[CONF] Apache Qpid: ACL (page edited)

confluence Tue, 27 Jan 2009 03:28:35 -0800

Page Edited : qpid : ACL

ACL has been edited by Martin Ritchie (Jan 27, 2009).

Content:

v2 ACL file format for brokers

This new ACL implementation has been designed for implementation and interoperability on all Qpid brokers. It is currently supported in the following brokers:

Broker	Version
C++	M4 onward
Java	M5 anticipated

Contents

v2 ACL file format for brokers
Design Documentation
- Mapping of ACL traps to action and type
v2 ACL User Guide

Specification

Notes on file formats

A line starting with the character '#' will be considered a comment, and are ignored.
Since the '#' char (and others that are commonly used for comments) are commonly found in routing keys and other AMQP literals, it is simpler (for now) to hold off on allowing trailing comments (ie comments in which everything following a '#' is considered a comment). This could be reviewed later once the rest of the format is finalized.
Empty lines ("") and lines that contain only whitespace (any combination of ' ', '\f', '\n', '\r', '\t', '\v') are ignored.
All tokens are case sensitive. "name1" != "Name1" and "create" != "CREATE".

Group lists may be extended to the following line by terminating the line with the '\' character. However, this may only occur after the group name or any of the names following the group name. Empty extension lines (ie just a '\' character) are not permitted.

# Examples of extending group lists using a trailing '\' character


group group1 name1 name2 \
             name3 name4 \
             name5

group group2 \
             group1 \
             name6

# The following are illegal:

# '\' must be after group name
group \
      group3 name7 name8

# No empty extension lines
group group4 name9 \
                   \
             name10

Additional whitespace (ie more than one whitespace char) between and after tokens is ignored. However group and acl definitions must start with "group" or "acl" respectively and with no preceding whitespace.
All acl rules are limited to a single line.
Rules are interpreted from the top of the file down until the name match is obtained; at which point processing stops.
The keyword "all" is reserved, and matches all individuals, groups and actions. It may be used in place of a group or individual name and/or an action - eg "acl allow all all", "acl deny all all" or "acl deny user1 all".
The last line of the file (whether present or not) will be assumed to be "acl deny all all". If present in the file, any lines below this one are ignored.
Names and group names may contain only a-z, A-Z, 0-9, '-','_'.
Rules must be preceded by any group definitions they may use; any name not previously defined as a group will be assumed to be that of an individual.
ACL rules must have the following tokens in order on a single line:
- The string literal "acl";
- The permission;
- The name of a single group or individual or the keyword "all";
- The name of an action or the keyword "all";
- Optionally, a single object name or the keyword "all";
- If the object is present, then optionally one or more property name-value pair(s) (in the form property=value).

user = userna...@domain[/realm]]
user-list = user1 user2 user3 ...
group-name-list = group1 group2 group3 ...

group <group-name> = [user-list] [group-name-list]


permission = [allow|allow-log|deny|deny-log]
action = ""
object = [virtualhost|queue|exchange|broker|link|route|method]
property = [name|durable|owner|routingkey|passive|autodelete|exclusive|type|alternate|queuename|schemapackage|schemaclass]

acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"] [property=<property-value>]

Validation

The new ACL file format needs to perform validation on the acl rules. The validation should be performed depending on the set value:

strict-acl-validation=none
The default setting should be 'warn'

On validation of this acl the following checks would be expected:

acl allow client publish routingkey=exampleQueue exchange=amq.direct

The If the user 'client' cannot be found, if the authentication mechanism cannot be queried then a 'user' value should be added to the file.
There is an exchange called 'amq.direct'
There is a queue bound to 'exampleQueue' on 'amq.direct'

Each of these checks that fail will result in a log statement being generated.

In the case of a fatal logging the full file will be validated before the broker shuts down.

Example file:

# Some Users
user t...@qpid
user mar...@qpid
user k...@qpid
user r...@qpid
user t...@qpid
user and...@qpid
user deb...@qpid

# Some groups
group admin t...@qpid mar...@qpid
group user-consume mar...@qpid t...@qpid
group group2 k...@qpid user-consume r...@qpid
group publisher group2 \
                t...@qpid and...@qpid deb...@qpid

# Some rules
acl allow ca...@qpid create exchange name=carl.*
acl deny r...@qpid create queue
acl allow gu...@qpid bind exchange name=amq.topic routingkey=stocks.ibm.#  owner=self
acl allow user-consume create queue name=tmp.*

acl allow publisher publish all durable=false
acl allow publisher create queue name=RequestQueue
acl allow consumer consume queue durable=true
acl allow f...@qpid create all
acl allow b...@qpid all queue
acl allow admin all
acl deny k...@qpid all
acl allow all consume queue owner=self
acl allow all bind exchange owner=self

