- <title>Character Set</title>
- <itemizedlist>
- <listitem>
- <para>
- ACL files use 7-bit ASCII characters only
- </para>
- </listitem>
- <listitem>
- <para>
- Group names may contain only
- <itemizedlist>
- <listitem><command>[a-z]</command></listitem>
- <listitem><command>[A-Z]</command></listitem>
- <listitem><command>[0-9]</command></listitem>
- <listitem><command>'-'</command> hyphen</listitem>
- <listitem><command>'_'</command> underscore</listitem>
- </itemizedlist>
- </para>
- </listitem>
- <listitem>
- <para>
- Individual user names may contain only
- <itemizedlist>
- <listitem><command>[a-z]</command></listitem>
- <listitem><command>[A-Z]</command></listitem>
- <listitem><command>[0-9]</command></listitem>
- <listitem><command>'-'</command> hyphen</listitem>
- <listitem><command>'_'</command> underscore</listitem>
- <listitem><command>'.'</command> period</listitem>
- <listitem><command>'@'</command> ampersand</listitem>
- <listitem><command>'/'</command> slash</listitem>
- </itemizedlist>
- </para>
- </listitem>
- </itemizedlist>
- </section>
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-casesensitivity">
- <title>Case Sensitivity</title>
- <itemizedlist>
- <listitem>
- <para>
- All tokens are case sensitive. <parameter>name1</parameter> is not the same as <parameter>Name1</parameter> and <parameter>create</parameter> is not the same as <parameter>CREATE</parameter>.
- </para>
- </listitem>
- </itemizedlist>
- </section>
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-linecontinuation">
- <title>Line Continuation</title>
- <itemizedlist>
- <listitem>
- <para>
- Group lists can be extended to the following line by terminating the line with the <command>'\'</command> character. No other ACL file lines may be continued.
- </para>
- </listitem>
- <listitem>
- <para>
- Group specification lines may be continued only after the group name or any of the user names included in the group. See example below.
- </para>
- </listitem>
- <listitem>
- <para>
- Lines consisting solely of a <command>'\'</command> character are not permitted.
- </para>
- </listitem>
- <listitem>
- <para>
- The <command>'\'</command> continuation character is recognized only if it is the last character in the line. Any characters after the <command>'\'</command> are not permitted.
- </para>
- </listitem>
- </itemizedlist>
+ </tbody>
+ </tgroup>
+ </table>
+ </section>
+ </section>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions">
+ <title>ACL Syntactic Conventions</title>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-comments">
+ <title>Comments</title>
+ <para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ A line starting with the <command>#</command> character is considered a comment and is ignored.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Embedded comments and trailing comments are not allowed. The <command>#</command> is commonly found in routing keys and other AMQP literals which occur naturally in ACL rule specifications.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </para>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-whitespace">
+ <title>White Space</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Empty lines and lines that contain only whitespace (' ', '\f', '\n', '\r', '\t', '\v') are ignored.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Additional whitespace between and after tokens is allowed.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Group and Acl definitions must start with <command>group</command> and <command>acl</command> respectively and with no preceding whitespace.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-characterset">
+ <title>Character Set</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ ACL files use 7-bit ASCII characters only
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Group names may contain only
+ <itemizedlist>
+ <listitem><command>[a-z]</command></listitem>
+ <listitem><command>[A-Z]</command></listitem>
+ <listitem><command>[0-9]</command></listitem>
+ <listitem><command>'-'</command> hyphen</listitem>
+ <listitem><command>'_'</command> underscore</listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Individual user names may contain only
+ <itemizedlist>
+ <listitem><command>[a-z]</command></listitem>
+ <listitem><command>[A-Z]</command></listitem>
+ <listitem><command>[0-9]</command></listitem>
+ <listitem><command>'-'</command> hyphen</listitem>
+ <listitem><command>'_'</command> underscore</listitem>
+ <listitem><command>'.'</command> period</listitem>
+ <listitem><command>'@'</command> ampersand</listitem>
+ <listitem><command>'/'</command> slash</listitem>
+ </itemizedlist>
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-casesensitivity">
+ <title>Case Sensitivity</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ All tokens are case sensitive. <parameter>name1</parameter> is not the same as <parameter>Name1</parameter> and <parameter>create</parameter> is not the same as <parameter>CREATE</parameter>.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-linecontinuation">
+ <title>Line Continuation</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ Group lists can be extended to the following line by terminating the line with the <command>'\'</command> character. No other ACL file lines may be continued.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Group specification lines may be continued only after the group name or any of the user names included in the group. See example below.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ Lines consisting solely of a <command>'\'</command> character are not permitted.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ The <command>'\'</command> continuation character is recognized only if it is the last character in the line. Any characters after the <command>'\'</command> are not permitted.
+ </para>
+ </listitem>
+ </itemizedlist>
<programlisting><![CDATA[
#
# Examples of extending group lists using a trailing '\' character
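Review bot: the descriptions that replace the code-location column look off by one around the queue `access` rows: the row that previously cited `Broker:: queryQueue` is now labelled "AMQP 0-10 queue declare" and carries the full declare property list, while the row that previously cited `QueueHandlerImpl:: declare` is labelled "AMQP 1.0 queue access"; please check each new description against the function it replaced. Dropping that column also leaves pairs of rows that are now indistinguishable ("Interbroker link creation" appears twice, as does "Management 'purge queue' request"); either merge them or keep something that tells them apart. The "AMQP 1.0 establish sender link to queue" row is the only publish row whose property list was not updated to add `name` (it still reads `<entry>routingkey </entry>`), and its object column says `exchange` while the description says queue. In the user-name character-set list, `'@'` is the at sign, not an ampersand.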
@@ -1253,81 +1268,81 @@ property = "name" | "durable" | "routin
name10
]]></programlisting>
- </section>
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-linelength">
- <title>Line Length</title>
- <itemizedlist>
- <listitem>
- <para>
- ACL file lines are limited to 1024 characters.
- </para>
- </listitem>
- </itemizedlist>
- </section>
-
-
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords">
- <title>ACL File Keywords</title>
- ACL reserves several words for convenience and for context sensitive substitution.
-
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords-all">
- <title>The <command>all</command> Keyword</title>
- The keyword <command>all</command> is reserved. It may be used in ACL rules to match all individuals and groups, all actions, or all objects.
- <itemizedlist>
- <listitem>acl allow all create queue</listitem>
- <listitem>acl allow bob@QPID all queue</listitem>
- <listitem>acl allow bob@QPID create all</listitem>
- </itemizedlist>
- </section>
-
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords-userdomain">
- <title>User Name and Domain Name Keywords</title>
- <para>
- In the C++ Broker 0.20 a simple set of user name and domain name substitution variable keyword tokens is defined. This provides administrators with an easy way to describe private or shared resources.
- </para>
- <para>
- Symbol substitution is allowed in the ACL file anywhere that text is supplied for a property value.
- </para>
- <para>
- In the following table an authenticated user named bob.user@QPID.COM has his substitution keywords expanded.
-
- <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_UsernameSubstitution">
- <title>ACL User Name and Domain Name Substitution Keywords</title>
- <tgroup cols="2">
- <thead>
- <row>
- <entry>Keyword</entry>
- <entry>Expansion</entry>
- </row>
- </thead>
- <tbody>
- <row>
- <entry> <command>${userdomain}</command> </entry>
- <entry>bob_user_QPID_COM</entry>
- </row>
- <row>
- <entry> <command>${user}</command> </entry>
- <entry>bob_user</entry>
- </row>
- <row>
- <entry> <command>${domain}</command> </entry>
- <entry>QPID_COM</entry>
- </row>
- </tbody>
- </tgroup>
- </table>
- </para>
-
- <para>
- <itemizedlist>
- <listitem>
- The original user name has the period â.â and ampersand â@â characters translated into underscore â_â. This allows substitution to work when the substitution keyword is used in a routingkey in the Acl file.
- </listitem>
- <listitem>
- The Acl processing matches ${userdomain} before matching either ${user} or ${domain}. Rules that specify the combination ${user}_${domain} will never match.
- </listitem>
- </itemizedlist>
- </para>
+ </section>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-linelength">
+ <title>Line Length</title>
+ <itemizedlist>
+ <listitem>
+ <para>
+ ACL file lines are limited to 1024 characters.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </section>
+
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords">
+ <title>ACL File Keywords</title>
+ ACL reserves several words for convenience and for context sensitive substitution.
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords-all">
+ <title>The <command>all</command> Keyword</title>
+ The keyword <command>all</command> is reserved. It may be used in ACL rules to match all individuals and groups, all actions, or all objects.
+ <itemizedlist>
+ <listitem>acl allow all create queue</listitem>
+ <listitem>acl allow bob@QPID all queue</listitem>
+ <listitem>acl allow bob@QPID create all</listitem>
+ </itemizedlist>
+ </section>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions-keywords-userdomain">
+ <title>User Name and Domain Name Keywords</title>
+ <para>
+ In the C++ Broker 0.20 a simple set of user name and domain name substitution variable keyword tokens is defined. This provides administrators with an easy way to describe private or shared resources.
+ </para>
+ <para>
+ Symbol substitution is allowed in the ACL file anywhere that text is supplied for a property value.
+ </para>
+ <para>
+ In the following table an authenticated user named bob.user@QPID.COM has his substitution keywords expanded.
+
+ <table id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_UsernameSubstitution">
+ <title>ACL User Name and Domain Name Substitution Keywords</title>
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>Keyword</entry>
+ <entry>Expansion</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry> <command>${userdomain}</command> </entry>
+ <entry>bob_user_QPID_COM</entry>
+ </row>
+ <row>
+ <entry> <command>${user}</command> </entry>
+ <entry>bob_user</entry>
+ </row>
+ <row>
+ <entry> <command>${domain}</command> </entry>
+ <entry>QPID_COM</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+ </para>
+
+ <para>
+ <itemizedlist>
+ <listitem>
+ The original user name has the period â.â and ampersand â@â characters translated into underscore â_â. This allows substitution to work when the substitution keyword is used in a routingkey in the Acl file.
+ </listitem>
+ <listitem>
+ The Acl processing matches ${userdomain} before matching either ${user} or ${domain}. Rules that specify the combination ${user}_${domain} will never match.
+ </listitem>
+ </itemizedlist>
+ </para>
<programlisting><![CDATA[
# Example:
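Review bot: in the User Name and Domain Name Keywords section the quotes around the period, at sign and underscore come through as mis-encoded bytes (`â.â`, `â@â`, `â_â`); use plain ASCII quotes as the rest of the file does, and name `@` the at sign rather than ampersand. Separately, "ACL reserves several words for convenience and for context sensitive substitution." and "The keyword <command>all</command> is reserved. ..." are bare text directly inside <section>, and the three example rules in the itemizedlist that follows are bare text inside <listitem>; DocBook requires block content there, so wrap each in <para> so the document validates.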
@@ -1388,122 +1403,122 @@ property = "name" | "durable" | "routin
]]></programlisting>
</section>
- </section>
+ </section>
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards">
+ <title>Wildcards</title>
+ ACL privides two types of wildcard matching to provide flexibility in writing rules.
+
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards-asterisk">
+ <title>Property Value Wildcard</title>
+ <para>
+ Text specifying a property value may end with a single trailing <command>*</command> character.
+ This is a simple wildcard match indicating that strings which match up to that point are matches for the ACL property rule.
+ An ACL rule such as
+ </para>
+ <para>
+ <programlisting> acl allow bob@QPID create queue name=bob*</programlisting>
+ </para>
+ <para>
+ allow user bob@QPID to create queues named bob1, bob2, bobQueue3, and so on.
+ </para>
+ </section>
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards">
- <title>Wildcards</title>
- ACL privides two types of wildcard matching to provide flexibility in writing rules.
-
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards-asterisk">
- <title>Property Value Wildcard</title>
- <para>
- Text specifying a property value may end with a single trailing <command>*</command> character.
- This is a simple wildcard match indicating that strings which match up to that point are matches for the ACL property rule.
- An ACL rule such as
- </para>
- <para>
- <programlisting> acl allow bob@QPID create queue name=bob*</programlisting>
- </para>
- <para>
- allow user bob@QPID to create queues named bob1, bob2, bobQueue3, and so on.
- </para>
- </section>
-
- <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards-topickey">
- <title>Topic Routing Key Wildcard</title>
- <para>
- In the C++ Broker 0.20 the logic governing the ACL Match has changed for each ACL rule that contains a routingkey property.
- The routingkey property is matched according to Topic Exchange match logic the broker uses when it distributes messages published to a topic exchange.
- </para>
- <para>
- Routing keys are hierarchical where each level is separated by a period:
- <itemizedlist>
- <listitem>weather.usa</listitem>
- <listitem>weather.europe.germany</listitem>
- <listitem>weather.europe.germany.berlin</listitem>
- <listitem>company.engineering.repository</listitem>
- </itemizedlist>
- </para>
- <para>
- Within the routing key hierarchy two wildcard characters are defined.
- <itemizedlist>
- <listitem><command>*</command> matches one field</listitem>
- <listitem><command>#</command> matches zero or more fields</listitem>
- </itemizedlist>
- </para>
- <para>
- Suppose an ACL rule file is:
- </para>
- <para>
- <programlisting>
+ <section id="sect-Messaging_User_Guide-Authorization-ACL_Syntatic_Conventions-wildcards-topickey">
+ <title>Topic Routing Key Wildcard</title>
+ <para>
+ In the C++ Broker 0.20 the logic governing the ACL Match has changed for each ACL rule that contains a routingkey property.
+ The routingkey property is matched according to Topic Exchange match logic the broker uses when it distributes messages published to a topic exchange.
+ </para>
+ <para>
+ Routing keys are hierarchical where each level is separated by a period:
+ <itemizedlist>
+ <listitem>weather.usa</listitem>
+ <listitem>weather.europe.germany</listitem>
+ <listitem>weather.europe.germany.berlin</listitem>
+ <listitem>company.engineering.repository</listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Within the routing key hierarchy two wildcard characters are defined.
+ <itemizedlist>
+ <listitem><command>*</command> matches one field</listitem>
+ <listitem><command>#</command> matches zero or more fields</listitem>
+ </itemizedlist>
+ </para>
+ <para>
+ Suppose an ACL rule file is:
+ </para>
+ <para>
+ <programlisting>
acl allow-log uHash1@COMPANY publish exchange name=X routingkey=a.#.b
acl deny all all
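Review bot: "ACL privides two types of wildcard matching" should read "provides", and the sentence split across the bob* programlisting ("An ACL rule such as ... allow user bob@QPID to create queues") needs "allows" for the subject to agree. The new section ids keep the existing misspelling `ACL_Syntatic_Conventions`; leaving it is reasonable since other links may target it, but it should not be copied into any further new ids. It would also help readers of the routing-key example to state explicitly that `#` inside `routingkey=a.#.b` is a topic wildcard and not a comment, since the Comments section only reserves `#` at the start of a line.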
[... 987 lines stripped ...]