Thanks Ted, I'll use the matahari example as a starting point then.
Though I can confirm that it is insufficient for me with Qpid 0.16... for example, one of my QMF2 agents also requires:

acl allow agents create exchange name=qmf.default.direct

(Of course the matahari example would still work, if my agent happened to also be a console member, but it's not in my case).

Thanks again,

pc
----
http://colby.id.au

On Thu, May 31, 2012 at 1:29 AM, Ted Ross <[email protected]> wrote:
> Hi Paul,
>
> This aspect of ACL is the same in 0.16 as it is in 0.14. That matahari
> web link is very up-to-date.
>
> -Ted
>
>
> On 05/30/2012 12:09 AM, Paul Colby wrote:
>
>> Hi,
>>
>> I'm implementing an access control list (ACL) for an internal Qpid cluster.
>> Most of the ACL is nice and straight-forward. However, I'm wondering what
>> the best way is to enable QMF agents and clients to work (we have our own
>> custom QMF agents and clients using QMF2, plus the standard Qpid tools).
>>
>> When I said "best" above, I'm meaning:
>> * minimum extraneous access (ie not giving away more access than required); and
>> * most maintainable (ie small number of clear, concise rules).
>>
>> I've seen the rules at
>> https://github.com/matahari/matahari/wiki/QMF-Access-Control-Policy and
>> they look pretty good. They seem to have been based on Qpid 0.12, and I
>> vaguely recall reading plans to improve this aspect of ACL some time ago...
>>
>> So, is the following the best there is, or can I do better with Qpid 0.16?
>> (I've intentionally skipped the declaration of the agents and consoles groups)
>>
>> acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
>> acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
>> acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
>> acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
>> acl allow agents create link
>> acl allow agents create queue
>> acl allow agents create exchange name=qmf.default.topic
>> acl allow agents access exchange name=qmf.default.topic
>> acl allow agents consume
>>
>> acl allow consoles create exchange name=qmf.default.direct
>> acl allow consoles access exchange name=qmf.default.direct
>> acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
>> acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
>> acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
>> acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
>> acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
>> acl allow consoles create queue
>> acl allow consoles create exchange name=qmf.default.topic
>> acl allow consoles access exchange name=qmf.default.topic
>> acl allow consoles consume
>>
>> acl deny-log all all
>>
>> Thanks! :)
>>
>> Paul
>> ----
>> http://colby.id.au
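The rule set quoted in this thread can be dry-run against the operations the agents and consoles actually perform before it goes onto a broker. The evaluator below is an added example, not code from this thread or from the Qpid project. It assumes rules are processed top-down with the first match deciding, supplies a constructed group mapping in place of the group declarations Paul omitted, and treats `*` in a property value as a shell-style wildcard (a simplification, not a description of the broker's own matcher). Run against the posted rules it reproduces the gap Paul reports: an agent creating `qmf.default.direct` falls through to `acl deny-log all all`, and the single extra allow line he names fixes that without widening anything else.

```python
"""Toy first-match-wins evaluator for Qpid-style ACL files.

Added example, not code from the thread or the Qpid project. It models lines of
the form 'acl <allow|deny|deny-log> <group|user|all> <action|all> [<object>] [k=v ...]',
takes group membership as a plain mapping, and treats '*' in a property value as a
shell-style wildcard. These are assumptions, not the broker's own matching rules.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Rule:
    decision: str   # 'allow', 'deny' or 'deny-log'
    subject: str    # group name, user name, or 'all'
    action: str     # e.g. 'create', 'bind', 'publish', or 'all'
    obj: str        # e.g. 'exchange', 'queue', or 'all' when omitted
    props: tuple    # ((key, pattern), ...), e.g. (('name', 'qmf.default.topic'),)


def parse_acl(text):
    """Parse ACL text into an ordered list of rules; order is significant."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] != "acl" or len(parts) < 4:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        decision, subject, action = parts[1:4]
        obj, props = "all", []
        for tok in parts[4:]:
            if "=" in tok:
                props.append(tuple(tok.split("=", 1)))
            else:
                obj = tok
        rules.append(Rule(decision, subject, action, obj, tuple(props)))
    return rules


def _matches(rule, groups, user, action, obj, props):
    """True when every field of the rule covers the request."""
    if rule.subject not in ("all", user) and user not in groups.get(rule.subject, ()):
        return False
    if rule.action not in ("all", action) or rule.obj not in ("all", obj):
        return False
    # Every property the rule names must be present on the request and match.
    return all(k in props and fnmatchcase(props[k], pat) for k, pat in rule.props)


def evaluate(rules, groups, user, action, obj, **props):
    """Decision of the first rule that matches, or 'no-match' if none does."""
    for rule in rules:
        if _matches(rule, groups, user, action, obj, props):
            return rule.decision
    return "no-match"   # unreachable when the file ends with a catch-all rule


def audit(rules, groups, required):
    """Return the (user, action, obj, props) requests the ACL would not allow."""
    return [r for r in required if evaluate(rules, groups, r[0], r[1], r[2], **r[3]) != "allow"]


# The rules posted in the thread, minus the group declarations Paul skipped.
THREAD_ACL = """
acl allow agents bind exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow agents bind exchange name=qmf.default.topic routingkey=console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=direct-console.*
acl allow agents publish exchange name=qmf.default.topic routingkey=agent.*
acl allow agents create link
acl allow agents create queue
acl allow agents create exchange name=qmf.default.topic
acl allow agents access exchange name=qmf.default.topic
acl allow agents consume
acl allow consoles create exchange name=qmf.default.direct
acl allow consoles access exchange name=qmf.default.direct
acl allow consoles bind exchange name=qmf.default.topic routingkey=direct-console.*
acl allow consoles bind exchange name=qmf.default.topic routingkey=agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=direct-agent.*
acl allow consoles publish exchange name=qmf.default.topic routingkey=console.*
acl allow consoles publish exchange name=qmf.default.direct routingkey=broker
acl allow consoles create queue
acl allow consoles create exchange name=qmf.default.topic
acl allow consoles access exchange name=qmf.default.topic
acl allow consoles consume
acl deny-log all all
"""

# Constructed membership standing in for the omitted 'group' lines.
GROUPS = {"agents": {"agent1"}, "consoles": {"console1"}}

# The one extra permission Paul reports his QMF2 agent needed under 0.16.
AGENT_DIRECT_EXCHANGE = "acl allow agents create exchange name=qmf.default.direct"


def rules_with_fix():
    """Thread rules plus the extra allow, placed before the catch-all deny."""
    lines = THREAD_ACL.strip().splitlines()
    return parse_acl("\n".join(lines[:-1] + [AGENT_DIRECT_EXCHANGE, lines[-1]]))


if __name__ == "__main__":
    needed = [("agent1", "create", "exchange", {"name": "qmf.default.direct"})]
    print("refused before fix:", audit(parse_acl(THREAD_ACL), GROUPS, needed))
    print("refused after fix: ", audit(rules_with_fix(), GROUPS, needed))
```

Feeding `audit` the full list of operations each agent and console performs, rather than a single case, turns the least-privilege goal from the original question into a repeatable check: anything refused is a rule you still need, and anything the ACL allows that is not on the list is access you are giving away.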
