diff options
Diffstat (limited to 'qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml')
| -rw-r--r-- | qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml | 646 |
1 files changed, 0 insertions, 646 deletions
diff --git a/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml b/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml deleted file mode 100644 index 95d718df29..0000000000 --- a/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml +++ /dev/null @@ -1,646 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> - -<!-- - - Licensed to the Apache Software Foundation (ASF) under one - or more contributor license agreements. See the NOTICE file - distributed with this work for additional information - regarding copyright ownership. The ASF licenses this file - to you under the Apache License, Version 2.0 (the - "License"); you may not use this file except in compliance - with the License. You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, - software distributed under the License is distributed on an - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - KIND, either express or implied. See the License for the - specific language governing permissions and limitations - under the License. - ---> - -<section id="Java-Broker-Security-ACLs"> - <title>Access Control Lists</title> - <para> - In Qpid, Access Control Lists (ACLs) specify which actions can be performed by each authenticated user. - To enable, an <emphasis>Access Control Provider</emphasis> needs to be configured on the <emphasis>Broker</emphasis>. - The <emphasis>Access Control Provider</emphasis> of type "AclFile" uses local file to specify the ACL rules. - By convention, this file should have a .acl extension. - </para> - - <para> - A Group Provider can be configured with ACL to define the user groups which can be used in ACL - to determine the ACL rules applicable to the entire group. The configuration details for the Group Providers are described in - <xref linkend="Java-Broker-Security-Group-Providers"/>. On creation of ACL Provider with group rules, - the Group Provider should be added first. Otherwise, if the individual ACL rules are not defined for the logged principal - the following invocation of management operations could be denied due to absence of the required groups.</para> - - <para>Only one <emphasis>Access Control Provider</emphasis> can be used by the Broker. - If several <emphasis>Access Control Providers</emphasis> are configured on Broker level - only one of them will be used (the latest one). - </para> - - <para> - The ACL Providers can be configured using <link linkend="Java-Broker-Management-Channel-REST-API">REST Management interfaces</link> - and <link linkend="Java-Broker-Management-Channel-Web-Console">Web Management Console</link>. - </para> - - <para>The following ACL Provider managing operations are available from Web Management Console: - <itemizedlist> - <listitem><para>A new ACL Provider can be added by clicking onto "Add Access Control Provider" on the Broker tab.</para></listitem> - <listitem><para>An ACL Provider details can be viewed on the Access Control Provider tab. - The tab is shown after clicking onto ACL Provider name in the Broker object tree or after clicking - onto ACL Provider row in ACL Providers grid on the Broker tab.</para></listitem> - <listitem><para>An existing ACL Provider can be deleted by clicking onto buttons "Delete Access Control Provider" - on the Broker tab or Access Control Provider tab.</para></listitem> - </itemizedlist> - </para> - - <section role="h3" id="Java-Broker-Security-ACLs-WriteACL"> - <title> - Writing .acl files - </title> - - <para> - The ACL file consists of a series of rules associating behaviour for a user or group. Use of groups can serve to make the ACL file more concise. See <link linkend="Java-Broker-Security-Group-Providers">Configuring Group Providers</link> for more information on defining groups. - </para> - <para> - Each ACL rule grants or denies a particular action on an object to a user/group. The rule may be augmented with one or more properties, restricting - the rule's applicability. - </para> - <programlisting> - ACL ALLOW alice CREATE QUEUE # Grants alice permission to create all queues. - ACL DENY bob CREATE QUEUE name="myqueue" # Denies bob permission to create a queue called "myqueue" - </programlisting> - <para> - The ACL is considered in