diff options
Diffstat (limited to 'qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml')
| -rw-r--r-- | qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml | 646 |
1 files changed, 646 insertions, 0 deletions
diff --git a/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml b/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml new file mode 100644 index 0000000000..95d718df29 --- /dev/null +++ b/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml @@ -0,0 +1,646 @@ +<?xml version="1.0" encoding="utf-8"?> + +<!-- + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. + +--> + +<section id="Java-Broker-Security-ACLs"> + <title>Access Control Lists</title> + <para> + In Qpid, Access Control Lists (ACLs) specify which actions can be performed by each authenticated user. + To enable, an <emphasis>Access Control Provider</emphasis> needs to be configured on the <emphasis>Broker</emphasis>. + The <emphasis>Access Control Provider</emphasis> of type "AclFile" uses local file to specify the ACL rules. + By convention, this file should have a .acl extension. + </para> + + <para> + A Group Provider can be configured with ACL to define the user groups which can be used in ACL + to determine the ACL rules applicable to the entire group. The configuration details for the Group Providers are described in + <xref linkend="Java-Broker-Security-Group-Providers"/>. On creation of ACL Provider with group rules, + the Group Provider should be added first. Otherwise, if the individual ACL rules are not defined for the logged principal + the following invocation of management operations could be denied due to absence of the required groups.</para> + + <para>Only one <emphasis>Access Control Provider</emphasis> can be used by the Broker. + If several <emphasis>Access Control Providers</emphasis> are configured on Broker level + only one of them will be used (the latest one). + </para> + + <para> + The ACL Providers can be configured using <link linkend="Java-Broker-Management-Channel-REST-API">REST Management interfaces</link> + and <link linkend="Java-Broker-Management-Channel-Web-Console">Web Management Console</link>. + </para> + + <para>The following ACL Provider managing operations are available from Web Management Console: + <itemizedlist> + <listitem><para>A new ACL Provider can be added by clicking onto "Add Access Control Provider" on the Broker tab.</para></listitem> + <listitem><para>An ACL Provider details can be viewed on the Access Control Provider tab. + The tab is shown after clicking onto ACL Provider name in the Broker object tree or after clicking + onto ACL Provider row in ACL Providers grid on the Broker tab.</para></listitem> + <listitem><para>An existing ACL Provider can be deleted by clicking onto buttons "Delete Access Control Provider" + on the Broker tab or Access Control Provider tab.</para></listitem> + </itemizedlist> + </para> + + <section role="h3" id="Java-Broker-Security-ACLs-WriteACL"> + <title> + Writing .acl files + </title> + + <para> + The ACL file consists of a series of rules associating behaviour for a user or group. Use of groups can serve to make the ACL file more concise. See <link linkend="Java-Broker-Security-Group-Providers">Configuring Group Providers</link> for more information on defining groups. + </para> + <para> + Each ACL rule grants or denies a particular action on an object to a user/group. The rule may be augmented with one or more properties, restricting + the rule's applicability. + </para> + <programlisting> + ACL ALLOW alice CREATE QUEUE # Grants alice permission to create all queues. + ACL DENY bob CREATE QUEUE name="myqueue" # Denies bob permission to create a queue called "myqueue" + </programlisting> + <para> + The ACL is considered in strict line order with the first matching rule taking precedence over all those that follow. In the following + example, if the user bob tries to create an exchange "myexch", the operation will be allowed by the first rule. The second rule will + never be considered. + </para> + <programlisting> + ACL ALLOW bob ALL EXCHANGE + ACL DENY bob CREATE EXCHANGE name="myexch" # Dead rule + </programlisting> + <para> + If the desire is to allow bob to create all exchanges except "myexch", order of the rules must be reversed: + </para> + <programlisting> + ACL DENY bob CREATE EXCHANGE name="myexch" + ACL ALLOW bob ALL EXCHANGE + </programlisting> + <para> + All ACL files end with an implicit rule denying all operations to all users. It is as if each file ends with + <programlisting>ACL DENY ALL ALL </programlisting> + If instead you wish to <emphasis>allow</emphasis> all operations other than those controlled by earlier rules, + add <programlisting>ACL ALLOW ALL ALL</programlisting> to the bottom of the ACL file. + </para> + <para> + When writing a new ACL, a good approach is to begin with an .acl file containing only <programlisting>ACL DENY-LOG ALL ALL</programlisting> + which will cause the Broker to deny all operations with details of the denial logged to the Qpid log file. Build up the ACL rule by rule, + gradually working through the use-cases of your system. Once the ACL is complete, consider switching the DENY-LOG actions to DENY + to improve performamce and reduce log noise. + </para> + <para> + ACL rules are very powerful: it is possible to write very granular rules specifying many broker objects and their + properties. Most projects probably won't need this degree of flexibility. A reasonable approach is to choose to apply permissions + at a certain level of abstraction (e.g. QUEUE) and apply them consistently across the whole system. + </para> + <note> + <para> + Some rules can be restricted to the virtual host if property virtualhost_name is specified. + <example> + <title>Restrict rules to specific virtual hosts</title> + <programlisting> + ACL ALLOW bob CREATE QUEUE virtualhost_name="test" + ACL ALLOW bob ALL EXCHANGE virtualhost_name="prod" + </programlisting> + </example> + In the example above the first rule allows user "bob" to create queues on virtual host "test" only. + The second rule allows user "bob" any action with exchanges on virtual host "prod". + </para> + </note> + </section> + + <section role="h4" id="Java-Broker-Security-ACLs-Syntax"> + <title> + Syntax + </title> + + <para> + ACL rules follow this syntax: + </para> + <programlisting> + ACL {permission} {<group-name>|<user-name>|ALL} {action|ALL} [object|ALL] [property="<property-value>"] + </programlisting> + + <para> + Comments may be introduced with the hash (#) character and are ignored. Long lines can be broken with the slash (\) character. + </para> + <programlisting> + # A comment + ACL ALLOW admin CREATE ALL # Also a comment + ACL DENY guest \ + ALL ALL # A broken line + </programlisting> + </section> + <table id="table-Java-Broker-Security-ACLs-Syntax_permissions"> + <title>List of ACL permission</title> + <tgroup cols="2"> + <tbody> + <row> + <entry><command>ALLOW</command></entry> + <entry><para>Allow the action</para></entry> + </row> + <row> + <entry><command>ALLOW-LOG</command></entry> + <entry><para> Allow the action and log the action in the log </para></entry> + </row> + <row> + <entry><command>DENY</command></entry> + <entry><para> Deny the action</para></entry> + </row> + <row> + <entry><command>DENY-LOG</command></entry> + <entry><para> Deny the action and log the action in the log</para></entry> + </row> + </tbody> + </tgroup> + </table> + <table id="table-Java-Broker-Security-ACLs-Syntax_actions"> + <title>List of ACL actions</title> + <tgroup cols="4"> + <thead> + <row> + <entry><para>Action</para></entry> + <entry><para>Description</para></entry> + <entry><para>Supported object types</para></entry> + <entry><para>Supported properties</para></entry> + </row> + </thead> + <tbody> + <row> + <entry> <command>CONSUME</command> </entry> + <entry> <para> Applied when subscriptions are created </para> </entry> + <entry><para>QUEUE</para></entry> + <entry><para>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</para></entry> + </row> + <row> + <entry> <command>PUBLISH</command> </entry> + <entry> <para> Applied on a per message basis on publish message transfers</para> </entry> + <entry><para>EXCHANGE</para></entry> + <entry><para>name, routingkey, immediate, virtualhost_name</para></entry> + </row> + <row> + <entry> <command>CREATE</command> </entry> + <entry> <para> Applied when an object is created, such as bindings, queues, exchanges</para> </entry> + <entry><para>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</para></entry> + <entry><para>see