[ https://issues.apache.org/jira/browse/QPID-2539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12865168#action_12865168 ]
Andrew Kennedy commented on QPID-2539:
--------------------------------------

Sorry for the delay in adding this...

The changes are cosmetic, mostly, and would (admittedly) have the result of breaking Java to C++ compatibility, although C++ ACL files would remain parseable by the Java broker.

The file format specification would have three types of declarations: group, acl or config, which I will describe below. Additionally, there are common features among these declarations.

1. Whitespace is considered to be any ASCII byte with a value below 0x20, and is ignored when it occurs between tokens.
2. Continuations using the '\' character (ASCII 0x5c) are allowed anywhere on a line, and can consist of a blank line with a continuation character as the last non-whitespace token.
3. Comments are line-style comments, and any text after an un-quoted '#' (ASCII 0x23) is ignored, including continuations. The '#' character may appear in a quoted string.
4. Quoted strings consist of any ASCII inside matching pairs of ''' or '"' (ASCII 0x27 and 0x22) characters, including any otherwise special characters.
5. Tokens are *NOT* case sensitive, but quoted strings *ARE*.
6. The '=' (ASCII 0x3d) character is special, and is used to indicate property value assignment.
7. Wildcards are specified using the '*' (ASCII 0x2a) character in a property value string, which may be quoted.

The declarations are as follows, using some kind of grammar, with + and * having the usual regular expression meanings; parentheses denote grouping and brackets denote optional elements.

    CONFIG ( <config-property> '=' <TRUE | FALSE> ) +

    GROUP <group-name> ( <username | group-name> ) +

    [ <number> ] ACL <permission> <username | group-name | ALL> <operation> [ <object-type> ( <property-name> '=' <property-value> ) * ]

This allows a rather looser and more readable style for ACL files, while still retaining the ability to read the stricter files accepted by the C++ broker.

Bear in mind that the group declarations are to be deprecated, in favour of an external directory service, using a plugin mechanism.

The initial <number> is used to allow rulesets to be created which allow individual rules to be enabled and disabled using an admin interface, and an ACL file using numbered lines would be restricted to having increasing numbers per rule, although gaps would be allowed to enable rules to be inserted later, again using an admin interface. This administrative interface would also allow saving of a modified ruleset and re-loading.

Additionally, the following operations, object types and property names are defined, some of which are not present in the C++ implementation:

    Operation: ALL, CONSUME, PUBLISH, CREATE, ACCESS, CONNECT, BIND, UNBIND, DELETE, PURGE, UPDATE, ADMIN
    ObjectType: ALL, VIRTUALHOST, QUEUE, TOPIC, EXCHANGE, BROKER, LINK, ROUTE, METHOD, USER, LOG, CONFIG, ACL
    Property: ROUTING_KEY, NAME, QUEUE_NAME, OWNER, TYPE, ALTERNATE, INTERNAL, NO_WAIT, NO_LOCAL, NO_ACK, PASSIVE, DURABLE, EXCLUSIVE, TEMPORARY, AUTO_DELETE, TCP_SESSION, REMOTE_ADDR

There are restrictions on the combinations of Operations and ObjectTypes, as well as which Properties can be used to specify an ObjectType. I will attach a more detailed document on these restrictions, which I am working on at the moment, describing the use cases that are covered.

Andrew.

> Update ACL file syntax to be clearer and add extra operations
> -------------------------------------------------------------
>
>                 Key: QPID-2539
>                 URL: https://issues.apache.org/jira/browse/QPID-2539
>             Project: Qpid
>          Issue Type: Sub-task
>          Components: Java Broker
>            Reporter: Andrew Kennedy
>             Fix For: 0.7
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
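As an added illustration, not code from the Qpid project or from the comment above, here is a small Python tokenizer and parser for the grammar described in it. It assumes the space character (0x20) counts as whitespace alongside the bytes below it, treats a '\' followed only by whitespace and a newline as a continuation, keeps quoted strings verbatim while upper-casing bare tokens, and parses a constructed sample ruleset.

```python
import re
class Quoted(str): "A token from a quoted string: kept verbatim and case-sensitive (rules 4, 5)."
TOKEN = re.compile(
    r"""(['"])([^\n]*?)\1|#[^\n]*"""   # 1,2: quoted string | comment to end of line ('\' inside it ignored)
    r"|\\[^\S\n]*\n|(\n)|(=)"          # continuation ('\' last on its line) | 3: end of statement | 4: '='
    r"""|([^\x00-\x20='"#\\]+)|[\x00-\x20]|(.)""")  # 5: bare token | whitespace (assumes 0x20 counts) | 6: error

def tokenize(text):
    """Split ACL text into statements, each a list of tokens (rules 1-6)."""
    statements, toks = [], []
    for m in TOKEN.finditer(text + "\n"):
        quote, body, nl, eq, bare, bad = m.groups()
        if bad: raise ValueError("unexpected character %r" % bad)
        if nl:
            if toks: statements.append(toks)
            toks = []
        elif quote:
            toks.append(Quoted(body))
        elif eq or bare:
            toks.append(bare.upper() if bare else "=")   # bare tokens are case-insensitive
    return statements

def parse_props(toks):
    """( <name> '=' <value> )* as a dict; values may hold '*' wildcards (rule 7)."""
    if len(toks) % 3 or toks[1::3] != ["="] * (len(toks) // 3):
        raise ValueError("expected name=value pairs, got %r" % (toks,))
    return dict(zip(toks[0::3], toks[2::3]))

def parse(text):
    """Return the CONFIG / GROUP / [<number>] ACL declarations as dicts."""
    decls = []
    for toks in tokenize(text):
        number = int(toks.pop(0)) if toks[0].isdigit() else None   # optional leading <number>
        kind = toks[0] if toks else None
        if kind == "CONFIG" and number is None and len(toks) > 1:
            decls.append({"type": kind, "properties": parse_props(toks[1:])})
        elif kind == "GROUP" and number is None and len(toks) > 2:
            decls.append({"type": kind, "name": toks[1], "members": toks[2:]})
        elif kind == "ACL" and len(toks) > 3:
            decls.append({"type": kind, "number": number, "permission": toks[1], "identity": toks[2],
                          "operation": toks[3], "object": toks[4] if len(toks) > 4 else None,
                          "properties": parse_props(toks[5:])})
        else:
            raise ValueError("bad declaration: %r" % (toks,))
    return decls

SAMPLE = """CONFIG defaultdeny = true \\
       transitivegroups=false
GROUP admins alice Bob
20 ACL ALLOW guest CONSUME QUEUE name="Orders.#"   # '#' inside quotes is literal
30 ACL DENY ALL PUBLISH EXCHANGE name=amq.* routing_key='Secret Stuff'"""   # constructed sample ruleset
```

Quoted values come back as Quoted instances, so a later rule matcher can tell which property values must be compared case-sensitively.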
--------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:dev-subscr...@qpid.apache.org