strict line order with the first matching rule taking precedence over all those that follow. In the following - example, if the user bob tries to create an exchange "myexch", the operation will be allowed by the first rule. The second rule will - never be considered. - </para> - <programlisting> - ACL ALLOW bob ALL EXCHANGE - ACL DENY bob CREATE EXCHANGE name="myexch" # Dead rule - </programlisting> - <para> - If the desire is to allow bob to create all exchanges except "myexch", order of the rules must be reversed: - </para> - <programlisting> - ACL DENY bob CREATE EXCHANGE name="myexch" - ACL ALLOW bob ALL EXCHANGE - </programlisting> - <para> - All ACL files end with an implicit rule denying all operations to all users. It is as if each file ends with - <programlisting>ACL DENY ALL ALL </programlisting> - If instead you wish to <emphasis>allow</emphasis> all operations other than those controlled by earlier rules, - add <programlisting>ACL ALLOW ALL ALL</programlisting> to the bottom of the ACL file. - </para> - <para> - When writing a new ACL, a good approach is to begin with an .acl file containing only <programlisting>ACL DENY-LOG ALL ALL</programlisting> - which will cause the Broker to deny all operations with details of the denial logged to the Qpid log file. Build up the ACL rule by rule, - gradually working through the use-cases of your system. Once the ACL is complete, consider switching the DENY-LOG actions to DENY - to improve performamce and reduce log noise. - </para> - <para> - ACL rules are very powerful: it is possible to write very granular rules specifying many broker objects and their - properties. Most projects probably won't need this degree of flexibility. A reasonable approach is to choose to apply permissions - at a certain level of abstraction (e.g. QUEUE) and apply them consistently across the whole system. - </para> - <note> - <para> - Some rules can be restricted to the virtual host if property virtualhost_name is specified. - <example> - <title>Restrict rules to specific virtual hosts</title> - <programlisting> - ACL ALLOW bob CREATE QUEUE virtualhost_name="test" - ACL ALLOW bob ALL EXCHANGE virtualhost_name="prod" - </programlisting> - </example> - In the example above the first rule allows user "bob" to create queues on virtual host "test" only. - The second rule allows user "bob" any action with exchanges on virtual host "prod". - </para> - </note> - </section> - - <section role="h4" id="Java-Broker-Security-ACLs-Syntax"> - <title> - Syntax - </title> - - <para> - ACL rules follow this syntax: - </para> - <programlisting> - ACL {permission} {<group-name>|<user-name>|ALL} {action|ALL} [object|ALL] [property="<property-value>"] - </programlisting> - - <para> - Comments may be introduced with the hash (#) character and are ignored. Long lines can be broken with the slash (\) character. - </para> - <programlisting> - # A comment - ACL ALLOW admin CREATE ALL # Also a comment - ACL DENY guest \ - ALL ALL # A broken line - </programlisting> - </section> - <table id="table-Java-Broker-Security-ACLs-Syntax_permissions"> - <title>List of ACL permission</title> - <tgroup cols="2"> - <tbody> - <row> - <entry><command>ALLOW</command></entry> - <entry><para>Allow the action</para></entry> - </row> - <row> - <entry><command>ALLOW-LOG</command></entry> - <entry><para> Allow the action and log the action in the log </para></entry> - </row> - <row> - <entry><command>DENY</command></entry> - <entry><para> Deny the action</para></entry> - </row> - <row> - <entry><command>DENY-LOG</command></entry> - <entry><para> Deny the action and log the action in the log</para></entry> - </row> - </tbody> - </tgroup> - </table> - <table id="table-Java-Broker-Security-ACLs-Syntax_actions"> - <title>List of ACL actions</title> - <tgroup cols="4"> - <thead> - <row> - <entry><para>Action</para></entry> - <entry><para>Description</para></entry> - <entry><para>Supported object types</para></entry> - <entry><para>Supported properties</para></entry> - </row> - </thead> - <tbody> - <row> - <entry> <command>CONSUME</command> </entry> - <entry> <para> Applied when subscriptions are created </para> </entry> - <entry><para>QUEUE</para></entry> - <entry><para>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</para></entry> - </row> - <row> - <entry> <command>PUBLISH</command> </entry> - <entry> <para> Applied on a per message basis on