Hi, I'm implementing an access control list (ACL) for an internal Qpid cluster. Most of the ACL is nice and straightforward. However, I'm wondering what the best way is to enable QMF agents and clients to work (we have our own custom QMF agents and clients using QMF2, plus the standard Qpid tools).

When I said "best" above, I mean:

* minimum extraneous access (i.e. not giving away more access than required); and
* most maintainable (i.e. a small number of clear, concise rules).

I've seen the rules at https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and they look pretty good. They seem to have been based on Qpid 0.12, and I vaguely recall reading plans to improve this aspect of ACL some time ago... So, is the following the best there is, or can I do better with Qpid 0.16? (I've intentionally skipped the declaration of the agents and consoles groups.)

acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny-log all all

Thanks! :)

Paul
----
http://colby.id.au
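Added example, not from the post above or the Qpid project: a small first-match evaluator for the rule set in the post, so each group's effective permissions can be checked before the file goes near a broker. It assumes Qpid's first-matching-rule semantics and approximates its property wildcard with shell-style glob matching; the group names, actions and rule text are those from the post, and the queries at the bottom are constructed.

```python
import fnmatch

# The ACL rule set from the post, embedded as constructed input (only the group
# definitions are omitted, as in the original message).
ACL_TEXT = """
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny-log all all
"""

def parse_acl(text):
    """Parse 'acl <perm> <actor> <action> [object] [prop=value ...]' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "acl":
            continue
        perm, actor, action = parts[1:4]
        obj = parts[4] if len(parts) > 4 and "=" not in parts[4] else "all"
        props = dict(p.split("=", 1) for p in parts[4:] if "=" in p)
        rules.append((perm, actor, action, obj, props))
    return rules

def check(rules, group, action, obj, **props):
    """First matching rule decides (assumption: Qpid ACL first-match). A rule
    only constrains the properties it names; unnamed request props are ignored."""
    for rule in rules:
        perm, actor, act, robj, rprops = rule
        if actor not in ("all", group) or act not in ("all", action):
            continue
        if robj not in ("all", obj):
            continue
        if all(fnmatch.fnmatchcase(props.get(k, ""), v) for k, v in rprops.items()):
            return perm.startswith("allow"), rule
    return False, None  # no rule matched: Qpid's default is deny

RULES = parse_acl(ACL_TEXT)
```

Querying `check(RULES, "agents", "create", "queue", name="anything")` shows that agents may create a queue of any name, which is the kind of broad grant the question is about, while `check(RULES, "agents", "publish", "exchange", name="qmf.default.topic", routingkey="console.x")` falls through to the final deny-log rule.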
