Author: chug
Date: Mon Jul 14 22:08:05 2014
New Revision: 1610547

URL: http://svn.apache.org/r1610547
Log:
QPID-5890: Refactoring AclModule documentation update.
The refactoring exposed new details about how the ACL module works.

Modified:
    qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml

Modified: qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml
URL: 
http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml?rev=1610547&r1=1610546&r2=1610547&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml (original)
+++ qpid/trunk/qpid/doc/book/src/cpp-broker/Security.xml Mon Jul 14 22:08:05 
2014
@@ -398,669 +398,727 @@ com.sun.security.jgss.initiate {
                 <!--          ########          --> <section 
id="sect-Messaging_User_Guide-Authorization-ACL_Syntax">
                        <title>ACL Syntax</title>
                         <para>
-                               ACL rules must be on a single line and follow 
this syntax:
+                               ACL rules follow this syntax:
 <programlisting><![CDATA[
-    user = username[/domain[@realm]]
-    user-list = user1 user2 user3 ...
-    group-name-list = group1 group2 group3 ...
-
-    group <group-name> = [user-list] [group-name-list]
-
-    permission = [allow | allow-log | deny | deny-log]
-    action = [consume | publish | create | access |
-              bind | unbind | delete | purge | update |
-              move | redirect | reroute]
-    object = [queue | exchange | broker | link | method | query]
-    property = [name | durable | owner | routingkey |
-                autodelete | exclusive |type |
-               alternate | queuename | exchangename |
-               schemapackage | schemaclass |
-               queuemaxsizelowerlimit  |
-               queuemaxsizeupperlimit  |
-                queuemaxcountlowerlimit |
-               queuemaxcountupperlimit |
-                filemaxsizelowerlimit   |
-               filemaxsizeupperlimit   |
-                filemaxcountlowerlimit  |
-               filemaxcountupperlimit  |
-                pageslowerlimit         |
-                pagesupperlimit         |
-                pagefactorlowerlimit    |
-                pagefactorupperlimit ]
-
-    acl permission {<group-name>|<user-name>|"all"} {action|"all"} 
[object|"all"
-                [property=<property-value> ...]]
-
-    quota-spec = [connections | queues]
-    quota quota-spec N {<group-name>|<user-name>|"all"}
-                [{<group-name>|<user-name>|"all"}]
-]]></programlisting>
+aclline = ( comment | aclspec | groupspec | quotaspec )
 
-                                ACL rules can also include a single object 
name (or the keyword <parameter>all</parameter>) and one or more property name 
value pairs in the form <command>property=value</command>
-                       </para>
-                        <para>
-                               The following tables show the possible values 
for <command>permission</command>, <command>action</command>, 
<command>object</command>, and <command>property</command> in an ACL rules file.
-                       </para>
-                        <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rules_permission">
-                               <title>ACL Rules: permission</title>
-                                <tgroup cols="2">
-                                       <tbody>
-                                               <row>
-                                                       <entry>
-                                                               
<command>allow</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Allow 
the action <!--          ### rule => the action          -->
-                                                               </para>
+comment = "#" [ STRING ]
 
-                                                       </entry>
+aclspec = "acl" permission ( groupname | name | "all" ) 
+          ( action | "all" ) [ ( object | "all ) [ ( property "=" STRING )* ] ]
 
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>allow-log</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Allow 
the action and log the action in the event log
-                                                               </para>
+groupspec = "group" groupname ( name )* [ "\" ]
 
-                                                       </entry>
+groupcontinuation = ( name )* [ "\" ]
 
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>deny</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Deny 
the action
-                                                               </para>
+quotaspec = "quota" ( "connections" | "queues" ) NUMBER ( groupname | name | 
"all" )*
 
-                                                       </entry>
+name = ( ALPHANUMERIC | "-" | "_" | "." | "@" | "/" ) [ ( ALPHANUMERIC | "-" | 
"_" | "." | "@" | "/" )* ]
 
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>deny-log</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Deny 
the action and log the action in the event log
-                                                               </para>
+groupname = ( ALPHANUMERIC | "-" | "_" ) [ ( ALPHANUMERIC | "-" | "_" )* ]
 
-                                                       </entry>
+permission = "allow" | "allow-log" | "deny" | "deny-log"
 
-                                               </row>
+action = "consume" | "publish" | "create" | "access" |
+         "bind"    | "unbind"  | "delete" | "purge"  |
+         "update"
 
-                                       </tbody>
+object = "queue"  | "exchange" | "broker"     | "link" |
+         "method" | "query"    | "connection"
 
-                               </tgroup>
+property =  "name" | "durable" | "routingkey" | "autodelete" |
+            "exclusive" | "type" | "alternate" | "queuename"  |
+            "exchangename" | "schemapackage" | "schemaclass" |
+            "policytype" | "paging" |
+            "queuemaxsizelowerlimit"  | "queuemaxsizeupperlimit" |
+            "queuemaxcountlowerlimit" | "queuemaxcountupperlimit" |
+            "filemaxsizelowerlimit"   | "filemaxsizeupperlimit" |
+            "filemaxcountlowerlimit"  | "filemaxcountupperlimit" |
+            "pageslowerlimit"         | "pagesupperlimit" |
+            "pagefactorlowerlimit"    | "pagefactorupperlimit"
+]]></programlisting>
 
-                       </table>
+                                ACL rules can also include a single object 
name (or the keyword <parameter>all</parameter>) and one or more property name 
value pairs in the form <command>property=value</command>
+                       </para>
+                        <para>
+                               The following tables show the possible values 
for <command>permission</command>, <command>action</command>, 
<command>object</command>, and <command>property</command> in an ACL rules file.
+                        </para>
+                        <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rules_permission">
+                          <title>ACL Rules: permission</title>
+                          <tgroup cols="2">
+                            <tbody>
+                              <row>
+                                <entry>
+                                  <command>allow</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    Allow the action <!--          ### rule => 
the action          -->
+                                  </para>
+                                </entry>
+                                </row>
+                                <row>
+                                  <entry>
+                                    <command>allow-log</command>
+                                  </entry>
+                                  <entry>
+                                    <para>
+                                      Allow the action and log the action in 
the event log
+                                    </para>
+                                  </entry>
+                                </row>
+                                <row>
+                                  <entry>
+                                    <command>deny</command>
+                                  </entry>
+                                  <entry>
+                                    <para>
+                                      Deny the action
+                                    </para>
+                                  </entry>
+                                </row>
+                                <row>
+                                  <entry>
+                                    <command>deny-log</command>
+                                  </entry>
+                                  <entry>
+                                    <para>
+                                      Deny the action and log the action in 
the event log
+                                    </para>
+                                  </entry>
+                                </row>
+                            </tbody>
+                          </tgroup>
+                        </table>
                         <!--          Actions          --> <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesaction">
-                               <title>ACL Rules:action</title>
-                                <tgroup cols="2">
-                                       <tbody>
-                                               <row>
-                                                       <entry>
-                                                               
<command>consume</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
when subscriptions are created
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>publish</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
on a per message basis
-                                                                       to 
verify that the user has rights to publish to the given
-                                                                       
exchange with the given routingkey.
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>create</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
when an object is created, such as bindings, queues, exchanges, links
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>access</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
when an object is read or accessed
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>bind</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
when objects are bound together
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>unbind</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
when objects are unbound
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>delete</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
when objects are deleted
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>purge</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Similar 
to delete but the action is performed on more than one object
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>update</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       Applied 
when an object is updated
-                                                               </para>
-
-                                                       </entry>
-                                                </row>
-                                                 <row>
-                                                        <entry>
-                                                                
<command>move</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        When 
moving messages between queues
-                                                                </para>
-
-                                                        </entry>
-                                                </row>
-                                                 <row>
-                                                        <entry>
-                                                                
<command>redirect</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        When 
redirecting messages between queues
-                                                                </para>
-
-                                                        </entry>
-                                                </row>
-                                                 <row>
-                                                        <entry>
-                                                                
<command>reroute</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        When 
rerouting messages from a queue to an exchange
-                                                                </para>
-
-                                                        </entry>
-
-                                               </row>
-
-                                       </tbody>
-
-                               </tgroup>
-
-                       </table>
+                          <title>ACL Rules: action</title>
+                          <tgroup cols="2">
+                            <tbody>
+                              <row>
+                                <entry>
+                                  <command>consume</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is attempting to read the object
+                                  </para>
+                                  
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>publish</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is attempting to write a message to 
the exchange.
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>create</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is creating the object
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>access</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is accessing (reading) the object
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>bind</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is associating a queue to an exchange 
with a routing key.
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>unbind</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    Useris disassociating a queue from an 
exchange with a routing key.
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>delete</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is deleting the object.
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>purge</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is purging a queue.
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>update</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    User is changing a broker configuration 
setting.
+                                  </para>
+                                </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>move</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     When moving messages between queues
+                                   </para>
+                                 </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>redirect</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     When redirecting messages between queues
+                                   </para>
+                                 </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>reroute</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     When rerouting messages from a queue to 
an exchange
+                                   </para>
+                                 </entry>
+                              </row>
+                            </tbody>
+                          </tgroup>
+                        </table>
                         <!--          object types          --> <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesobject">
-                               <title>ACL Rules:object</title>
-                                <tgroup cols="2">
-                                       <tbody>
-                                               <row>
-                                                       <entry>
-                                                               
<command>queue</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       A queue
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>exchange</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       An 
exchange
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>broker</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       The 
broker
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>link</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       A 
federation or inter-broker link
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                <row>
-                                                       <entry>
-                                                               
<command>method</command>
-                                                       </entry>
-                                                        <entry>
-                                                               <para>
-                                                                       
Management or agent or broker method
-                                                               </para>
-
-                                                       </entry>
-
-                                               </row>
-                                                 <row>
-                                                        <entry>
-                                                                
<command>query</command>
-                                                        </entry>
-                                                         <entry>
-                                                                <para>
-                                                                        
Management query (of an object or whole class)
-                                                                </para>
-
-                                                        </entry>
-
-                                                </row>
-
-                                       </tbody>
-
-                               </tgroup>
-
-                       </table>
+                          <title>ACL Rules:object</title>
+                          <tgroup cols="2">
+                            <tbody>
+                              <row>
+                                <entry>
+                                  <command>queue</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    A queue
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>exchange</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    An exchange
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>broker</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    The broker
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>link</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    A federation or inter-broker link
+                                  </para>
+                                </entry>
+                              </row>
+                              <row>
+                                <entry>
+                                  <command>method</command>
+                                </entry>
+                                <entry>
+                                  <para>
+                                    Management or agent or broker method
+                                  </para>
+                                </entry>
+                              </row>
+                               <row>
+                                 <entry>
+                                   <command>query</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     Management query (of an object or whole 
class)
+                                   </para>
+                                 </entry>
+                               </row>
+                               <row>
+                                 <entry>
+                                   <command>connection</command>
+                                 </entry>
+                                 <entry>
+                                   <para>
+                                     An incoming TCP/IP connection
+                                   </para>
+                                 </entry>
+                               </row>
+                            </tbody>
+                          </tgroup>
+                        </table>
                         <!--
         <para>
-          Wild cards can be used on properties that are a string. The 
following properties are supported:          --> <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesproperty">
-                               <title>ACL Rules:property</title>
-                                <tgroup cols="4">
-                                  <thead>
-                                    <row>
-                                      <entry>Property</entry>
-                                      <entry>Type</entry>
-                                      <entry>Description</entry>
-                                      <entry>Usage</entry>
-                                    </row>
-                                  </thead>
-                                  <tbody>
-                                    <row>
-                                      <entry> <command>name</command> </entry>
-                                      <entry>String</entry>
-                                      <entry>Object name, such as a queue name 
or exchange name.</entry>
-                                      <entry></entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>durable</command> 
</entry>
-                                      <entry>Boolean</entry>
-                                      <entry>Indicates the object is 
durable</entry>
-                                      <entry>CREATE QUEUE, CREATE EXCHANGE, 
ACCESS QUEUE, ACCESS EXCHANGE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>routingkey</command> 
</entry>
-                                      <entry>String</entry>
-                                      <entry>Specifies routing key</entry>
-                                      <entry>BIND EXCHANGE, UNBIND EXCHANGE, 
ACCESS EXCHANGE, PUBLISH EXCHANGE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>autodelete</command> 
</entry>
-                                      <entry>Boolean</entry>
-                                      <entry>Indicates whether or not the 
object gets deleted when the connection is closed</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>exclusive</command> 
</entry>
-                                      <entry>Boolean</entry>
-                                      <entry>Indicates the presence of an 
<parameter>exclusive</parameter> flag</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                     <row>
-                                       <entry> <command>paging</command> 
</entry>
-                                       <entry>Boolean</entry>
-                                       <entry>Indicates if the queue is paging 
queue</entry>
-                                       <entry>CREATE QUEUE, ACCESS 
QUEUE</entry>
-                                     </row>
-                                    <row>
-                                      <entry> <command>type</command> </entry>
-                                      <entry>String</entry>
-                                      <entry>Type of exchange, such as topic, 
fanout, or xml</entry>
-                                      <entry>CREATE EXCHANGE, ACCESS 
EXCHANGE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>alternate</command> 
</entry>
-                                      <entry>String</entry>
-                                      <entry>Name of the alternate 
exchange</entry>
-                                      <entry>CREATE EXCHANGE, CREATE QUEUE, 
ACCESS EXCHANGE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>queuename</command> 
</entry>
-                                      <entry>String</entry>
-                                      <entry>Name of the queue</entry>
-                                      <entry>ACCESS EXCHANGE, BIND EXCHANGE, 
UNBIND EXCHANGE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>schemapackage</command> 
</entry>
-                                      <entry>String</entry>
-                                      <entry>QMF schema package name</entry>
-                                      <entry>ACCESS METHOD</entry>
-                                    </row>
-                                    <row>
-                                      <entry> <command>schemaclass</command> 
</entry>
-                                      <entry>String</entry>
-                                      <entry>QMF schema class name</entry>
-                                      <entry>ACCESS METHOD</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>queuemaxsizelowerlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Minimum value for queue.max_size 
(memory bytes)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>queuemaxsizeupperlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Maximum value for queue.max_size 
(memory bytes)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>queuemaxcountlowerlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Minimum value for queue.max_count 
(messages)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>queuemaxcountupperlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Maximum value for queue.max_count 
(messages)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>filemaxsizelowerlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Minimum value for file.max_size 
(64kb pages)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>filemaxsizeupperlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Maximum value for file.max_size 
(64kb pages)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>filemaxcountlowerlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Minimum value for file.max_count 
(files)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                    <row>
-                                      <entry> 
<command>filemaxcountupperlimit</command> </entry>
-                                      <entry>Integer</entry>
-                                      <entry>Maximum value for file.max_count 
(files)</entry>
-                                      <entry>CREATE QUEUE, ACCESS QUEUE</entry>
-                                    </row>
-                                     <row>
-                                       <entry> 
<command>pageslowerlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Minimum value for number of 
pages in memory of paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-                                     <row>
-                                       <entry> 
<command>pagesupperlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Maximum value for number of 
pages in memory of paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-                                     <row>
-                                       <entry> 
<command>pagefactorlowerlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Minimum value for size of one 
page in paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-                                     <row>
-                                       <entry> 
<command>pagefactorupperlimit</command> </entry>
-                                       <entry>Integer</entry>
-                                       <entry>Maximum value for size of one 
page in paged queue</entry>
-                                       <entry>CREATE QUEUE</entry>
-                                     </row>
-                                  </tbody>
-                               </tgroup>
-                       </table>
-
-                       <section 
id="sect-Messaging_User_Guide-Authorization-ACL_ActionObjectPropertyTuples">
-                         <title>ACL Action-Object-Property Tuples</title>
-                         <para>
-                           Not every ACL action is applicable to every ACL 
object. Furthermore, not every property may be
-                           specified for every action-object pair.
-                           The following table enumerates which action and 
object pairs are allowed.
-                           The table also lists which optional ACL properties 
are allowed to qualify
-                           action-object pairs.
-                         </para>
-                         <para>
-                           The <emphasis>access</emphasis> action is called 
with different argument
-                           lists for the <emphasis>exchange</emphasis> and 
<emphasis>queue</emphasis> objects.
-                           A separate column shows the AMQP 0.10 method that 
the Access ACL rule is satisfying.
-                           Write separate rules with the additional arguments 
for the <emphasis>declare</emphasis>
-                           and <emphasis>bind</emphasis> methods and include 
these rules in the ACL file
-                           before the rules for the <emphasis>query</emphasis> 
method.
-                           <!-- The exact sequence of calling these methods is 
a product of the client
-                           library. The user might not know anything about a 
'declare' or a 'query' or
-                           a passive declaration. -->
-                         </para>
-                         <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">
-                           <title>ACL Properties Allowed for each Action and 
Object</title>
-                           <tgroup cols="4">
-                             <thead>
-                               <row>
-                                 <entry>Action</entry>
-                                 <entry>Object</entry>
-                                 <entry>Properties</entry>
-                                 <entry>Method</entry>
-                               </row>
-                             </thead>
-                             <tbody>
-                               <row>
-                                 <entry>access</entry>
-                                 <entry>broker</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>access</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name type alternate durable</entry>
-                                 <entry>declare</entry>
-                               </row>
-                               <row>
-                                 <entry>access</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name queuename routingkey</entry>
-                                 <entry>bound</entry>
-                               </row>
-                               <row>
-                                 <entry>access</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name</entry>
-                                 <entry>query</entry>
-                               </row>
-                               <row>
-                                 <entry>access</entry>
-                                 <entry>method</entry>
-                                 <entry>name schemapackage schemaclass</entry>
-                                 <entry></entry>
-                               </row>
-                                <row>
-                                  <entry>access</entry>
-                                  <entry>query</entry>
-                                  <entry>name schemaclass</entry>
-                                  <entry></entry>
-                                </row>
-                               <row>
-                                 <entry>access</entry>
-                                 <entry>queue</entry>
-                                 <entry>name alternate durable exclusive 
autodelete policy queuemaxsizelowerlimit queuemaxsizeupperlimit 
queuemaxcountlowerlimit queuemaxcountupperlimit filemaxsizelowerlimit 
filemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit</entry>
-                                 <entry>declare</entry>
-                               </row>
-                               <row>
-                                 <entry>access</entry>
-                                 <entry>queue</entry>
-                                 <entry>name</entry>
-                                 <entry>query</entry>
-                               </row>
-                               <row>
-                                 <entry>bind</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name queuename routingkey</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>consume</entry>
-                                 <entry>queue</entry>
-                                 <entry>name</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>create</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name type alternate durable</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>create</entry>
-                                 <entry>link</entry>
-                                 <entry>name</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>create</entry>
-                                 <entry>queue</entry>
-                                 <entry>name alternate durable exclusive 
autodelete policy queuemaxsizelowerlimit queuemaxsizeupperlimit 
queuemaxcountlowerlimit queuemaxcountupperlimit filemaxsizelowerlimit 
filemaxsizeupperlimit filemaxcountlowerlimit filemaxcountupperlimit paging 
pageslowerlimit pagesupperlimit pagefactorlowerlimit 
pagefactorupperlimit</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>delete</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>delete</entry>
-                                 <entry>queue</entry>
-                                 <entry>name</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>publish</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name routingkey</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>purge</entry>
-                                 <entry>queue</entry>
-                                 <entry>name</entry>
-                                 <entry></entry>
-                               </row>
-                                <row>
-                                  <entry>move</entry>
-                                  <entry>queue</entry>
-                                  <entry>name</entry>
-                                  <entry>queuename</entry>
-                                </row>
-                                <row>
-                                  <entry>redirect</entry>
-                                  <entry>queue</entry>
-                                  <entry>name</entry>
-                                  <entry>queuename</entry>
-                                </row>
-                                <row>
-                                  <entry>reroute</entry>
-                                  <entry>queue</entry>
-                                  <entry>name</entry>
-                                  <entry>exchangename</entry>
-                                </row>
-                               <row>
-                                 <entry>unbind</entry>
-                                 <entry>exchange</entry>
-                                 <entry>name queuename routingkey</entry>
-                                 <entry></entry>
-                               </row>
-                               <row>
-                                 <entry>update</entry>
-                                 <entry>broker</entry>
-                                 <entry></entry>
-                                 <entry></entry>
-                               </row>
-                             </tbody>
-                           </tgroup>
-                         </table>
-                         <para>
-
-                         </para>
-                       </section>
-               </section>
+          Wild cards can be used on properties that are a string. The 
following rule properties are supported:          --> <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_Rulesproperty">
+                          <title>ACL Rules: property</title>
+                          <tgroup cols="4">
+                            <thead>
+                              <row>
+                                <entry>Property</entry>
+                                <entry>Type</entry>
+                                <entry>Description</entry>
+                                <entry>Usage</entry>
+                              </row>
+                            </thead>
+                            <tbody>
+                              <row>
+                                <entry> <command>name</command> </entry>
+                                <entry>String</entry>
+                                <entry>Rule refers to objects with this 
name</entry>
+                                <entry></entry>
+                              </row>
+                              <row>
+                                <entry> <command>durable</command> </entry>
+                                <entry>Boolean</entry>
+                                <entry>Rule applies to durable objects</entry>
+                                <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS 
QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>routingkey</command> </entry>
+                                <entry>String</entry>
+                                <entry>Specifies routing key</entry>
+                                <entry>BIND EXCHANGE, UNBIND EXCHANGE, ACCESS 
EXCHANGE, PUBLISH EXCHANGE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>autodelete</command> </entry>
+                                <entry>Boolean</entry>
+                                <entry>Indicates whether or not the object 
gets deleted when the connection is closed</entry>
+                                <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS 
QUEUE, ACCESS EXCHANGE, DELETE QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>exclusive</command> </entry>
+                                <entry>Boolean</entry>
+                                <entry>Indicates the presence of an 
<parameter>exclusive</parameter> flag</entry>
+                                <entry>CREATE QUEUE, ACCESS QUEUE, DELETE 
QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>type</command> </entry>
+                                <entry>String</entry>
+                                <entry>Type of exchange, such as topic, 
fanout, or xml</entry>
+                                <entry>CREATE EXCHANGE, ACCESS EXCHANGE, 
DELETE EXCHANGE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>alternate</command> </entry>
+                                <entry>String</entry>
+                                <entry>Name of the alternate exchange</entry>
+                                <entry>CREATE QUEUE, CREATE EXCHANGE, ACCESS 
QUEUE, ACCESS EXCHANGE, DELETE QUEUE, DELETE EXCHANGE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>queuename</command> </entry>
+                                <entry>String</entry>
+                                <entry>Name of the queue</entry>
+                                <entry>ACCESS EXCHANGE, BIND EXCHANGE, MOVE 
QUEUE, UNBIND EXCHANGE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>exchangename</command> 
</entry>
+                                <entry>String</entry>
+                                <entry>Name of the exchange</entry>
+                                <entry>REROUTE QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> <command>schemapackage</command> 
</entry>
+                                <entry>String</entry>
+                                <entry>QMF schema package name</entry>
+                                <entry>ACCESS METHOD</entry>
+                              </row>
+                              <row>
+                                <entry> <command>schemaclass</command> </entry>
+                                <entry>String</entry>
+                                <entry>QMF schema class name</entry>
+                                <entry>ACCESS METHOD, ACCESS QUERY</entry>
+                              </row>
+                              <row>
+                                <entry> <command>policytype</command> </entry>
+                                <entry>String</entry>
+                                <entry>"ring", "self-destruct", 
"reject"</entry>
+                                <entry>CREATE QUEUE, ACCESS QUEUE, DELETE 
QUEUE</entry>
+                              </row>
+                               <row>
+                                 <entry> <command>paging</command> </entry>
+                                 <entry>Boolean</entry>
+                                 <entry>Indicates if the queue is paging 
queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> <command>host</command> </entry>
+                                 <entry>String</entry>
+                                 <entry>Target TCP/IP host or host range for 
create connection rules</entry>
+                                 <entry>CREATE CONNECTION</entry>
+                               </row>
+                              <row>
+                                <entry> 
<command>queuemaxsizelowerlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Minimum value for queue.max_size 
(memory bytes)</entry>
+                                <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> 
<command>queuemaxsizeupperlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Maximum value for queue.max_size 
(memory bytes)</entry>
+                                <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> 
<command>queuemaxcountlowerlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Minimum value for queue.max_count 
(messages)</entry>
+                                <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> 
<command>queuemaxcountupperlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Maximum value for queue.max_count 
(messages)</entry>
+                                <entry>CREATE QUEUE, ACCESS QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> 
<command>filemaxsizelowerlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Minimum value for file.max_size (64kb 
pages)</entry>
+                                <entry>CREATE QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> 
<command>filemaxsizeupperlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Maximum value for file.max_size (64kb 
pages)</entry>
+                                <entry>CREATE QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> 
<command>filemaxcountlowerlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Minimum value for file.max_count 
(files)</entry>
+                                <entry>CREATE QUEUE</entry>
+                              </row>
+                              <row>
+                                <entry> 
<command>filemaxcountupperlimit</command> </entry>
+                                <entry>Integer</entry>
+                                <entry>Maximum value for file.max_count 
(files)</entry>
+                                <entry>CREATE QUEUE</entry>
+                              </row>
+                               <row>
+                                 <entry> <command>pageslowerlimit</command> 
</entry>
+                                 <entry>Integer</entry>
+                                 <entry>Minimum value for number of pages in 
memory of paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> <command>pagesupperlimit</command> 
</entry>
+                                 <entry>Integer</entry>
+                                 <entry>Maximum value for number of pages in 
memory of paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> 
<command>pagefactorlowerlimit</command> </entry>
+                                 <entry>Integer</entry>
+                                 <entry>Minimum value for size of one page in 
paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                               <row>
+                                 <entry> 
<command>pagefactorupperlimit</command> </entry>
+                                 <entry>Integer</entry>
+                                 <entry>Maximum value for size of one page in 
paged queue</entry>
+                                 <entry>CREATE QUEUE</entry>
+                               </row>
+                            </tbody>
+                          </tgroup>
+                        </table>
+
+                        <section 
id="sect-Messaging_User_Guide-Authorization-ACL_ActionObjectPropertyTuples">
+                          <title>ACL Action-Object-Property Tuples</title>
+                          <para>
+                            Not every ACL action is applicable to every ACL 
object. Furthermore, not every property may be
+                            specified for every action-object pair.
+                            The following table enumerates which action and 
object pairs are allowed.
+                            The table also lists which optional ACL properties 
are allowed to qualify
+                            action-object pairs.
+                          </para>
+                          <para>
+                            The <emphasis>access</emphasis> action is called 
with different argument
+                            lists for the <emphasis>exchange</emphasis> and 
<emphasis>queue</emphasis> objects.
+                            A separate column shows the AMQP 0.10 method that 
the Access ACL rule is satisfying.
+                            Write separate rules with the additional arguments 
for the <emphasis>declare</emphasis>
+                            and <emphasis>bind</emphasis> methods and include 
these rules in the ACL file
+                            before the rules for the 
<emphasis>query</emphasis> method.
+                            <!-- The exact sequence of calling these methods 
is a product of the client
+                                 library. The user might not know anything 
about a 'declare' or a 'query' or
+                                 a passive declaration. -->
+                          </para>
+                          <table 
id="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">
+                            <title>ACL Properties Allowed for each Action and 
Object</title>
+                            <tgroup cols="4">
+                              <thead>
+                                <row>
+                                  <entry>Action</entry>
+                                  <entry>Object</entry>
+                                  <entry>Properties</entry>
+                                  <entry>Method</entry>
+                                </row>
+                              </thead>
+                              <tbody>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>broker</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: getTimestampConfig</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry></entry>
+                                   <entry>ExchangeHandlerImpl:: query</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type alternate durable autodelete 
</entry>
+                                   <entry>ExchangeHandlerImpl:: declare</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>ExchangeHandlerImpl:: bound</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type durable </entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>method</entry>
+                                   <entry>schemapackage schemaclass </entry>
+                                   <entry>ManagementAgent:: 
handleMethodRequest</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>method</entry>
+                                   <entry>schemapackage schemaclass </entry>
+                                   <entry>ManagementAgent:: 
authorizeAgentMessage</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>query</entry>
+                                   <entry>schemaclass </entry>
+                                   <entry>ManagementAgent:: 
handleGetQuery</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>QueueHandlerImpl:: query</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: queryQueue</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive 
autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit 
queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
+                                   <entry>QueueHandlerImpl:: declare</entry>
+                                 </row>
+                                 <row>
+                                   <entry>access</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive 
autodelete policytype queuemaxcountlowerlimit queuemaxcountupperlimit 
queuemaxsizelowerlimit queuemaxsizeupperlimit </entry>
+                                   <entry>Authorise:: access</entry>
+                                 </row>
+                                 <row>
+                                   <entry>bind</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>Broker:: bind</entry>
+                                 </row>
+                                 <row>
+                                   <entry>bind</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>Authorise:: outgoing</entry>
+                                 </row>
+                                 <row>
+                                   <entry>consume</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>MessageHandlerImpl:: 
subscribe</entry>
+                                 </row>
+                                 <row>
+                                   <entry>consume</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: outgoing</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>connection</entry>
+                                   <entry>host</entry>
+                                   <entry>Connection creation</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type alternate durable autodelete 
</entry>
+                                   <entry>Broker:: createExchange</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>link</entry>
+                                   <entry></entry>
+                                   <entry>ConnectionHandler:: Handler:: 
open</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>link</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: interlink</entry>
+                                 </row>
+                                 <row>
+                                   <entry>create</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive 
autodelete policytype paging pageslowerlimit pagesupperlimit 
pagefactorlowerlimit pagefactorupperlimit queuemaxcountlowerlimit 
queuemaxcountupperlimit queuemaxsizelowerlimit queuemaxsizeupperlimit 
filemaxcountlowerlimit filemaxcountupperlimit filemaxsizelowerlimit 
filemaxsizeupperlimit </entry>
+                                   <entry>Broker:: createQueue</entry>
+                                 </row>
+                                 <row>
+                                   <entry>delete</entry>
+                                   <entry>exchange</entry>
+                                   <entry>type alternate durable </entry>
+                                   <entry>Broker:: deleteExchange</entry>
+                                 </row>
+                                 <row>
+                                   <entry>delete</entry>
+                                   <entry>queue</entry>
+                                   <entry>alternate durable exclusive 
autodelete policytype </entry>
+                                   <entry>Broker:: deleteQueue</entry>
+                                 </row>
+                                 <row>
+                                   <entry>move</entry>
+                                   <entry>queue</entry>
+                                   <entry>queuename</entry>
+                                   <entry>Broker:: queueMoveMessages</entry>
+                                 </row>
+                                 <row>
+                                   <entry>publish</entry>
+                                   <entry>exchange</entry>
+                                   <entry></entry>
+                                   <entry>Authorise:: incoming</entry>
+                                 </row>
+                                 <row>
+                                   <entry>publish</entry>
+                                   <entry>exchange</entry>
+                                   <entry>routingkey </entry>
+                                   <entry>SemanticState:: route</entry>
+                                 </row>
+                                 <row>
+                                   <entry>publish</entry>
+                                   <entry>exchange</entry>
+                                   <entry>routingkey </entry>
+                                   <entry>Authorise:: route</entry>
+                                 </row>
+                                 <row>
+                                   <entry>purge</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>QueueHandlerImpl:: purge</entry>
+                                 </row>
+                                 <row>
+                                   <entry>purge</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Queue:: ManagementMethod</entry>
+                                 </row>
+                                 <row>
+                                   <entry>redirect</entry>
+                                   <entry>queue</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: queueRedirect</entry>
+                                 </row>
+                                 <row>
+                                   <entry>reroute</entry>
+                                   <entry>queue</entry>
+                                   <entry>exchangename </entry>
+                                   <entry>Queue:: ManagementMethod</entry>
+                                 </row>
+                                 <row>
+                                   <entry>unbind</entry>
+                                   <entry>exchange</entry>
+                                   <entry>queuename routingkey </entry>
+                                   <entry>Broker:: unbind</entry>
+                                 </row>
+                                 <row>
+                                   <entry>update</entry>
+                                   <entry>broker</entry>
+                                   <entry></entry>
+                                   <entry>Broker:: setTimestampConfig</entry>
+                                 </row>
+                              </tbody>
+                            </tgroup>
+                          </table>
+                          <para>
+                            
+                          </para>
+                        </section>
+                      </section>
 
                 <section 
id="sect-Messaging_User_Guide-Authorization-ACL_Syntactic_Conventions">
                        <title>ACL Syntactic Conventions</title>
@@ -1497,6 +1555,27 @@ com.sun.security.jgss.initiate {
     #
 ]]></programlisting>
                         </para>
+                        <para>
+                          Referring to <link 
linkend="tabl-Messaging_User_Guide-ACL_Syntax-ACL_ActionObject_properties">ACL 
Properties Allowed for each Action and Object table</link> observe that some 
Action/Object pairs have different sets of allowed properties. For example 
different broker ACL lookups for <emphasis>access exchange</emphasis> have 
different property subsets.
+                        </para>
+
+<programlisting>
+    access exchange
+    access exchange type alternate durable autodelete
+    access exchange queuename routingkey
+    access exchange type durable
+</programlisting>
+
+                         <para>
+                          If an ACL rule specifies the 
<emphasis>autodelete</emphasis> property then it can possibly match only the 
second case above. It can never match cases 1, 3, and 4 because the broker 
calls to ACL will not present the autodelete property for matching. To get 
proper matching the ACL rule must have only the properties of the intended 
lookup case.
+                        </para>
+
+<programlisting>
+    acl allow bob access exchange alternate=other    ! may match pattern 2 only
+    acl allow bob access exchange queuename=other    ! may match pattern 3 only
+    acl allow bob access exchange durable=true       ! may match patterns 2 
and 4 only
+    acl deny  bob access exchange                    ! may match all patterns
+</programlisting>
 
                 </section>
 
@@ -1574,7 +1653,7 @@ com.sun.security.jgss.initiate {
                The ACL module enforces various quotas and thereby limits user 
activity.
 
                <section 
id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Limits">
-                 <title>Connection Limits</title>
+                 <title>Connection Count Limits</title>
                  <para>
                    The ACL module creates broker command line switches that 
set limits on the number of concurrent connections allowed per user or per 
client host address. These settings are not specified in the ACL file.
                  </para>
@@ -1641,6 +1720,51 @@ com.sun.security.jgss.initiate {
                  </para>
                </section>
 
+               <section 
id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Connection_Host_Limits">
+                 <title>Connection Limits by Host Name</title>
+                 <para>
+                   The 0.30 C++ Broker ACL module adds the ability to create 
allow and deny lists of the TCP/IP hosts from which users may connect. The rule 
accepts two forms:
+                 </para>
+                 <para>
+                   <programlisting>
+    acl allow user create connection host=host1
+    acl allow user create connection host=host1,host2
+                   </programlisting>
+                 </para>
+                 <para>
+                   Using the form <command>host=host1</command> specifies a 
single host. With a single host the name may resolve to multiple TCP/IP 
addresses. For example <emphasis>localhost</emphasis> resolves to both 
<emphasis>127.0.0.1</emphasis> and <emphasis>::1</emphasis> and possibly many 
other addresses. A connection from any of the addresses associated with this 
host match the rule and the connection is allowed or denied accordingly.
+                 </para>
+                 <para>
+                   Using the form <command>host=host1,host2</command> 
specifies a range of TCP/IP addresses. With a host range each host must resolve 
to a single TCP/IP address and the second address must be numerically larger 
than the first. A connection from any host where host &#62;= host1 and host 
&#60;= host2 match the rule and the connection is allowed or denied accordingly.
+                 </para>
+                 <para>
+                   Connection denial is only applied to incoming TCP/IP 
connections. Other socket types are not subjected to nor denied by range checks.
+                 </para>
+                 <para>
+                   The following example illustrates how this feature can be 
used.
+                 </para>
+                 <para>
+                   <programlisting>
+    group admins alice bob chuck
+    group Company1 c1_usera c1_userb
+    group Company2 c2_userx c2_usery c2_userz
+    acl allow admins   create connection host=localhost
+    acl allow admins   create connection host=10.0.0.0,10.255.255.255
+    acl allow admins   create connection host=192.168.0.0,192.168.255.255
+    acl allow Company1 create connection host=company1.com
+    acl allow Company2 create connection host=company2.com
+    acl deny  all      create connection host=company1.com
+    acl deny  all      create connection host=company2.com
+    acl deny  all      create connection host=10.0.0.0,10.255.255.255
+    acl deny  all      create connection host=192.168.0.0,192.168.255.255
+    acl deny  all      create connection host=localhost
+                   </programlisting>
+                 </para>
+                 <para>
+                   In this example admins may connect from localhost or from 
any system on the 10.0.0.0/24 and 192.168.0.0/16 subnets. Company1 users may 
connect only from company1.com while admins and Company2 users are blocked. 
Similarly Company2 users may connect only from company2.com while admins and 
Company1 users are blocked.
+                 </para>
+               </section>
+
                <section 
id="sect-Messaging_User_Guide-Authorization-Specifying_ACL_Queue_Limits">
                  <title>Queue Limits</title>
                  <para>
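Review bot: The closing paragraph of the new "Connection Limits by Host Name" section mislabels the first admin range: `host=10.0.0.0,10.255.255.255` covers the whole 10.0.0.0/8 block, not 10.0.0.0/24, so the sentence should read `any system on the 10.0.0.0/8 and 192.168.0.0/16 subnets`. Since this text tells an administrator how wide an allow rule is, the /24 figure understates the permitted source address set by a factor of 65536. The example also appears to rely on the allow rules preceding the deny rules in the file; if the ACL module resolves on first match as the earlier ACL sections suggest, a sentence such as `Rule order matters: the allow rules must precede the deny rules for the same hosts.` would keep readers from reordering the listing.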