publish message transfers</para> </entry> - <entry><para>EXCHANGE</para></entry> - <entry><para>name, routingkey, immediate, virtualhost_name</para></entry> - </row> - <row> - <entry> <command>CREATE</command> </entry> - <entry> <para> Applied when an object is created, such as bindings, queues, exchanges</para> </entry> - <entry><para>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</para></entry> - <entry><para>see properties on the corresponding object type</para></entry> - </row> - <row> - <entry> <command>ACCESS</command> </entry> - <entry> <para> Applied when an object is read or accessed</para> </entry> - <entry><para>VIRTUALHOST, MANAGEMENT</para></entry> - <entry><para>name (for VIRTUALHOST only)</para></entry> - </row> - <row> - <entry> <command>BIND</command> </entry> - <entry> <para> Applied when queues are bound to exchanges</para> </entry> - <entry><para>EXCHANGE</para></entry> - <entry><para>name, routingKey, queuename, virtualhost_name, temporary, durable</para></entry> - </row> - <row> - <entry> <command>UNBIND</command> </entry> - <entry> <para> Applied when queues are unbound from exchanges</para> </entry> - <entry><para>EXCHANGE</para></entry> - <entry><para>name, routingKey, queuename, virtualhost_name, temporary, durable</para></entry> - </row> - <row> - <entry> <command>DELETE</command> </entry> - <entry> <para> Applied when objects are deleted </para> </entry> - <entry><para>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</para></entry> - <entry><para>see properties on the corresponding object type</para></entry> - </row> - <row> - <entry> <command>PURGE</command> </entry> <entry> - <para>Applied when purge the contents of a queue</para> </entry> - <entry><para>QUEUE</para></entry> - <entry><para> </para></entry> - </row> - <row> - <entry> <command>UPDATE</command> </entry> - <entry> <para> Applied when an object is updated </para> </entry> - <entry><para>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</para></entry> - <entry><para>see EXCHANGE and QUEUE properties</para></entry> - </row> - <row> - <entry> <command>CONFIGURE</command> </entry> - <entry> <para> Applied when an object is configured via REST management interfaces.</para> </entry> - <entry><para>BROKER</para></entry> - <entry><para> </para></entry> - </row> - <row> - <entry><command>ACCESS_LOGS</command> </entry> - <entry><para>Allows/denies to the specific user an operation to download broker log file(s) over REST interfaces</para> </entry> - <entry><para>BROKER</para></entry> - <entry><para> </para></entry> - </row> - </tbody> - </tgroup> - </table> - <table id="table-Java-Broker-Security-ACLs-Syntax_objects"> - <title>List of ACL objects</title> - <tgroup cols="4"> - <thead> - <row> - <entry><para>Object type</para></entry> - <entry><para>Description</para></entry> - <entry><para>Supported actions</para></entry> - <entry><para>Supported properties</para></entry> - </row> - </thead> - <tbody> - <row> - <entry> <command>VIRTUALHOSTNODE</command> </entry> - <entry> <para>A virtualhostnode or remote replication node</para> </entry> - <entry><para>ALL, CREATE, UPDATE, DELETE</para> </entry> - <entry><para>name</para> </entry> - </row> - <row> - <entry> <command>VIRTUALHOST</command> </entry> - <entry> <para>A virtualhost</para> </entry> - <entry><para>ALL, CREATE, UPDATE, DELETE, ACCESS</para> </entry> - <entry><para>name</para> </entry> - </row> - <row> - <entry> <command>MANAGEMENT </command> </entry> - <entry> <para>Management - for web and JMX</para> </entry> - <entry><para>ALL, ACCESS</para> </entry> - <entry><para> </para></entry> - </row> - <row> - <entry> <command>QUEUE</command> </entry> - <entry> <para>A queue </para> </entry> - <entry><para>ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE</para></entry> - <entry><para>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</para></entry> - </row> - <row> - <entry> <command>EXCHANGE</command> </entry> - <entry><para>An exchange</para></entry> - <entry><para>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE</para></entry> - <entry><para>name, autodelete, temporary, durable, type, virtualhost_name, queuename(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</para></entry> - </row> - <row> - <entry> <command>USER</command> </entry> - <entry> <para>A user</para> </entry> - <entry><para>ALL, CREATE, DELETE, UPDATE</para></entry> - <entry><para>name</para></entry> - </row> - <row> - <entry> <command>GROUP</command> </entry> - <entry> <para>A