# Last (default) rule
acl deny all all

Design Documentation

Mapping of ACL traps to action and type

The C++ broker maps the ACL traps in the follow way for AMQP 0-10:
The Java broker currently only performs ACLs on the AMQP connection not on management functions:

Object	Action	Properties	Trap C++	Trap Java
Exchange	Create	name type alternate passive durable	ExchangeHandlerImpl::declare	ExchangeDeclareHandler
Exchange	Delete	name	ExchangeHandlerImpl::delete	ExchangeDeleteHandler
Exchange	Access	name	ExchangeHandlerImpl::query
Exchange	Bind	name routingkey queuename owner	ExchangeHandlerImpl::bind	QueueBindHandler
Exchange	Unbind	name routingkey	ExchangeHandlerImpl::unbind	ExchangeUnbindHandler
Exchange	Access	name queuename routingkey	ExchangeHandlerImpl::bound
Exchange	Publish	name routingKey	SemanticState::route	BasicPublishMethodHandler
Queue	Access	name	QueueHandlerImpl::query
Queue	Create	name alternate passive durable exclusive autodelete	QueueHandlerImpl::declare	QueueDeclareHandler
Queue	Purge	name	QueueHandlerImpl::purge	QueuePurgeHandler
Queue	Purge	name	Management::Queue::purge
Queue	Delete	name	QueueHandlerImpl::delete	QueueDeleteHandler
Queue	Consume	name (possibly add in future?)	MessageHandlerImpl::subscribe	BasicConsumeMethodHandler BasicGetMethodHandler
<Object>	Update		ManagementProperty::set
<Object>	Access		ManagementProperty::read
Link	Create		Management::connect
Route	Create		Management:: -~~createFederationRoute~~-
Route	Delete		Management:: -~~deleteFederationRoute~~-
Virtualhost	Access	name	TBD	ConnectionOpenMethodHandler

Management actions that are not explicitly given a name property it will default the name property to management method name, if the action is 'W' Action will be 'Update', if 'R' Action will be 'Access'.

for example, if the mgnt method 'joinCluster' was not mapped in schema it will be mapped in ACL file as follows

Object	Action	Property
Broker	Update	name=joinCluster

v2 ACL User Guide

Writing Good/Fast ACL

The file gets read top down and rule get passed based on the first match. In the following example the first rule is a dead rule. I.e. the second rule is wider than the first rule. DON'T do this, it will force extra analysis, worst case if the parser does not kill the dead rule you might get a false deny.

allow pe...@qpid create queue name=tmp <-- dead rule!!
allow pe...@qpid create queue
deny all all

By default files end with

deny all all

the mode of the ACL engine can be swapped to be allow based by putting the following at the end of the file

allow all all

Note that 'allow' based file will be a LOT faster for message transfer. This is because the AMQP specification does not allow for creating subscribes on publish, so the ACL is executed on every message transfer. Also, ACL's rules using less properties on publish will in general be faster.

Getting ACL to Log

In order to get log messages from ACL actions use allow-log and deny-log for example

allow-log j...@qpid all all
deny-log gu...@qpid all all

User Id / domains running with C++ broker

The user-id used for ACL is taken from the connection user-id. Thus in order to use ACL the broker authentication has to be setup. i.e. (if --auth no is used in combination with ACL the broker will deny everything)

The user id in the ACL file is of the form <user-id>@<domain> The Domain is configured via the SASL configuration for the broker, and the domain/realm for qpidd is set using --realm and default to 'QPID'.

To load the ACL module use, load the acl module cmd line or via the config file

./src/qpidd --load-module src/.libs/acl.so

The ACL plugin provides the following option '--acl-file'. If do ACL file is supplied the broker will not enforce ACL. If an ACL file name is supplied, and the file does not exist or is invalid the broker will not start.

ACL Options:
  --acl-file FILE       The policy file to load from, loaded from data dir

Powered by Atlassian Confluence (Version: 2.2.9 Build:#527 Sep 07, 2006) - Bug/feature request

Unsubscribe or edit your notifications preferences

--------------------------------------------------------------------- Apache Qpid - AMQP Messaging Implementation Project: http://qpid.apache.org Use/Interact: mailto:commits-subscr...@qpid.apache.org