properties on the corresponding object type</para></entry> + </row> + <row> + <entry> <command>ACCESS</command> </entry> + <entry> <para> Applied when an object is read or accessed</para> </entry> + <entry><para>VIRTUALHOST, MANAGEMENT</para></entry> + <entry><para>name (for VIRTUALHOST only)</para></entry> + </row> + <row> + <entry> <command>BIND</command> </entry> + <entry> <para> Applied when queues are bound to exchanges</para> </entry> + <entry><para>EXCHANGE</para></entry> + <entry><para>name, routingKey, queuename, virtualhost_name, temporary, durable</para></entry> + </row> + <row> + <entry> <command>UNBIND</command> </entry> + <entry> <para> Applied when queues are unbound from exchanges</para> </entry> + <entry><para>EXCHANGE</para></entry> + <entry><para>name, routingKey, queuename, virtualhost_name, temporary, durable</para></entry> + </row> + <row> + <entry> <command>DELETE</command> </entry> + <entry> <para> Applied when objects are deleted </para> </entry> + <entry><para>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</para></entry> + <entry><para>see properties on the corresponding object type</para></entry> + </row> + <row> + <entry> <command>PURGE</command> </entry> <entry> + <para>Applied when purge the contents of a queue</para> </entry> + <entry><para>QUEUE</para></entry> + <entry><para> </para></entry> + </row> + <row> + <entry> <command>UPDATE</command> </entry> + <entry> <para> Applied when an object is updated </para> </entry> + <entry><para>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</para></entry> + <entry><para>see EXCHANGE and QUEUE properties</para></entry> + </row> + <row> + <entry> <command>CONFIGURE</command> </entry> + <entry> <para> Applied when an object is configured via REST management interfaces.</para> </entry> + <entry><para>BROKER</para></entry> + <entry><para> </para></entry> + </row> + <row> + <entry><command>ACCESS_LOGS</command> </entry> + <entry><para>Allows/denies to the specific user an operation to download broker log file(s) over REST interfaces</para> </entry> + <entry><para>BROKER</para></entry> + <entry><para> </para></entry> + </row> + </tbody> + </tgroup> + </table> + <table id="table-Java-Broker-Security-ACLs-Syntax_objects"> + <title>List of ACL objects</title> + <tgroup cols="4"> + <thead> + <row> + <entry><para>Object type</para></entry> + <entry><para>Description</para></entry> + <entry><para>Supported actions</para></entry> + <entry><para>Supported properties</para></entry> + </row> + </thead> + <tbody> + <row> + <entry> <command>VIRTUALHOSTNODE</command> </entry> + <entry> <para>A virtualhostnode or remote replication node</para> </entry> + <entry><para>ALL, CREATE, UPDATE, DELETE</para> </entry> + <entry><para>name</para> </entry> + </row> + <row> + <entry> <command>VIRTUALHOST</command> </entry> + <entry> <para>A virtualhost</para> </entry> + <entry><para>ALL, CREATE, UPDATE, DELETE, ACCESS</para> </entry> + <entry><para>name</para> </entry> + </row> + <row> + <entry> <command>MANAGEMENT </command> </entry> + <entry> <para>Management - for web and JMX</para> </entry> + <entry><para>ALL, ACCESS</para> </entry> + <entry><para> </para></entry> + </row> + <row> + <entry> <command>QUEUE</command> </entry> + <entry> <para>A queue </para> </entry> + <entry><para>ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE</para></entry> + <entry><para>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</para></entry> + </row> + <row> + <entry> <command>EXCHANGE</command> </entry> + <entry><para>An exchange</para></entry> + <entry><para>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE</para></entry> + <entry><para>name, autodelete, temporary, durable, type, virtualhost_name, queuename(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</para></entry> + </row> + <row> + <entry> <command>USER</command> </entry> + <entry> <para>A user</para> </entry> + <entry><para>ALL, CREATE, DELETE, UPDATE</para></entry> + <entry><para>name</para></entry> + </row> + <row> + <entry> <command>GROUP</command> </entry> + <entry> <para>A group</para> </entry> + <entry><para>ALL, CREATE, DELETE, UPDATE</para></entry> + <entry><para>name</para></entry> + </row> + <row> + <entry> <command>METHOD</command> </entry> + <entry> <para>Management or agent or broker