Hello Jakub,

this helps a lot.

Thank you!

Andreas

On Fri, Nov 10, 2017 at 4:59 PM, Jakub Scholz <ja...@scholz.cz> wrote:

> Hi Andreas,
>
> The problem is that in qpidd you never publish directly to a queue or read
> directly from an exchange. You always publish to an exchange and read from a
> queue. In reality what you see as publishing directly to a queue is
> sending the message to an exchange named "" (as in empty string) with a
> routing key which should be the name of your queue. The same when you try
> to read directly from an exchange: the client actually creates a queue and a
> binding to the exchange for you. That is why the ACL rules such as "publish
> queue" or "consume exchange" do not exist.
>
> In your case ... if your group wants to publish to queue name QU1, you
> should add a rule which looks something like this:
> acl allow group1 publish exchange name=amq.default routingkey=QU1
> where the exchange name "amq.default" will be substituted for the exchange
> without name (as per https://issues.apache.org/jira/browse/QPID-4727)
>
> To read directly from an exchange you need several ACL rights:
> - to create a queue
> acl allow group1 create queue name=*
> - to delete a queue when you are closing the connection
> acl allow group1 delete queue name=*
> - to consume from the queue
> acl allow group1 consume queue name=*
> - to bind the exchange
> acl allow group1 bind exchange name=EX1
>
> Depending on your client you might be able to specify the queue name in
> more detail. For example the qpid-receive client (using the old Qpid C++
> API) would create the queue named similar to
> "EX1_8f4ea08f-d211-41c0-97cf-652cd5ef9a11". But different clients might do
> it differently.
>
> Hope this helps.
>
> Jakub
>
>
> On Fri, Nov 10, 2017 at 3:46 PM, andi welchlin <andi.welch...@gmail.com>
> wrote:
>
> > Hello everyone,
> >
> > I looked into ACL documentation of Qpid C++ broker (1.36.0) and tested
> > it a bit.
> >
> >
> > I would like to allow for one usergroup to write to a queue with a
> > specific name, but deny it for all other users.
> >
> > But I saw that I cannot do the following:
> >
> > acl allow group1 publish queue name=QU1
> >
> >
> > I understood that the publish keyword can only be used for exchanges.
> >
> >
> > I also would like to restrict reading from an exchange with a specific
> > name and allow it only for one usergroup.
> >
> > But the following seems also not to be allowed:
> >
> > acl allow group1 consume exchange name=EX1
> >
> >
> > "consume" is only allowed for queues.
> >
> >
> > How can I reach these two requirements?
> >
> >
> > Kind Regards,
> > Andreas
> >
>
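
Added example, not part of the original thread and not qpidd's own code: a simplified Python model of ordered, first-match ACL evaluation that shows how "publish to queue QU1" and "read from exchange EX1" are checked against the rules quoted above. The users alice@QPID and bob@QPID, the group line, the closing `acl deny all all` rule, and the helper names are assumptions made for the illustration.

```python
# Simplified model of ACL evaluation (first matching rule decides); not qpidd code.
# ACL lines are the ones from the thread; group members and the final deny are constructed.
ACL_TEXT = """\
group group1 alice@QPID
acl allow group1 publish exchange name=amq.default routingkey=QU1
acl allow group1 create queue name=*
acl allow group1 delete queue name=*
acl allow group1 consume queue name=*
acl allow group1 bind exchange name=EX1
acl deny all all
"""

def parse_acl(text):
    groups, rules = {}, []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["group"]:
            groups[tok[1]] = set(tok[2:])
        elif tok[:1] == ["acl"]:
            obj = tok[4] if len(tok) > 4 else "all"
            props = dict(p.split("=", 1) for p in tok[5:])
            rules.append((tok[1], tok[2], tok[3], obj, props))
    return groups, rules

GROUPS, RULES = parse_acl(ACL_TEXT)

def _match(pattern, value):
    # A trailing '*' is treated as a prefix wildcard; otherwise exact match.
    if pattern.endswith("*"):
        return value is not None and value.startswith(pattern[:-1])
    return pattern == value

def check(user, action, obj, **props):
    for decision, who, r_action, r_obj, r_props in RULES:
        if who not in ("all", user) and user not in GROUPS.get(who, ()):
            continue
        if r_action not in ("all", action) or r_obj not in ("all", obj):
            continue
        if all(_match(p, props.get(k)) for k, p in r_props.items()):
            return decision == "allow"
    return False  # no rule matched: this model denies

def publish_to_queue(user, queue):
    # "Publish to a queue" = publish to the nameless exchange with routing key = queue name.
    return check(user, "publish", "exchange", name="amq.default", routingkey=queue)

def missing_for_subscribe(user, exchange, tmp_queue):
    # Reading from an exchange: the client creates a queue, binds, consumes, deletes on close.
    steps = [("create", "queue", tmp_queue), ("bind", "exchange", exchange),
             ("consume", "queue", tmp_queue), ("delete", "queue", tmp_queue)]
    return [f"{a} {o}" for a, o, n in steps if not check(user, a, o, name=n)]
```

An empty list from `missing_for_subscribe` means every step the client performs behind the scenes is permitted; any entry names the ACL right that still has to be granted.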
