| author | Robert Gemmell <robbie@apache.org> | 2012-02-16 11:49:14 +0000 |
|---|---|---|
| committer | Robert Gemmell <robbie@apache.org> | 2012-02-16 11:49:14 +0000 |
| commit | cc5f1d0c341d10ebe47cc0ce36a9852c4f85146d (patch) | |
| tree | 5f8d801d8db91ad9c1cae16be426721e9ef51a19 /qpid/java/broker/etc | |
| parent | c41c4ed614a2ec7e015aa65d518e18afde4d91c2 (diff) | |
QPID-3844: allow queryMBeans to succeed without ACL checking, tools like JConsole / Qpid MC need this to function at all
Applied patch from Oleksandr Rudyy <orudyy@gmail.com>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1244946 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'qpid/java/broker/etc')
| -rw-r--r-- | qpid/java/broker/etc/broker_example.acl | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/qpid/java/broker/etc/broker_example.acl b/qpid/java/broker/etc/broker_example.acl index 93955bb7f9..aae4ee3162 100644 --- a/qpid/java/broker/etc/broker_example.acl +++ b/qpid/java/broker/etc/broker_example.acl 
@@ -24,15 +24,32 @@ #Define a 'messaging-users' group with users 'client' and 'server' in it GROUP messaging-users client server + ### MANAGEMENT #### -#Allow 'guest' to perform read operations on the Serverinformation mbean and view logger levels -ACL ALLOW-LOG guest ACCESS METHOD component="ServerInformation" -ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels" +# Allow everyone to perform read operations on the ServerInformation mbean +# This is used for items such as querying the management API and broker release versions. +ACL ALLOW-LOG ALL ACCESS METHOD component="ServerInformation" -#Allow 'admin' all management operations +# Allow 'admin' all management operations ACL ALLOW-LOG admin ALL METHOD +# Deny access to Shutdown, UserManagement, ConfigurationManagement and LoggingManagement for all other users +# You could grant specific users access to these beans by adding ALLOW-LOG rules above for them +ACL DENY-LOG ALL ACCESS METHOD component="Shutdown" +ACL DENY-LOG ALL ACCESS METHOD component="UserManagement" +ACL DENY-LOG ALL ACCESS METHOD component="ConfigurationManagement" +ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement" + +# Allow 'guest' to view logger levels, and use getter methods on LoggingManagement +# These are examples of redundant rules! The DENY-LOG rule above will be invoked +# first and will deny the access to all methods of LoggingManagement for guest +ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels" +ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="get*" + +# Allow everyone to perform all read operations on the mbeans not listened in the DENY-LOG rules above +ACL ALLOW-LOG ALL ACCESS METHOD + ### MESSAGING ### #Example permissions for request-response based messaging. |
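Review bot: The two `ALLOW-LOG guest ... component="LoggingManagement"` rules near the end of the MANAGEMENT block sit below `ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement"`, and the added comment itself says the DENY-LOG rule is invoked first, so as written they never take effect. In an example file that people copy as a starting point, dead rules are easy to mistake for working grants; either move them above the DENY-LOG block, which is what the earlier comment ("adding ALLOW-LOG rules above for them") tells users to do, or ship them commented out with the explanation. Separately, the closing `ACL ALLOW-LOG ALL ACCESS METHOD` makes this section a deny-list: any management component not named in the four DENY-LOG lines is readable by every user, including ones added later, so it is worth stating that default explicitly in the comment. The comment on that rule also has a typo: "not listened in the DENY-LOG rules" should read "not listed".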