method</para> </entry> + <entry><para>ALL, ACCESS, UPDATE</para></entry> + <entry><para>name, component, virtualhost_name</para></entry> + </row> + <row> + <entry> <command>BROKER</command> </entry> + <entry> <para>The broker</para> </entry> + <entry><para>ALL, CONFIGURE, ACCESS_LOGS</para></entry> + <entry><para> </para></entry> + </row> + </tbody> + </tgroup> + </table> + <table id="table-Java-Broker-Security-ACLs-Syntax_properties"> + <title>List of ACL properties</title> + <tgroup cols="2"> + <tbody> + <row> + <entry><command>name</command> </entry> + <entry> <para> String. Object name, such as a queue name, exchange name or JMX method name. </para> </entry> + </row> + <row> + <entry> <command>durable</command> </entry> + <entry> <para> Boolean. Indicates the object is durable </para> </entry> + </row> + <row> + <entry> <command>routingkey</command> </entry> + <entry> <para> String. Specifies routing key </para> </entry> + </row> + <row> + <entry> <command>autodelete</command> </entry> + <entry> <para> Boolean. Indicates whether or not the object gets deleted when the connection is closed </para> </entry> + </row> + <row> + <entry> <command>exclusive</command> </entry> + <entry> <para> Boolean. Indicates the presence of an <parameter>exclusive</parameter> flag </para> </entry> + </row> + <row> + <entry> <command>temporary</command> </entry> + <entry> <para> Boolean. Indicates the presence of an <parameter>temporary</parameter> flag </para> </entry> + </row> + <row> + <entry> <command>type</command> </entry> + <entry> <para> String. Type of object, such as topic, fanout, or xml </para> </entry> + </row> + <row> + <entry> <command>alternate</command> </entry> + <entry> <para> String. Name of the alternate exchange </para> </entry> + </row> + <row> + <entry> <command>queuename</command> </entry> + <entry> <para> String. Name of the queue (used only when the object is something other than <parameter>queue</parameter> </para> </entry> + </row> + <row> + <entry> <command>component</command> </entry> + <entry> <para> String. JMX component name</para> </entry> + </row> + <row> + <entry> <command>from_network</command> </entry> + <entry> + <para> + Comma-separated strings representing IPv4 address ranges. + </para> + <para> + Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. + </para> + <para> + The rule matches if any of the address ranges match the IPv4 address of the messaging client. + The address ranges are specified using either Classless Inter-Domain Routing notation + (e.g. 192.168.1.0/24; see <ulink url="http://tools.ietf.org/html/rfc4632">RFC 4632</ulink>) + or wildcards (e.g. 192.169.1.*). + </para> + </entry> + </row> + <row> + <entry> <command>from_hostname</command> </entry> + <entry> + <para> + Comma-separated strings representing hostnames, specified using Perl-style regular + expressions, e.g. .*\.example\.company\.com + </para> + <para> + Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. + </para> + <para> + The rule matches if any of the patterns match the hostname of the messaging client. + </para> + <para> + To look up the client's hostname, Qpid uses Java's DNS support, which internally caches its results. + </para> + <para> + You can modify the time-to-live of cached results using the *.ttl properties described on the + Java <ulink url="http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html">Networking + Properties</ulink> page. + </para> + <para> + For example, you can either set system property sun.net.inetaddr.ttl from the command line + (e.g. export QPID_OPTS="-Dsun.net.inetaddr.ttl=0") or networkaddress.cache.ttl in + $JAVA_HOME/lib/security/java.security. The latter is preferred because it is JVM + vendor-independent. + </para> + </entry> + </row> + <row> + <entry><command>virtualhost_name</command></entry> + <entry> + <para> + String. A name of virtual host to which the rule is applied. + </para> + </entry> + </row> + <row> + <entry><command>immediate</command></entry> + <entry> + <para> + Boolean. A property can be used to restrict PUBLISH action to publishing only messages with given immediate flag. + </para> + </entry> + </row> + </tbody> + </tgroup> + </table> + <table id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"> + <title>List of ACL JMX Components</title> + <tgroup cols="2"> + <tbody> + <row> + <entry> <command>UserManagement</command> </entry> + <entry> <para>User maintenance; create/delete/view users, change passwords etc</para> </entry> + </row> + <row> + <entry> <command>ConfigurationManagement</command> </entry> + <entry> <para>Dynamically reload configuration from disk.