
8.2. Authorization

Authorization in MRG Messaging is achieved through the use of an Access Control List (ACL). This is a file of rules that specifies which users are authorized to access the system.
Using ACL
  1. The ACL module is loaded by default. You can check that it is loaded by running the qpidd --help command and checking the output for ACL options:
    $ qpidd --help
    ...[output truncated]...
    ACL Options:
    --acl-file FILE (policy.acl)  The policy file to load from, loaded from data dir
    
  2. To start using the ACL, you will need to specify the file to use. This is done with the --acl-file option followed by a path and filename. The filename should have a .acl extension:
    $ qpidd --acl-file ./aclfilename.acl
    
    You can now view the file with the cat command and edit it in your preferred text editor. If the path and filename are not found, qpidd will fail to start.
  3. These permissions can be used when creating the ACL file:
    allow
    Allow rule
    allow-log
    Allow rule and log the action in the event log
    deny
    Deny rule
    deny-log
    Deny rule and log the action in the event log
  4. The following actions are valid:
    consume
    Applied when subscriptions are created
    publish
    Applied per message on publish message transfers; this is the rule that consumes the most resources
    create
    Applied when an object is created, such as bindings, queues, exchanges, links
    access
    Applied when an object is read or accessed
    bind
    Applied when objects are bound together
    unbind
    Applied when objects are unbound
    delete
    Applied when objects are deleted
    purge
    Similar to delete but the action is performed on more than one object
    update
    Applied when an object is updated
  5. The following object types are supported:
    queue
    A queue
    exchange
    An exchange
    broker
    The broker
    link
    A federation or inter-broker link
    method
    Management or agent or broker method
  6. Wild cards can be used on properties that are a string. The following properties are supported:
    name
    String. Object name, such as a queue name or exchange name.
    durable
    Boolean. Indicates the object is durable
    routingkey
    String. Specifies the routing key
    passive
    Boolean. Indicates the presence of a passive flag
    autodelete
    Boolean. Indicates whether or not the object gets deleted when the connection is closed
    exclusive
    Boolean. Indicates the presence of an exclusive flag
    type
    String. Type of object, such as topic, fanout, or xml
    alternate
    String. Name of the alternate exchange
    queuename
    String. Name of the queue (used only when the object is something other than a queue)
    schemapackage
    String. QMF schema package name
    schemaclass
    String. QMF schema class name
When editing the ACL file, the following rules apply:
  • A line starting with the # character is considered a comment and is ignored.
  • Empty lines and lines that contain only whitespace are ignored
  • All tokens are case sensitive. name1 is not the same as Name1 and create is not the same as CREATE
  • Group lists can be extended to the following line by terminating the line with the \ character
  • Additional whitespace - that is, where there is more than one whitespace character - between and after tokens is ignored. Group and ACL definitions must start with either group or acl and with no preceding whitespace.
  • All ACL rules are limited to a single line
  • Rules are interpreted from the top of the file down until the name match is obtained; at which point processing stops.
  • The keyword all matches all individuals, groups and actions
  • The last line of the file - whether present or not - will be assumed to be acl deny all all. If present in the file, all lines below it are ignored.
  • Names and group names may contain only a-z, A-Z, 0-9, - and _
  • Rules must be preceded by any group definitions they can use. Any name not defined as a group will be assumed to be that of an individual.
  • ACL rules must be on a single line and follow this syntax:
    acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"] [property=<property-value>]
    
    ACL rules can also include a single object name (or the keyword all) and one or more property name value pairs in the form property=value
This example demonstrates correctly formatted ACL entries.
Specifying groups:
group admin ted@QPID martin@QPID
group user-consume martin@QPID ted@QPID
group group2 kim@QPID user-consume rob@QPID
group publisher group2 \
tom@QPID andrew@QPID debbie@QPID
Specifying rules:
acl allow carlt@QPID create exchange name=carl.*
acl deny rob@QPID create queue
acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.rht.# 
acl allow user-consume create queue name=tmp.*

acl allow publisher publish all durable=false
acl allow publisher create queue name=RequestQueue
acl allow consumer consume queue durable=true
acl allow fred@QPID create all
acl allow bob@QPID all queue
acl allow admin all
acl allow all consume queue
acl allow all bind exchange
Always include the last, default rule:
acl deny all all
Deny guest access to some QMF management methods and log each denied attempt:
group allUsers guest@QPID
....
acl deny-log allUsers create link
acl deny-log allUsers access method name=connect
acl deny-log allUsers access method name=echo
Example 8.1. An example ACL file
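To make the file rules above concrete (comments, backslash continuation of group lists, group expansion, top-down first-match evaluation, wildcards on string properties, and the implicit trailing acl deny all all), here is an added evaluator written for this page. It is not the broker's own ACL implementation and is a simplified model: it treats only the * wildcard (via fnmatch) and compares property values as strings; the SAMPLE_ACL it parses is constructed.

```python
import fnmatch
# Constructed sample ACL (not from the original page), modelled on the rules above.
SAMPLE_ACL = """\
# groups must be defined before the rules that use them
group admin ted@QPID martin@QPID
group publisher admin \\
    tom@QPID
acl allow publisher publish all durable=false
acl deny rob@QPID create queue
acl allow all create queue name=tmp.*
acl allow admin all
acl deny all all
acl allow all all
"""

def parse_acl(text):
    """Return (groups, rules); group names are expanded to individual users."""
    groups, rules, logical, pending = {}, [], [], ""
    for raw in text.splitlines():          # join lines ending in a backslash
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)
    for line in logical:
        if not line.strip() or line.startswith("#"):
            continue                       # blank line or comment
        tok = line.split()
        if tok[0] == "group":
            groups[tok[1]] = set().union(*(groups.get(m, {m}) for m in tok[2:]))
        elif tok[0] == "acl":
            perm, who, action = tok[1:4]
            obj = tok[4] if len(tok) > 4 and "=" not in tok[4] else "all"
            props = dict(t.split("=", 1) for t in tok[4:] if "=" in t)
            rules.append((perm, groups.get(who, {who}), action, obj, props))
            if (perm, who, action, obj) == ("deny", "all", "all", "all"):
                break                      # everything below this line is ignored
    return groups, rules

def check(rules, user, action, obj, props=None):
    """Top-down, first matching rule wins; no match means the implicit deny."""
    for perm, who, r_action, r_obj, r_props in rules:
        if ("all" in who or user in who) and r_action in ("all", action) and \
           r_obj in ("all", obj) and all(fnmatch.fnmatchcase(str((props or {}).get(k, "")), v)
                                         for k, v in r_props.items()):
            return perm                    # allow, allow-log, deny or deny-log
    return "deny"

SAMPLE_RULES = parse_acl(SAMPLE_ACL)[1]
```

Note that rob@QPID is denied tmp.* queue creation even though a later rule allows it for all, because the first matching rule ends processing.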