group</para> </entry> - <entry><para>ALL, CREATE, DELETE, UPDATE</para></entry> - <entry><para>name</para></entry> - </row> - <row> - <entry> <command>METHOD</command> </entry> - <entry> <para>Management or agent or broker method</para> </entry> - <entry><para>ALL, ACCESS, UPDATE</para></entry> - <entry><para>name, component, virtualhost_name</para></entry> - </row> - <row> - <entry> <command>BROKER</command> </entry> - <entry> <para>The broker</para> </entry> - <entry><para>ALL, CONFIGURE, ACCESS_LOGS</para></entry> - <entry><para> </para></entry> - </row> - </tbody> - </tgroup> - </table> - <table id="table-Java-Broker-Security-ACLs-Syntax_properties"> - <title>List of ACL properties</title> - <tgroup cols="2"> - <tbody> - <row> - <entry><command>name</command> </entry> - <entry> <para> String. Object name, such as a queue name, exchange name or JMX method name. </para> </entry> - </row> - <row> - <entry> <command>durable</command> </entry> - <entry> <para> Boolean. Indicates the object is durable </para> </entry> - </row> - <row> - <entry> <command>routingkey</command> </entry> - <entry> <para> String. Specifies routing key </para> </entry> - </row> - <row> - <entry> <command>autodelete</command> </entry> - <entry> <para> Boolean. Indicates whether or not the object gets deleted when the connection is closed </para> </entry> - </row> - <row> - <entry> <command>exclusive</command> </entry> - <entry> <para> Boolean. Indicates the presence of an <parameter>exclusive</parameter> flag </para> </entry> - </row> - <row> - <entry> <command>temporary</command> </entry> - <entry> <para> Boolean. Indicates the presence of an <parameter>temporary</parameter> flag </para> </entry> - </row> - <row> - <entry> <command>type</command> </entry> - <entry> <para> String. Type of object, such as topic, fanout, or xml </para> </entry> - </row> - <row> - <entry> <command>alternate</command> </entry> - <entry> <para> String. Name of the alternate exchange </para> </entry> - </row> - <row> - <entry> <command>queuename</command> </entry> - <entry> <para> String. Name of the queue (used only when the object is something other than <parameter>queue</parameter> </para> </entry> - </row> - <row> - <entry> <command>component</command> </entry> - <entry> <para> String. JMX component name</para> </entry> - </row> - <row> - <entry> <command>from_network</command> </entry> - <entry> - <para> - Comma-separated strings representing IPv4 address ranges. - </para> - <para> - Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. - </para> - <para> - The rule matches if any of the address ranges match the IPv4 address of the messaging client. - The address ranges are specified using either Classless Inter-Domain Routing notation - (e.g. 192.168.1.0/24; see <ulink url="http://tools.ietf.org/html/rfc4632">RFC 4632</ulink>) - or wildcards (e.g. 192.169.1.*). - </para> - </entry> - </row> - <row> - <entry> <command>from_hostname</command> </entry> - <entry> - <para> - Comma-separated strings representing hostnames, specified using Perl-style regular - expressions, e.g. .*\.example\.company\.com - </para> - <para> - Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. - </para> - <para> - The rule matches if any of the patterns match the hostname of the messaging client. - </para> - <para> - To look up the client's hostname, Qpid uses Java's DNS support, which internally caches its results. - </para> - <para> - You can modify the time-to-live of cached results using the *.ttl properties described on the - Java <ulink url="http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html">Networking - Properties</ulink> page. - </para> - <para> - For example, you can either set system property sun.net.inetaddr.ttl from the command line - (e.g. export QPID_OPTS="-Dsun.net.inetaddr.ttl=0") or networkaddress.cache.ttl in - $JAVA_HOME/lib/security/java.security. The latter is preferred because it is JVM - vendor-independent. - </para> - </entry> - </row> - <row> - <entry><command>virtualhost_name</command></entry> - <entry> - <para> - String. A name of virtual host to which the rule is applied. - </para> - </entry> - </row> - <row> - <entry><command>immediate</command></entry> - <entry> - <para> - Boolean. A property can be used to restrict PUBLISH action to publishing only messages with given immediate flag. - </para> - </entry> - </row> - </tbody> - </tgroup> - </table> - <table id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"> - <title>List of ACL JMX Components</title> - <tgroup cols="2"> - <tbody> - <row> - <entry> <command>UserManagement</command> </entry> - <entry> <para>User maintenance; create/delete/view users, change passwords etc</para> </entry> - </row> - <row> - <entry> <command>ConfigurationManagement</command> </entry> - <entry> <para>Dynamically reload configuration from disk.