</para> </entry> + </row> + <row> + <entry> <command>LoggingManagement</command> </entry> + <entry> <para>Dynamically control Qpid logging level</para> </entry> + </row> + <row> + <entry> <command>ServerInformation</command> </entry> + <entry> <para>Read-only information regarding the Qpid: version number etc</para> </entry> + </row> + <row> + <entry> <command>VirtualHost.Queue</command> </entry> + <entry> <para>Queue maintenance; copy/move/purge/view etc</para> </entry> + </row> + <row> + <entry> <command>VirtualHost.Exchange</command> </entry> + <entry> <para>Exchange maintenance; bind/unbind queues to exchanges</para> </entry> + </row> + <row> + <entry> <command>VirtualHost.VirtualHost</command> </entry> + <entry> <para>Virtual host maintenace; create/delete exchanges, queues etc</para> </entry> + </row> + </tbody> + </tgroup> + </table> + <section role="h4" id="Java-Broker-Security-ACLs-WorkedExamples"> + <title> + Worked Examples + </title> + <para> + Here are some example ACLs illustrating common use cases. + In addition, note that the Java broker provides a complete example ACL file, located at etc/broker_example.acl. + </para> + <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample1"> + <title> + Worked example 1 - Management rights + </title> + <para> + Suppose you wish to permission two users: a user 'operator' must be able to perform all Management operations, and + a user 'readonly' must be enable to perform only read-only functions. Neither 'operator' nor 'readonly' + should be allowed to connect clients for messaging. + </para> + <programlisting> +# Deny (loggged) operator/readonly permission to connect messaging clients. +ACL DENY-LOG operator ACCESS VIRTUALHOST +ACL DENY-LOG readonly ACCESS VIRTUALHOST +# Give operator permission to perfom all other actions +ACL ALLOW operator ALL ALL +# Give readonly permission to execute only read-only actions +ACL ALLOW readonly ACCESS ALL +... +... rules for other users +... +# Explicitly deny all (log) to eveyone +ACL DENY-LOG ALL ALL + </programlisting> + </section> + <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample2"> + <title> + Worked example 2 - User maintainer group + </title> + <para> + Suppose you wish to restrict User Management operations to users belonging to a + <link linkend="Java-Broker-Security-Group-Providers">group</link> 'usermaint'. No other user + is allowed to perform user maintenance This example illustrates the permissioning of an individual component. + </para> + <programlisting> +# Give usermaint access to management and permission to execute all JMX Methods on the +# UserManagement MBean and perform all actions for USER objects +ACL ALLOW usermaint ACCESS MANAGEMENT +ACL ALLOW usermaint ALL METHOD component="UserManagement" +ACL ALLOW usermaint ALL USER +ACL DENY ALL ALL METHOD component="UserManagement" +ACL DENY ALL ALL USER +... +... rules for other users +... +ACL DENY-LOG ALL ALL + </programlisting> + </section> + <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample3"> + <title> + Worked example 3 - Request/Response messaging + </title> + <para> + Suppose you wish to permission a system using a request/response paradigm. Two users: 'client' publishes requests; + 'server' consumes the requests and generates a response. This example illustrates the permissioning of AMQP exchanges + and queues. + </para> + <programlisting> +# Allow client and server to connect to the virtual host. +ACL ALLOW client ACCESS VIRTUALHOST +ACL ALLOW server ACCESS VIRTUALHOST + +# Client side +# Allow the 'client' user to publish requests to the request queue. As is the norm for the request/response paradigm, the client +# is required to create a temporary queue on which the server will respond. Consequently, there are rules to allow the creation +# of the temporary queues and consumption of messages from it. +ACL ALLOW client CREATE QUEUE temporary="true" +ACL ALLOW client CONSUME QUEUE temporary="true" +ACL ALLOW client DELETE QUEUE