
ACL file format for brokers.

Notes on file formats

  • A line starting with the character '#' is considered a comment and is ignored.
  • Since the '#' char (and others commonly used for comments) is often found in routing keys and other AMQP literals, it is simpler (for now) to hold off on allowing trailing comments (i.e. comments in which everything following a '#' is considered a comment). This could be reviewed later once the rest of the format is finalized.
  • Empty lines ("") and lines that contain only whitespace (any combination of ' ', '\f', '\n', '\r', '\t', '\v') are ignored.
  • All tokens are case sensitive. "name1" != "Name1" and "create" != "CREATE".
  • Group lists may be extended to the following line by terminating the line with the '\' character. However, this may only occur after the group name or any of the names following the group name. Empty extension lines (ie just a '\' character) are not permitted.
    # Examples of extending group lists using a trailing '\' character
    
    group group1 name1 name2 \
                 name3 name4 \
                 name5
    
    group group2 \
                 group1 \
                 name6
    
    # The following are illegal:
    
    # '\' must be after group name
    group \
          group3 name7 name8
    
    # No empty extension lines
    group group4 name9 \
                       \
                 name10
    
  • Additional whitespace (i.e. more than one whitespace char) between and after tokens is ignored. However, group and acl definitions must start with "group" or "acl" respectively, with no preceding whitespace.
  • All acl rules are limited to a single line.
  • Rules are interpreted from the top of the file down until the name match is obtained; at which point processing stops.
  • The keyword "all" is reserved, and matches all individuals, groups and actions. It may be used in place of a group or individual name and/or an action, e.g. "acl allow all all", "acl deny all all" or "acl deny user1 all".
  • The last line of the file (whether present or not) will be assumed to be "acl deny all". If present in the file, any lines below this one are ignored.
  • Names and group names may contain only a-z, A-Z, 0-9, '-','_'.
  • Rules must be preceded by any group definitions they may use; any name not previously defined as a group will be assumed to be that of an individual.
  • ACL rules must have the following tokens in order on a single line:
    • The string literal "acl";
    • The permission;
    • The name of a single group or individual or the keyword "all";
    • The name of an action or the keyword "all";
    • Optionally, a single object name-value pair (in the form object=value);
    • If the object is present, then optionally one or more property name-value pair(s) (in the form property=value).
user-list = user1 user2 user3 ...
group-name-list = group1 group2 group3 ...

group <group-name> = [user-list] [group-name-list]

permission = [allow|allow-log|deny|deny-log]
action = [consume|publish|create|access|bind|unbind|delete|purge|update]
object = [queue|exchange|broker|link|route]
property = [temporary|durable|owner|routingkey|passive|autodelete]

acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object=<object-name>] [property=<property-value>]

Notes: ?? do we care about passive & autodelete as properties in ACL ??

Example file:

# Some groups
group admin ted martin
group user-consume martin ted
group group2 kim user-consume rob
group publisher group2 \
                tom andrew debbie

# Some rules
acl allow carlt create exchange=carl.*
acl deny rob create queue
acl allow guest bind exchange=amq.topic routingkey=stocks.ibm.#  owner=self
acl allow user-consume create queue=tmp.*

acl allow publisher publish temporary=true
acl allow publisher create queue=RequestQueue
acl allow consumer consume temporary=true
acl allow consumer create temporary=true

# Rules using "all" keyword - may be used in place of user/group name and/or action
acl allow admin all
acl deny kim all
acl allow all consume owner=self
acl allow all bind owner=self

# Last (default) rule
acl deny all all
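As an added illustration (not code from this page or from the Qpid broker itself), a small Python evaluator for the format described above: it expands groups, enforces the continuation-line and name rules, and applies rules top down with the first match winning and deny as the default. It assumes that object names and property values in a rule are globs and that an AMQP-style '#' in a rule value matches like '*'; the sample input is a shortened copy of the page's example file.

```python
import re
from fnmatch import fnmatchcase

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # legal characters for names and group names
OBJECTS = {"queue", "exchange", "broker", "link", "route"}
# Shortened copy of the page's example file, used here as the sample input
SAMPLE = ("group user-consume martin ted\ngroup publisher user-consume \\\n    tom\n"
          "acl deny rob create queue\nacl allow user-consume create queue=tmp.*\n"
          "acl allow publisher publish temporary=true\nacl allow all consume owner=self\n")

def parse_acl(text):
    """Return (groups, rules); a rule is (perm, who, action, object, name_glob, props)."""
    groups, rules, lines, i = {}, [], text.split("\n"), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip() or line.startswith("#"):     # blank lines and comments
            continue
        if line.startswith("group "):
            if len(line.rstrip().rstrip("\\").split()) < 2:
                raise ValueError("'\\' must follow the group name: " + line)
            while line.rstrip().endswith("\\"):           # trailing '\' extends the list
                if i >= len(lines) or lines[i].strip() in ("", "\\"):
                    raise ValueError("empty extension line after: " + line)
                line, i = line.rstrip()[:-1] + " " + lines[i], i + 1
            name, *members = line.split()[1:]
            if not all(NAME_RE.match(n) for n in [name] + members):
                raise ValueError("illegal character in a name: " + line)
            # a member naming an earlier group contributes that group's users
            groups[name] = set().union(*(groups.get(m, {m}) for m in members))
        elif line.startswith("acl "):
            perm, who, action, *pairs = line.split()[1:]
            kv = [p.partition("=") for p in pairs]        # object[=name], property=value
            objs = [(k, v or "*") for k, _, v in kv if k in OBJECTS]
            obj, glob = objs[0] if objs else (None, "*")
            rules.append((perm, who, action, obj, glob,
                          {k: v for k, _, v in kv if k not in OBJECTS}))
        else:
            raise ValueError("line must start with 'group' or 'acl': " + line)
    return groups, rules

def check(groups, rules, user, action, obj=None, name="", props=None):
    """First rule (top down) that matches wins; the implicit last rule is 'acl deny all all'."""
    for perm, who, act, robj, glob, rprops in rules:
        if (who in ("all", user) or user in groups.get(who, ())) \
           and act in ("all", action) \
           and (robj is None or (robj == obj and fnmatchcase(name, glob))) \
           and all(fnmatchcase((props or {}).get(k, ""), v.replace("#", "*"))
                   for k, v in rprops.items()):       # AMQP '#' read as glob '*' (assumption)
            return perm
    return "deny"
```

Note that because processing stops at the first match, "acl deny rob create queue" wins over any later allow for rob, and a request that omits a property named in a rule (e.g. owner=self) does not match that rule.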

Mapping of ACL traps to action and type

The C++ broker maps the ACL traps in the following way for AMQP 0-10:

Trap                                   Action    Object
ExchangeHandlerImpl::declare           Create    Exchange
ExchangeHandlerImpl::delete            Delete    Exchange
ExchangeHandlerImpl::query             Access    Exchange
ExchangeHandlerImpl::bind              Bind      Exchange
ExchangeHandlerImpl::unbind            Unbind    Exchange
ExchangeHandlerImpl::bound             Access    Exchange
QueueHandlerImpl::query                Access    Queue
QueueHandlerImpl::declare              Create    Queue
QueueHandlerImpl::purge                Purge     Queue
QueueHandlerImpl::delete               Delete    Queue
MessageHandlerImpl::transfer           Publish   Exchange
MessageHandlerImpl::subscribe          Consume   Queue
ManagementProperty::set                Update    <Object>
ManagementProperty::read               Access    <Object>
Management::connect                    Create    Link
Management::Queue::purge               Purge     Queue
Management:: -createFederationRoute-   Create    Route
Management:: -deleteFederationRoute-   Delete    Route

Management actions that are not specified will be mapped with the command name as the Trap name; if the action is 'W', the Action will be Update, and if 'R', the Action will be Access.

For example, if joinCluster were not mapped, it would be mapped in the ACL file as:

Trap          Action    Object
joinCluster   Update    Broker