</para> </entry> - </row> - <row> - <entry> <command>LoggingManagement</command> </entry> - <entry> <para>Dynamically control Qpid logging level</para> </entry> - </row> - <row> - <entry> <command>ServerInformation</command> </entry> - <entry> <para>Read-only information regarding the Qpid: version number etc</para> </entry> - </row> - <row> - <entry> <command>VirtualHost.Queue</command> </entry> - <entry> <para>Queue maintenance; copy/move/purge/view etc</para> </entry> - </row> - <row> - <entry> <command>VirtualHost.Exchange</command> </entry> - <entry> <para>Exchange maintenance; bind/unbind queues to exchanges</para> </entry> - </row> - <row> - <entry> <command>VirtualHost.VirtualHost</command> </entry> - <entry> <para>Virtual host maintenace; create/delete exchanges, queues etc</para> </entry> - </row> - </tbody> - </tgroup> - </table> - <section role="h4" id="Java-Broker-Security-ACLs-WorkedExamples"> - <title> - Worked Examples - </title> - <para> - Here are some example ACLs illustrating common use cases. - In addition, note that the Java broker provides a complete example ACL file, located at etc/broker_example.acl. - </para> - <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample1"> - <title> - Worked example 1 - Management rights - </title> - <para> - Suppose you wish to permission two users: a user 'operator' must be able to perform all Management operations, and - a user 'readonly' must be enable to perform only read-only functions. Neither 'operator' nor 'readonly' - should be allowed to connect clients for messaging. - </para> - <programlisting> -# Deny (loggged) operator/readonly permission to connect messaging clients. -ACL DENY-LOG operator ACCESS VIRTUALHOST -ACL DENY-LOG readonly ACCESS VIRTUALHOST -# Give operator permission to perfom all other actions -ACL ALLOW operator ALL ALL -# Give readonly permission to execute only read-only actions -ACL ALLOW readonly ACCESS ALL -... -... rules for other users -... -# Explicitly deny all (log) to eveyone -ACL DENY-LOG ALL ALL - </programlisting> - </section> - <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample2"> - <title> - Worked example 2 - User maintainer group - </title> - <para> - Suppose you wish to restrict User Management operations to users belonging to a - <link linkend="Java-Broker-Security-Group-Providers">group</link> 'usermaint'. No other user - is allowed to perform user maintenance This example illustrates the permissioning of an individual component. - </para> - <programlisting> -# Give usermaint access to management and permission to execute all JMX Methods on the -# UserManagement MBean and perform all actions for USER objects -ACL ALLOW usermaint ACCESS MANAGEMENT -ACL ALLOW usermaint ALL METHOD component="UserManagement" -ACL ALLOW usermaint ALL USER -ACL DENY ALL ALL METHOD component="UserManagement" -ACL DENY ALL ALL USER -... -... rules for other users -... -ACL DENY-LOG ALL ALL - </programlisting> - </section> - <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample3"> - <title> - Worked example 3 - Request/Response messaging - </title> - <para> - Suppose you wish to permission a system using a request/response paradigm. Two users: 'client' publishes requests; - 'server' consumes the requests and generates a response. This example illustrates the permissioning of AMQP exchanges - and queues. - </para> - <programlisting> -# Allow client and server to connect to the virtual host. -ACL ALLOW client ACCESS VIRTUALHOST -ACL ALLOW server ACCESS VIRTUALHOST - -# Client side -# Allow the 'client' user to publish requests to the request queue. As is the norm for the request/response paradigm, the client -# is required to create a temporary queue on which the server will respond. Consequently, there are rules to allow the creation -# of the temporary queues and consumption of messages from it. -ACL ALLOW client CREATE