temporary="true" +ACL ALLOW client BIND EXCHANGE name="amq.direct" temporary="true" +ACL ALLOW client UNBIND EXCHANGE name="amq.direct" temporary="true" +ACL ALLOW client PUBLISH EXCHANGE name="amq.direct" routingKey="example.RequestQueue" + +# Server side +# Allow the 'server' user to consume from the request queue and publish a response to the temporary response queue created by +# client. We also allow the server to create the request queue. +ACL ALLOW server CREATE QUEUE name="example.RequestQueue" +ACL ALLOW server CONSUME QUEUE name="example.RequestQueue" +ACL ALLOW server BIND EXCHANGE +ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*" + +ACL DENY-LOG all all + </programlisting> + </section> + <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample4"> + <title> + Worked example 4 - firewall-like access control + </title> + <para> + This example illustrates how to set up an ACL that restricts the IP addresses and hostnames + of messaging clients that can access a virtual host. + </para> + <programlisting> +################ +# Hostname rules +################ + +# Allow messaging clients from company1.com and company1.co.uk to connect +ACL ALLOW all ACCESS VIRTUALHOST from_hostname=".*\.company1\.com,.*\.company1\.co\.uk" + +# Deny messaging clients from hosts within the dev subdomain +ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.dev\.company1\.com" + +################## +# IP address rules +################## + +# Deny access to all users in the IP ranges 192.168.1.0-192.168.1.255 and 192.168.2.0-192.168.2.255, +# using the notation specified in RFC 4632, "Classless Inter-domain Routing (CIDR)" +ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ + from_network="192.168.1.0/24,192.168.2.0/24" + +# Deny access to all users in the IP ranges 192.169.1.0-192.169.1.255 and 192.169.2.0-192.169.2.255, +# using wildcard notation. +ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ + from_network="192.169.1.*,192.169.2.*" + +ACL DENY-LOG all all + </programlisting> + </section> + <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample5"> + <title> + Worked example 5 - REST management ACL example + </title> + <para> + This example illustrates how to set up an ACL that restricts usage of REST management interfaces. + </para> + <programlisting> +# allow to the users from webadmins group to change broker model +# this rule allows adding/removing/editing of Broker level objects: +# Broker, Group Provider, Authentication Provider, Port, Access Control Provider etc +ACL ALLOW-LOG webadmins CONFIGURE BROKER + +# allow to the users from webadmins group to perform +# create/update/delete on virtualhost node and children +ACL ALLOW-LOG webadmins CREATE VIRTUALHOSTNODE +ACL ALLOW-LOG webadmins UPDATE VIRTUALHOSTNODE +ACL ALLOW-LOG webadmins DELETE VIRTUALHOSTNODE +ACL ALLOW-LOG webadmins CREATE VIRTUALHOST +ACL ALLOW-LOG webadmins UPDATE VIRTUALHOST +ACL ALLOW-LOG webadmins DELETE VIRTUALHOST +ACL ALLOW-LOG webadmins CREATE QUEUE +ACL ALLOW-LOG webadmins UPDATE QUEUE +ACL ALLOW-LOG webadmins DELETE QUEUE +ACL ALLOW-LOG webadmins PURGE QUEUE +ACL ALLOW-LOG webadmins CREATE EXCHANGE +ACL ALLOW-LOG webadmins DELETE EXCHANGE +ACL ALLOW-LOG webadmins BIND EXCHANGE +ACL ALLOW-LOG webadmins UNBIND EXCHANGE + +# allow to the users from webadmins group to create/update/delete groups on Group Providers +ACL ALLOW-LOG webadmins CREATE GROUP +ACL ALLOW-LOG webadmins DELETE GROUP +ACL ALLOW-LOG webadmins UPDATE GROUP + +# allow to the users from webadmins group to create/update/delete users for Authentication Providers +ACL ALLOW-LOG webadmins CREATE USER +ACL ALLOW-LOG webadmins DELETE USER +ACL ALLOW-LOG webadmins UPDATE USER + +# allow to the users from webadmins group to move, copy, delete messagaes, and clear the queue +# using REST management interfaces +ACL ALLOW-LOG webadmins UPDATE METHOD + +# at the moment only the following UPDATE METHOD rules are supported by web management console +#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages" +#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages" +#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages" +#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="clearQueue" + +ACL DENY-LOG all all + </programlisting> + </section> + </section> +</section> |