[ https://issues.apache.org/jira/browse/QPID-4230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13438039#comment-13438039 ]
Chuck Rolke commented on QPID-4230:
-----------------------------------

https://reviews.apache.org/r/6645/ is the proposed implementation of this feature.

1. This patch does not change the syntax for the Acl file. It adds keyword interpretation to the Acl file content.

2. The substitution keywords are: "${user}", "${domain}", and "${userdomain}".

3. User and domain names are normalized by replacing period "." and ampersand "@" with underscore "_".

4. For user bob.u...@qpid.com the run-time substitution values would be
{noformat}
Keyword        Value
=============  =================
${user}        bob_user
${domain}      QPID_COM
${userdomain}  bob_user_QPID_COM
{noformat}

5. Keyword substitution is allowed for
 * Any object name: exchange, queue, link, broker, method
 * Routing keys
 * Alternate exchange name
 * Queue name

6. For routing key lookups the ${userdomain} keyword is found before either ${user} or ${domain}. If the user presents a routing key lookup of "bob_user_QPID_COM" then it will match an Acl rule with ${userdomain} and not with ${user}_${domain}.

7. Example Acl file. This example allows any user to create a private queue and exchange to which only that user may bind. The queue and exchange may have a private backup exchange and queue to which only that user may bind.
{noformat}
# Create primary queue and exchange:
#   allow predefined alternate
#   deny any other alternate
#   allow no alternate
acl allow all create queue name=${userdomain}-work alternate=${userdomain}-work2
acl deny all create queue name=${userdomain}-work alternate=*
acl allow all create queue name=${userdomain}-work
acl allow all create exchange name=${userdomain}-work alternate=${userdomain}-work2
acl deny all create exchange name=${userdomain}-work alternate=*
acl allow all create exchange name=${userdomain}-work

# Create backup queue and exchange
#   Deny any alternate
acl deny all create queue name=${userdomain}-work2 alternate=*
acl allow all create queue name=${userdomain}-work2
acl deny all create exchange name=${userdomain}-work2 alternate=*
acl allow all create exchange name=${userdomain}-work2

# Bind/unbind primary exchange
#   Use only predefined routingkey and queuename
acl allow all bind exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work
acl allow all unbind exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work

# Bind/unbind backup exchange
#   Use only predefined routingkey and queuename
acl allow all bind exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2
acl allow all unbind exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2

# Access primary exchange
#   Use only predefined routingkey and queuename
acl allow all access exchange name=${userdomain}-work routingkey=${userdomain} queuename=${userdomain}-work

# Access backup exchange
#   Use only predefined routingkey and queuename
acl allow all access exchange name=${userdomain}-work2 routingkey=${userdomain} queuename=${userdomain}-work2

# Publish primary exchange
#   Use only predefined routingkey
acl allow all publish exchange name=${userdomain}-work routingkey=${userdomain}

# Publish backup exchange
#   Use only predefined routingkey
acl allow all publish exchange name=${userdomain}-work2 routingkey=${userdomain}

# deny mode
acl deny all all
{noformat}

> C++ Broker could use username substitution keyword strings in Acl rules
> -----------------------------------------------------------------------
>
>                 Key: QPID-4230
>                 URL: https://issues.apache.org/jira/browse/QPID-4230
>             Project: Qpid
>          Issue Type: Improvement
>          Components: C++ Broker
>    Affects Versions: 0.19
>            Reporter: Chuck Rolke
>            Assignee: Chuck Rolke
>
> Acl processing in the broker could perform username substitution into Acl
> rules. This would provide an easy and flexible way to constrain users.
> 1. Let the literal string ${user} be the keyword placed into Acl files.
> 2. When expanded ${user} will become the full authenticated userId such as
> 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing
> between 'bob@QPID' and 'b...@example.com'.
> 3. Username keyword substitution is performed only on object names and in
> routing keys.
> Acl rule file examples:
> acl allow all create exchange name=temp-${user}
> acl allow all access exchange name=temp-${user}
> acl allow all bind exchange name=temp-${user}
> acl allow all unbind exchange name=temp-${user}
> acl allow all delete exchange name=temp-${user}
> acl allow all publish exchange name=temp-${user} routingkey=temp.${user}
> acl allow all create queue name=temp-${user}
> acl allow all access queue name=temp-${user}
> acl allow all purge queue name=temp-${user}
> acl allow all consume queue name=temp-${user}
> acl allow all delete queue name=temp-${user}
> Using a rule set like this would allow all users to create a private temp-
> exchange and a private temp- queue bound to their user names.

--
This message is automatically generated by JIRA.
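The normalization and lookup-precedence rules from the comment above (items 3, 4 and 6), worked through as an added C++ example; this is not the patch's or the broker's code. It assumes a userId of the form user@domain, models the routing-key lookup as converting the presented value back into keyword form so that ${userdomain} wins over ${user}_${domain}, and uses a constructed userId "bob.user@QPID.COM" that reproduces the table in item 4.

```cpp
#include <iostream>
#include <string>

// Rule 3: replace '.' and '@' in a user or domain name with '_'.
std::string normalizeName(std::string s) {
    for (char& c : s) if (c == '.' || c == '@') c = '_';
    return s;
}

// The three run-time values derived from one authenticated userId.
// Assumption: text before the first '@' is the user, text after it the domain.
struct SubstValues { std::string user, domain, userdomain; };

SubstValues substitutionValues(const std::string& userId) {
    std::string::size_type at = userId.find('@');
    SubstValues v;
    v.user = normalizeName(userId.substr(0, at));
    v.domain = at == std::string::npos ? std::string() : normalizeName(userId.substr(at + 1));
    v.userdomain = v.user + "_" + v.domain;
    return v;
}

// Replace every occurrence of `from` in `s` with `to` (no-op when `from` is empty).
static void replaceAll(std::string& s, const std::string& from, const std::string& to) {
    if (from.empty()) return;
    for (std::string::size_type pos = s.find(from); pos != std::string::npos;
         pos = s.find(from, pos + to.size()))
        s.replace(pos, from.size(), to);
}

// Rule 6: turn a presented object name or routing key back into keyword form,
// trying ${userdomain} before ${user} or ${domain}.
std::string keywordize(std::string name, const SubstValues& v) {
    replaceAll(name, v.userdomain, "${userdomain}");
    replaceAll(name, v.user, "${user}");
    replaceAll(name, v.domain, "${domain}");
    return name;
}

// A rule's name/routingkey pattern matches when it equals the presented value
// literally or after keyword lookup. This models the semantics described in
// the comment, not the broker's actual implementation.
bool ruleMatches(const std::string& pattern, const std::string& presented, const SubstValues& v) {
    return pattern == presented || pattern == keywordize(presented, v);
}

int main() {
    SubstValues v = substitutionValues("bob.user@QPID.COM");  // constructed userId
    std::cout << v.user << " " << v.domain << " " << v.userdomain << "\n";
    std::cout << ruleMatches("${userdomain}", "bob_user_QPID_COM", v) << " "
              << ruleMatches("${user}_${domain}", "bob_user_QPID_COM", v) << "\n";
}
```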