QUEUE temporary="true" -ACL ALLOW client CONSUME QUEUE temporary="true" -ACL ALLOW client DELETE QUEUE temporary="true" -ACL ALLOW client BIND EXCHANGE name="amq.direct" temporary="true" -ACL ALLOW client UNBIND EXCHANGE name="amq.direct" temporary="true" -ACL ALLOW client PUBLISH EXCHANGE name="amq.direct" routingKey="example.RequestQueue" - -# Server side -# Allow the 'server' user to consume from the request queue and publish a response to the temporary response queue created by -# client. We also allow the server to create the request queue. -ACL ALLOW server CREATE QUEUE name="example.RequestQueue" -ACL ALLOW server CONSUME QUEUE name="example.RequestQueue" -ACL ALLOW server BIND EXCHANGE -ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*" - -ACL DENY-LOG all all - </programlisting> - </section> - <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample4"> - <title> - Worked example 4 - firewall-like access control - </title> - <para> - This example illustrates how to set up an ACL that restricts the IP addresses and hostnames - of messaging clients that can access a virtual host. - </para> - <programlisting> -################ -# Hostname rules -################ - -# Allow messaging clients from company1.com and company1.co.uk to connect -ACL ALLOW all ACCESS VIRTUALHOST from_hostname=".*\.company1\.com,.*\.company1\.co\.uk" - -# Deny messaging clients from hosts within the dev subdomain -ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.dev\.company1\.com" - -################## -# IP address rules -################## - -# Deny access to all users in the IP ranges 192.168.1.0-192.168.1.255 and 192.168.2.0-192.168.2.255, -# using the notation specified in RFC 4632, "Classless Inter-domain Routing (CIDR)" -ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ - from_network="192.168.1.0/24,192.168.2.0/24" - -# Deny access to all users in the IP ranges 192.169.1.0-192.169.1.255 and 192.169.2.0-192.169.2.255, -# using wildcard notation. -ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ - from_network="192.169.1.*,192.169.2.*" - -ACL DENY-LOG all all - </programlisting> - </section> - <section role="h4" id="Java-Broker-Security-ACLs-WorkedExample5"> - <title> - Worked example 5 - REST management ACL example - </title> - <para> - This example illustrates how to set up an ACL that restricts usage of REST management interfaces. - </para> - <programlisting> -# allow to the users from webadmins group to change broker model -# this rule allows adding/removing/editing of Broker level objects: -# Broker, Group Provider, Authentication Provider, Port, Access Control Provider etc -ACL ALLOW-LOG webadmins CONFIGURE BROKER - -# allow to the users from webadmins group to perform -# create/update/delete on virtualhost node and children -ACL ALLOW-LOG webadmins CREATE VIRTUALHOSTNODE -ACL ALLOW-LOG webadmins UPDATE VIRTUALHOSTNODE -ACL ALLOW-LOG webadmins DELETE VIRTUALHOSTNODE -ACL ALLOW-LOG webadmins CREATE VIRTUALHOST -ACL ALLOW-LOG webadmins UPDATE VIRTUALHOST -ACL ALLOW-LOG webadmins DELETE VIRTUALHOST -ACL ALLOW-LOG webadmins CREATE QUEUE -ACL ALLOW-LOG webadmins UPDATE QUEUE -ACL ALLOW-LOG webadmins DELETE QUEUE -ACL ALLOW-LOG webadmins PURGE QUEUE -ACL ALLOW-LOG webadmins CREATE EXCHANGE -ACL ALLOW-LOG webadmins DELETE EXCHANGE -ACL ALLOW-LOG webadmins BIND EXCHANGE -ACL ALLOW-LOG webadmins UNBIND EXCHANGE - -# allow to the users from webadmins group to create/update/delete groups on Group Providers -ACL ALLOW-LOG webadmins CREATE GROUP -ACL ALLOW-LOG webadmins DELETE GROUP -ACL ALLOW-LOG webadmins UPDATE GROUP - -# allow to the users from webadmins group to create/update/delete users for Authentication Providers -ACL ALLOW-LOG webadmins CREATE USER -ACL ALLOW-LOG webadmins DELETE USER -ACL ALLOW-LOG webadmins UPDATE USER - -# allow to the users from webadmins group to move, copy, delete messagaes, and clear the queue -# using REST management interfaces -ACL ALLOW-LOG webadmins UPDATE METHOD - -# at the moment only the following UPDATE METHOD rules are supported by web management console -#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages" -#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages" -#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages" -#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="clearQueue" - -ACL DENY-LOG all all - </programlisting> - </section> - </section> -</section> |