Modified: qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-ACLs.html URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-ACLs.html?rev=1632181&r1=1632180&r2=1632181&view=diff ============================================================================== --- qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-ACLs.html (original) +++ qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-ACLs.html Wed Oct 15 21:29:55 2014 @@ -21,7 +21,7 @@ --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> - <title>11.3. Access Control Lists - Apache Qpid™</title> + <title>8.3. Access Control Lists - Apache Qpid™</title> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> 
@@ -106,8 +106,8 @@ </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-trunk/index.html">Qpid Trunk</a></li><li><a href="/releases/qpid-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.3. Access Control Lists</li></ul> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.3. Access Control Lists</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-SSL.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-ACLs"></a>11.3. Access Control Lists</h2></div></div></div><p> + <ul id="-path-navigation"><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-trunk/index.html">Qpid Trunk</a></li><li><a href="/releases/qpid-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>8.3. Access Control Lists</li></ul> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.3. Access Control Lists</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-ACLs"></a>8.3. Access Control Lists</h2></div></div></div><p> In Qpid, Access Control Lists (ACLs) specify which actions can be performed by each authenticated user. 
To enable, an <span class="emphasis"><em>Access Control Provider</em></span> needs to be configured on the <span class="emphasis"><em>Broker</em></span>. The <span class="emphasis"><em>Access Control Provider</em></span> of type "AclFile" uses local file to specify the ACL rules. 
@@ -115,23 +115,23 @@ </p><p> A Group Provider can be configured with ACL to define the user groups which can be used in ACL to determine the ACL rules applicable to the entire group. The configuration details for the Group Providers are described in - <a class="xref" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">Section 11.2, “Group Providers”</a>. On creation of ACL Provider with group rules, + <a class="xref" href="Java-Broker-Security-Group-Providers.html" title="8.2. Group Providers">Section 8.2, “Group Providers”</a>. On creation of ACL Provider with group rules, the Group Provider should be added first. Otherwise, if the individual ACL rules are not defined for the logged principal the following invocation of management operations could be denied due to absence of the required groups.</p><p>Only one <span class="emphasis"><em>Access Control Provider</em></span> can be used by the Broker. If several <span class="emphasis"><em>Access Control Providers</em></span> are configured on Broker level only one of them will be used (the latest one). </p><p> - The ACL Providers can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">REST Management interfaces</a> - and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>. + The ACL Providers can be configured using <a class="link" href="Java-Broker-Management-Channel-REST-API.html" title="6.3. REST API">REST Management interfaces</a> + and <a class="link" href="Java-Broker-Management-Channel-Web-Console.html" title="6.2. Web Management Console">Web Management Console</a>. 
</p><p>The following ACL Provider managing operations are available from Web Management Console: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new ACL Provider can be added by clicking onto "Add Access Control Provider" on the Broker tab.</p></li><li class="listitem"><p>An ACL Provider details can be viewed on the Access Control Provider tab. The tab is shown after clicking onto ACL Provider name in the Broker object tree or after clicking onto ACL Provider row in ACL Providers grid on the Broker tab.</p></li><li class="listitem"><p>An existing ACL Provider can be deleted by clicking onto buttons "Delete Access Control Provider" on the Broker tab or Access Control Provider tab.</p></li></ul></div><p> - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WriteACL"></a>11.3.1.  + </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WriteACL"></a>8.3.1.  Writing .acl files </h3></div></div></div><p> - The ACL file consists of a series of rules associating behaviour for a user or group. Use of groups can serve to make the ACL file more concise. See <a class="link" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">Configuring Group Providers</a> for more information on defining groups. + The ACL file consists of a series of rules associating behaviour for a user or group. Use of groups can serve to make the ACL file more concise. See <a class="link" href="Java-Broker-Security-Group-Providers.html" title="8.2. Group Providers">Configuring Group Providers</a> for more information on defining groups. </p><p> Each ACL rule grants or denies a particular action on an object to a user/group. The rule may be augmented with one or more properties, restricting the rule's applicability. 
@@ -151,7 +151,7 @@ ACL DENY bob CREATE EXCHANGE name="myexch" ACL ALLOW bob ALL EXCHANGE </pre><p> - All ACL files end with an implict rule denying all operations to all users. It is as if each file ends with + All ACL files end with an implicit rule denying all operations to all users. It is as if each file ends with </p><pre class="programlisting">ACL DENY ALL ALL </pre><p> If instead you wish to <span class="emphasis"><em>allow</em></span> all operations other than those controlled by earlier rules, add </p><pre class="programlisting">ACL ALLOW ALL ALL</pre><p> to the bottom of the ACL file. 
@@ -166,13 +166,13 @@ at a certain level of abstraction (e.g. QUEUE) and apply them consistently across the whole system. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Some rules can be restricted to the virtual host if property virtualhost_name is specified. - </p><div class="example"><a id="idm233114628336"></a><p class="title"><strong>Example 11.1. Restrict rules to specific virtual hosts</strong></p><div class="example-contents"><pre class="programlisting"> + </p><div class="example"><a id="idp808832"></a><p class="title"><strong>Example 8.1. Restrict rules to specific virtual hosts</strong></p><div class="example-contents"><pre class="programlisting"> ACL ALLOW bob CREATE QUEUE virtualhost_name="test" ACL ALLOW bob ALL EXCHANGE virtualhost_name="prod" </pre></div></div><p><br class="example-break" /> In the example above the first rule allows user "bob" to create queues on virtual host "test" only. The second rule allows user "bob" any action with exchanges on virtual host "prod". - </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-Syntax"></a>11.3.2.  + </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-Syntax"></a>8.3.2.  Syntax </h3></div></div></div><p> ACL rules follow this syntax: 
@@ -185,8 +185,8 @@ ACL ALLOW admin CREATE ALL # Also a comment ACL DENY guest \ ALL ALL # A broken line - </pre></div><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_permissions"></a><p class="title"><strong>Table 11.1. List of ACL permission</strong></p><div class="table-contents"><table border="1" summary="List of ACL permission"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>ALLOW</strong></span></td><td><p>Allow the action</p></td></tr><tr><td><span class="command"><strong>ALLOW-LOG</strong></span></td><td><p> Allow the action and log the action in the log </p></td></tr><tr><td><span class="command"><strong>DENY</strong></span></td><td><p> Deny the action</p></td></tr><tr><td><span class="command"><strong>DENY-LOG</strong></span></td><td><p> Deny the action and log the action in the log</p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_actions"></a><p class="title"><strong>Table 11.2. 
List of ACL actions</strong></p><div class="t able-contents"><table border="1" summary="List of ACL actions"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Action</p></th><th><p>Description</p></th><th><p>Supported object types</p></th><th><p>Supported properties</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>CONSUME</strong></span> </td><td> <p> Applied when subscriptions are created </p> </td><td><p>QUEUE</p></td><td><p>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>PUBLISH</strong></span> </td><td> <p> Applied on a per message basis on publish message transfers</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingkey, immediate, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>CREATE</strong></span> </td><td> <p> Applied when an object is created, such as bindings, queues, exchanges</p> </td><td><p>EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see properties on the corresponding o bject type</p></td></tr><tr><td> <span class="command"><strong>ACCESS</strong></span> </td><td> <p> Applied when an object is read or accessed</p> </td><td><p>VIRTUALHOST, MANAGEMENT</p></td><td><p>name (for VIRTUALHOST only)</p></td></tr><tr><td> <span class="command"><strong>BIND</strong></span> </td><td> <p> Applied when queues are bound to exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queuename, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>UNBIND</strong></span> </td><td> <p> Applied when queues are unbound from exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queuename, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>DELETE</strong></span> </td><td> <p> Applied when objects are deleted </p> </td><td><p>EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see properties on the corresponding object 
type</p></td></tr><tr><td> <span class="command"><strong>PURGE</str ong></span> </td><td> - <p>Applied when purge the contents of a queue</p> </td><td><p>QUEUE</p></td><td><p> </p></td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when an object is updated </p> </td><td><p>EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see EXCHANGE and QUEUE properties</p></td></tr><tr><td> <span class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when an object is configured via REST management interfaces.</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr><tr><td><span class="command"><strong>ACCESS_LOGS</strong></span> </td><td><p>Allows/denies to the specific user an operation to download broker log file(s) over REST interfaces</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_objects"></a><p class="title"><strong>Table 11.3. 
List of ACL objects</strong></p><div class="table-contents"> <table border="1" summary="List of ACL objects"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Object type</p></th><th><p>Description</p></th><th><p>Supported actions</p></th><th><p>Supported properties</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A virtualhost</p> </td><td><p>ALL, ACCESS</p> </td><td><p>name</p> </td></tr><tr><td> <span class="command"><strong>MANAGEMENT </strong></span> </td><td> <p>Management - for web and JMX</p> </td><td><p>ALL, ACCESS</p> </td><td><p> </p></td></tr><tr><td> <span class="command"><strong>QUEUE</strong></span> </td><td> <p>A queue </p> </td><td><p>ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE</p></td><td><p>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> </td><td><p>An exchange</p></td><td><p>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE</p>< /td><td><p>name, autodelete, temporary, durable, type, virtualhost_name, queuename(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</p></td></tr><tr><td> <span class="command"><strong>USER</strong></span> </td><td> <p>A user</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>GROUP</strong></span> </td><td> <p>A group</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>METHOD</strong></span> </td><td> <p>Management or agent or broker method</p> </td><td><p>ALL, ACCESS, UPDATE</p></td><td><p>name, component, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>BROKER</strong></span> </td><td> <p>The broker</p> </td><td><p>ALL, CONFIGURE, ACCESS_LOGS</p></td><td><p> </p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a 
id="table-Java-Broker-Security-ACLs-Syntax_properties"></a><p clas s="title"><strong>Table 11.4. List of ACL properties</strong></p><div class="table-contents"><table border="1" summary="List of ACL properties"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> </td><td> <p> String. Object name, such as a queue name, exchange name or JMX method name. </p> </td></tr><tr><td> <span class="command"><strong>durable</strong></span> </td><td> <p> Boolean. Indicates the object is durable </p> </td></tr><tr><td> <span class="command"><strong>routingkey</strong></span> </td><td> <p> String. Specifies routing key </p> </td></tr><tr><td> <span class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. Indicates whether or not the object gets deleted when the connection is closed </p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td > <span class="command"><strong>temporary</strong></span> </td><td> <p> > Boolean. Indicates the presence of an <em > class="parameter"><code>temporary</code></em> flag </p> </td></tr><tr><td> > <span class="command"><strong>type</strong></span> </td><td> <p> String. > Type of object, such as topic, fanout, or xml </p> </td></tr><tr><td> <span > class="command"><strong>alternate</strong></span> </td><td> <p> String. Name > of the alternate exchange </p> </td></tr><tr><td> <span > class="command"><strong>queuename</strong></span> </td><td> <p> String. Name > of the queue (used only when the object is something other than <em > class="parameter"><code>queue</code></em> </p> </td></tr><tr><td> <span > class="command"><strong>component</strong></span> </td><td> <p> String. 
JMX > component name</p> </td></tr><tr><td> <span > class="command"><strong>from_network</strong></span> </td><td> + </pre></div><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_permissions"></a><p class="title"><strong>Table 8.1. List of ACL permission</strong></p><div class="table-contents"><table border="1" summary="List of ACL permission"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>ALLOW</strong></span></td><td><p>Allow the action</p></td></tr><tr><td><span class="command"><strong>ALLOW-LOG</strong></span></td><td><p> Allow the action and log the action in the log </p></td></tr><tr><td><span class="command"><strong>DENY</strong></span></td><td><p> Deny the action</p></td></tr><tr><td><span class="command"><strong>DENY-LOG</strong></span></td><td><p> Deny the action and log the action in the log</p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_actions"></a><p class="title"><strong>Table 8.2. 
List of ACL actions</strong></p><div class="tab le-contents"><table border="1" summary="List of ACL actions"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Action</p></th><th><p>Description</p></th><th><p>Supported object types</p></th><th><p>Supported properties</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>CONSUME</strong></span> </td><td> <p> Applied when subscriptions are created </p> </td><td><p>QUEUE</p></td><td><p>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>PUBLISH</strong></span> </td><td> <p> Applied on a per message basis on publish message transfers</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingkey, immediate, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>CREATE</strong></span> </td><td> <p> Applied when an object is created, such as bindings, queues, exchanges</p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see prope rties on the corresponding object type</p></td></tr><tr><td> <span class="command"><strong>ACCESS</strong></span> </td><td> <p> Applied when an object is read or accessed</p> </td><td><p>VIRTUALHOST, MANAGEMENT</p></td><td><p>name (for VIRTUALHOST only)</p></td></tr><tr><td> <span class="command"><strong>BIND</strong></span> </td><td> <p> Applied when queues are bound to exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queuename, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>UNBIND</strong></span> </td><td> <p> Applied when queues are unbound from exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queuename, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>DELETE</strong></span> </td><td> <p> Applied when objects are deleted </p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see 
properties on the corresponding object type</p>< /td></tr><tr><td> <span class="command"><strong>PURGE</strong></span> </td><td> + <p>Applied when purge the contents of a queue</p> </td><td><p>QUEUE</p></td><td><p> </p></td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when an object is updated </p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see EXCHANGE and QUEUE properties</p></td></tr><tr><td> <span class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when an object is configured via REST management interfaces.</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr><tr><td><span class="command"><strong>ACCESS_LOGS</strong></span> </td><td><p>Allows/denies to the specific user an operation to download broker log file(s) over REST interfaces</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_objects"></a><p class="title"><strong>Table 8.3. 
List of ACL objects</strong></p ><div class="table-contents"><table border="1" summary="List of ACL >objects"><colgroup><col /><col /><col /><col >/></colgroup><thead><tr><th><p>Object >type</p></th><th><p>Description</p></th><th><p>Supported >actions</p></th><th><p>Supported >properties</p></th></tr></thead><tbody><tr><td> <span >class="command"><strong>VIRTUALHOSTNODE</strong></span> </td><td> <p>A >virtualhostnode or remote replication node</p> </td><td><p>ALL, CREATE, >UPDATE, DELETE</p> </td><td><p>name</p> </td></tr><tr><td> <span >class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A >virtualhost</p> </td><td><p>ALL, CREATE, UPDATE, DELETE, ACCESS</p> ></td><td><p>name</p> </td></tr><tr><td> <span >class="command"><strong>MANAGEMENT </strong></span> </td><td> <p>Management - >for web and JMX</p> </td><td><p>ALL, ACCESS</p> </td><td><p> ></p></td></tr><tr><td> <span class="command"><strong>QUEUE</strong></span> ></td><td> <p>A queue </p> </td><td><p>ALL, CREATE, DELETE, PURGE, CONSUME, >UPDATE</p></td><td><p>na me, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> </td><td><p>An exchange</p></td><td><p>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE</p></td><td><p>name, autodelete, temporary, durable, type, virtualhost_name, queuename(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</p></td></tr><tr><td> <span class="command"><strong>USER</strong></span> </td><td> <p>A user</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>GROUP</strong></span> </td><td> <p>A group</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>METHOD</strong></span> </td><td> <p>Management or agent or broker method</p> </td><td><p>ALL, ACCESS, UPDATE</p></td><td><p>name, component, 
virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>BR OKER</strong></span> </td><td> <p>The broker</p> </td><td><p>ALL, CONFIGURE, ACCESS_LOGS</p></td><td><p> </p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_properties"></a><p class="title"><strong>Table 8.4. List of ACL properties</strong></p><div class="table-contents"><table border="1" summary="List of ACL properties"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> </td><td> <p> String. Object name, such as a queue name, exchange name or JMX method name. </p> </td></tr><tr><td> <span class="command"><strong>durable</strong></span> </td><td> <p> Boolean. Indicates the object is durable </p> </td></tr><tr><td> <span class="command"><strong>routingkey</strong></span> </td><td> <p> String. Specifies routing key </p> </td></tr><tr><td> <span class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. Indicates whether or not the object gets deleted when the connection is closed </p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>temporary</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>temporary</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>type</strong></span> </td><td> <p> String. Type of object, such as topic, fanout, or xml </p> </td></tr><tr><td> <span class="command"><strong>alternate</strong></span> </td><td> <p> String. Name of the alternate exchange </p> </td></tr><tr><td> <span class="command"><strong>queuename</strong></span> </td><td> <p> String. 
Name of the queue (used only when the object is something other than <em class="parameter"><code>queue</code></em> </p> </td></tr><tr><td> <span class="command"><strong>component</strong></span> </td><td> <p> String. JMX component name</p> </td></tr><tr><td> <span class="command"><strong>from_network</strong></span> </td><td> <p> Comma-separated strings representing IPv4 address ranges. </p> 
@@ -232,12 +232,12 @@ <p> Boolean. A property can be used to restrict PUBLISH action to publishing only messages with given immediate flag. </p> - </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"></a><p class="title"><strong>Table 11.5. List of ACL JMX Components</strong></p><div class="table-contents"><table border="1" summary="List of ACL JMX Components"><colgroup><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>UserManagement</strong></span> </td><td> <p>User maintainance; create/delete/view users, change passwords etc</p> </td></tr><tr><td> <span class="command"><strong>ConfigurationManagement</strong></span> </td><td> <p>Dynammically reload configuration from disk.</p> </td></tr><tr><td> <span class="command"><strong>LoggingManagement</strong></span> </td><td> <p>Dynammically control Qpid logging level</p> </td></tr><tr><td> <span class="command"><strong>ServerInformation</strong></span> </td><td> <p>Read-only information regarding the Qpid: version number etc</p> </td></tr><tr><td> <sp an class="command"><strong>VirtualHost.Queue</strong></span> </td><td> <p>Queue maintainance; copy/move/purge/view etc</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.Exchange</strong></span> </td><td> <p>Exchange maintenance; bind/unbind queues to exchanges</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.VirtualHost</strong></span> </td><td> <p>Virtual host maintainace; create/delete exchanges, queues etc</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WorkedExamples"></a>11.3.3.  + </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"></a><p class="title"><strong>Table 8.5. 
List of ACL JMX Components</strong></p><div class="table-contents"><table border="1" summary="List of ACL JMX Components"><colgroup><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>UserManagement</strong></span> </td><td> <p>User maintenance; create/delete/view users, change passwords etc</p> </td></tr><tr><td> <span class="command"><strong>ConfigurationManagement</strong></span> </td><td> <p>Dynamically reload configuration from disk.</p> </td></tr><tr><td> <span class="command"><strong>LoggingManagement</strong></span> </td><td> <p>Dynamically control Qpid logging level</p> </td></tr><tr><td> <span class="command"><strong>ServerInformation</strong></span> </td><td> <p>Read-only information regarding the Qpid: version number etc</p> </td></tr><tr><td> <span c lass="command"><strong>VirtualHost.Queue</strong></span> </td><td> <p>Queue maintenance; copy/move/purge/view etc</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.Exchange</strong></span> </td><td> <p>Exchange maintenance; bind/unbind queues to exchanges</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.VirtualHost</strong></span> </td><td> <p>Virtual host maintenace; create/delete exchanges, queues etc</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WorkedExamples"></a>8.3.3.  Worked Examples </h3></div></div></div><p> Here are some example ACLs illustrating common use cases. In addition, note that the Java broker provides a complete example ACL file, located at etc/broker_example.acl. - </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample1"></a>11.3.3.1.  + </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample1"></a>8.3.3.1.  
Worked example 1 - Management rights </h4></div></div></div><p> Suppose you wish to permission two users: a user 'operator' must be able to perform all Management operations, and @@ -256,12 +256,12 @@ ACL ALLOW readonly ACCESS ALL ... # Explicitly deny all (log) to eveyone ACL DENY-LOG ALL ALL - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample2"></a>11.3.3.2.  + </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample2"></a>8.3.3.2.  Worked example 2 - User maintainer group </h4></div></div></div><p> Suppose you wish to restrict User Management operations to users belonging to a - <a class="link" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">group</a> 'usermaint'. No other user - is allowed to perform user maintainence This example illustrates the permissioning of an individual component. + <a class="link" href="Java-Broker-Security-Group-Providers.html" title="8.2. Group Providers">group</a> 'usermaint'. No other user + is allowed to perform user maintenance This example illustrates the permissioning of an individual component. </p><pre class="programlisting"> # Give usermaint access to management and permission to execute all JMX Methods on the # UserManagement MBean and perform all actions for USER objects @@ -274,7 +274,7 @@ ACL DENY ALL ALL USER ... rules for other users ... ACL DENY-LOG ALL ALL - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample3"></a>11.3.3.3.  + </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample3"></a>8.3.3.3.  Worked example 3 - Request/Response messaging </h4></div></div></div><p> Suppose you wish to permission a system using a request/response paradigm. Two users: 'client' publishes requests; 
@@ -305,7 +305,7 @@ ACL ALLOW server BIND EXCHANGE ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*" ACL DENY-LOG all all - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample4"></a>11.3.3.4.  + </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample4"></a>8.3.3.4.  Worked example 4 - firewall-like access control </h4></div></div></div><p> This example illustrates how to set up an ACL that restricts the IP addresses and hostnames 
@@ -336,18 +336,24 @@ ACL DENY-LOG messaging-users ACCESS VIRT from_network="192.169.1.*,192.169.2.*" ACL DENY-LOG all all - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample5"></a>11.3.3.5.  + </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample5"></a>8.3.3.5.  Worked example 5 - REST management ACL example </h4></div></div></div><p> This example illustrates how to set up an ACL that restricts usage of REST management interfaces. </p><pre class="programlisting"> # allow to the users from webadmins group to change broker model # this rule allows adding/removing/editing of Broker level objects: -# Broker, Virtual Host, Group Provider, Authentication Provider, Port, Access Control Provider etc +# Broker, Group Provider, Authentication Provider, Port, Access Control Provider etc ACL ALLOW-LOG webadmins CONFIGURE BROKER # allow to the users from webadmins group to perform -# create/update/delete on Virtual Host children +# create/update/delete on virtualhost node and children +ACL ALLOW-LOG webadmins CREATE VIRTUALHOSTNODE +ACL ALLOW-LOG webadmins UPDATE VIRTUALHOSTNODE +ACL ALLOW-LOG webadmins DELETE VIRTUALHOSTNODE +ACL ALLOW-LOG webadmins CREATE VIRTUALHOST +ACL ALLOW-LOG webadmins UPDATE VIRTUALHOST +ACL ALLOW-LOG webadmins DELETE VIRTUALHOST ACL ALLOW-LOG webadmins CREATE QUEUE ACL ALLOW-LOG webadmins UPDATE QUEUE ACL ALLOW-LOG webadmins DELETE QUEUE @@ -367,7 +373,7 @@ ACL ALLOW-LOG webadmins CREATE USER ACL ALLOW-LOG webadmins DELETE USER ACL ALLOW-LOG webadmins UPDATE USER -# allow to the users from webadmins group to move, copy and delete messagaes +# allow to the users from webadmins group to move, copy, delete messagaes, and clear the queue # using REST management interfaces ACL ALLOW-LOG webadmins UPDATE METHOD 
@@ -375,9 +381,10 @@ ACL ALLOW-LOG webadmins UPDATE METHOD #ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages" #ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages" #ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages" +#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="clearQueue" ACL DENY-LOG all all - </pre></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-SSL.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">11.2. Group Providers </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.4. SSL</td></tr></table></div></div> + </pre></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.2. Group Providers </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 8.4. Configuration Encryption</td></tr></table></div></div> <hr/>
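Review bot: the added line `#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="clearQueue"` is commented out like the three scoped rules above it, so the only active rule remains the unrestricted `ACL ALLOW-LOG webadmins UPDATE METHOD` from the preceding hunk, and the example therefore grants wider permission than its comment describes. Either make the four component/name-scoped rules the active ones and comment out the broad rule, or add a comment stating that the scoped lines are alternatives that narrow the grant, so a reader pasting this into a production ACL does not get an unintended catch-all.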
Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html?rev=1632181&view=auto ============================================================================== --- qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html (added) +++ qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html Wed Oct 15 21:29:55 2014 
@@ -0,0 +1,165 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>8.4. Configuration Encryption - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + </head> + <body> + <div id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="data:image/png;base64," alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="data:image/png;base64," alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a 
href="/download.html">Download</a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/discussion.html">Discussion</a></li> + <li><a href="/issues.html">Issues</a></li> + <li><a href="/source-code.html">Source Code</a></li> + <li><a href="/resources.html">More Resources</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/contributors.html">Contributors</a></li> + <li><a href="/get-involved.html">Get involved</a></li> + </ul> + </section> + + <section> + <h3>Software</h3> + + <ul> + <li><a href="/download.html">Download</a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/discussion.html">Discussion</a></li> + <li><a href="/issues.html">Issues</a></li> + <li><a href="/source-code.html">Source code</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + + <section> + <h3>More</h3> + + <ul> + <li><a href="/amqp.html">AMQP</a></li> + <li><a href="/developer.html">Developer central</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/">Wiki</a></li> + </ul> + </section> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <p><a href="/search.html">More ways to search</a></p> + </form> + </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/releases/index.html">Releases</a></li><li><a 
href="/releases/qpid-trunk/index.html">Qpid Trunk</a></li><li><a href="/releases/qpid-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>8.4. Configuration Encryption</li></ul> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.4. Configuration Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Configuration-Encryption"></a>8.4. Configuration Encryption</h2></div></div></div><p> The Broker is capable of encrypting passwords and other security items stored in the + Broker's configuration. This is means that items such as keystore/truststore passwords, JDBC + passwords, and LDAP passwords can be stored in the configure in a form that is difficult to + read.</p><p>The Broker ships with an encryptor implementation called <code class="literal">AESKeyFile</code>. This + uses a securely generated random key of 256bit<a class="footnote" href="#ftn.idp1757152" id="idp1757152"><sup class="footnote">[11]</sup></a> to encrypt the secrets stored within a key + file. Of course, the key itself must be guarded carefully, otherwise the passwords encrypted + with it may be compromised. 
For this reason, the Broker that the file's permissions allow the + file to be read exclusively by the user account used for running the Broker.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>If the keyfile is lost or corrupted, the secrets will be irrecoverable.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Configuration"></a>8.4.1. Configuration</h3></div></div></div><p>To use <code class="literal">AESKeyFile</code>, first stop the Broker, then edit the Broker's + configuration file ${QPID_WORK}/config.json. Insert a Broker attribute called + <code class="literal">confidentialConfigurationEncryptionProvider</code> with value + <code class="literal">AESKeyFile</code>. On restarting the Broker, it will generate a keyfile in + location <code class="literal">${QPID_WORK}/.keys/</code>. Any existing passwords contained with the + configuration will be automatically encrypted, as will any new or changed ones in + future.</p><div class="example"><a id="idp1762832"></a><p class="title"><strong>Example 8.2. Enanbling password encryption</strong></p><div class="example-contents"><pre class="screen"> + { + "id" : "3f183a59-abc3-40ad-8e14-0cac9de2cac4", + "name" : "${broker.name}", + "confidentialConfigurationEncryptionProvider" : "AESKeyFile", + .... + } + </pre></div></div><br class="example-break" /><p>Note that passwords stored by the Authentication Providers PlainPasswordFile and. + PlainPasswordFile + with the external password files are <span class="emphasis"><em>not</em></span> encrypted by the key. Use the + Scram Authentication Managers instead; these make use of the Configuration Encryption when + storing the users' passwords. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Alternate-Implementations"></a>8.4.2. 
Alternate Implementations</h3></div></div></div><p>If the <code class="literal">AESKeyFile</code> encryptor implementation does not meet the needs of + the user, perhaps owing to the security standards of their institution, the + <code class="literal">ConfigurationSecretEncrypter</code> interface is designed as an extension point. + Users may implement their own implementation of ConfigurationSecretEncrypter perhaps to employ + stronger encryption or delegating the storage of the key to an Enterprise Password Safe.</p></div><div class="footnotes"><br /><hr align="left" width="100" /><div class="footnote" id="ftn.idp1757152"><p><a class="para" href="#idp1757152"><sup class="para">[11] </sup></a>Java Cryptography Extension (JCE) + Unlimited Strength required</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.3. Access Control Lists </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> Chapter 9. 
Runtime</td></tr></table></div></div> + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="http://www.apache.org/security/">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="data:image/png;base64," alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2013 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </body> +</html> Modified: qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html?rev=1632181&r1=1632180&r2=1632181&view=diff ============================================================================== --- qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html (original) +++ qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html Wed Oct 15 21:29:55 2014 
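Review bot: in the new Configuration Encryption page the sentence "For this reason, the Broker that the file's permissions allow the file to be read exclusively by the user account used for running the Broker" is missing its verb, and it is the one security-relevant statement about the key file, so it should say what the Broker actually does (requires, checks or sets those permissions) rather than leave the reader guessing. Smaller fixes in the same file: "This is means that" should be "This means that"; "stored in the configure in a form" should be "stored in the configuration in a form"; "256bit" should be "256-bit"; the example title "Enanbling password encryption" should be "Enabling password encryption"; the note "Authentication Providers PlainPasswordFile and. PlainPasswordFile" names the same provider twice with a stray full stop and should name the second file-based provider it intends; and "Users may implement their own implementation of ConfigurationSecretEncrypter perhaps to employ stronger encryption or delegating the storage of the key" should read "Users may provide their own ConfigurationSecretEncrypter, for example to employ stronger encryption or to delegate storage of the key". The Important box ("If the keyfile is lost or corrupted, the secrets will be irrecoverable") would also benefit from a sentence on backing up `${QPID_WORK}/.keys/` under the same access restrictions, since the page tells readers the key must be guarded but not that it must also be preserved.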
@@ -21,7 +21,7 @@ --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> - <title>11.2. Group Providers - Apache Qpid™</title> + <title>8.2. Group Providers - Apache Qpid™</title> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> 
@@ -106,30 +106,23 @@ </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-trunk/index.html">Qpid Trunk</a></li><li><a href="/releases/qpid-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.2. Group Providers</li></ul> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.2. Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Group-Providers"></a>11.2. Group Providers</h2></div></div></div><p> - The Java broker utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-ACLs.html" title="11.3. Access Control Lists">ACLs</a>. - Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="11.1. Authentication Providers">Authentication Provider</a>, + <ul id="-path-navigation"><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-trunk/index.html">Qpid Trunk</a></li><li><a href="/releases/qpid-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>8.2. Group Providers</li></ul> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.2. Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><th align="center" width="60%">Chapter 8. 
Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Group-Providers"></a>8.2. Group Providers</h2></div></div></div><p> + The Java broker utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-ACLs.html" title="8.3. Access Control Lists">ACLs</a>. + Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1. Authentication Providers">Authentication Provider</a>, the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user. - </p><p>The <span class="emphasis"><em>Group Provider</em></span> can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API"> - REST Management interfaces</a> and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. 
Web Management Console">Web Management Console</a>.</p><p>The following <span class="emphasis"><em>Group Provider</em></span> managing operations are available from Web Management Console: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Group Provider can be added by clicking onto "Add Group Provider" button on a Broker tab.</p></li><li class="listitem"><p>An existing providers can be removed by pressing "Delete Group Provider" button - on Broker tab or Group Provider tab.</p></li><li class="listitem"><p>On clicking onto provider name in the Group Providers grid or Broker object tree, - the tab for the Group Provider is displayed.</p></li><li class="listitem"><p>A new group can be added into the Group Provider by clicking onto "Add Group" button on provider tab.</p></li><li class="listitem"><p>An existing group can be deleted from the Group Provider by clicking onto "Delete Group" button on provider tab.</p></li><li class="listitem"><p>On clicking onto group name in the groups grid, the tab with the list of existing - group members is displayed for the Group.</p></li><li class="listitem"><p>From the Group tab a new member can be added into a group or existing members can be deleted - from a group by clicking on "Add Group Member" or "Remove Group Members" accordingly.</p></li></ul></div><p> - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="File-Group-Manager"></a>11.2.1. GroupFile Provider</h3></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="File-Group-Manager"></a>8.2.1. GroupFile Provider</h3></div></div></div><p> The <span class="emphasis"><em>GroupFile</em></span> Provider allows specifying group membership in a flat file on disk. On adding a new GroupFile Provider the path to the groups file is required to be specified. If file does not exist an empty file is created automatically. 
On deletion of GroupFile Provider the groups file is deleted as well. Only one instance of "GroupFile" Provider per groups file location can be created. On attempt to create another GroupFile Provider pointing to the same location the error will be displayed and the creation will be aborted. - </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="File-Group-Manager-FileFormat"></a>11.2.1.1. File Format</h4></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="File-Group-Manager-FileFormat"></a>8.2.1.1. File Format</h4></div></div></div><p> The groups file has the following format: </p><pre class="programlisting"> - # <GroupName>.users = <comma deliminated user list> + # <GroupName>.users = <comma delimited user list> # For example: administrators.users = admin,manager 
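Review bot: this hunk removes the paragraph stating that Group Providers are configured through the REST Management interfaces and the Web Management Console together with the whole list of console operations (add/delete provider, add/delete group, add/remove members), and the remaining text no longer tells the reader how a Group Provider is created or where group membership is managed; keep at least a one-sentence pointer to the management interfaces, or to wherever that list now lives, so the section stays usable. The fix in the programlisting ("deliminated" to "delimited") is correct; while here, the unchanged context "If file does not exist an empty file is created automatically" would read better as "If the file does not exist, an empty file is created automatically".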
@@ -137,7 +130,7 @@ Only users can be added to a group currently, not other groups. Usernames can't contain commas. </p><p> Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface. - </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 11. Security </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.3. Access Control Lists</td></tr></table></div></div> + </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 8. Security </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 8.3. Access Control Lists</td></tr></table></div></div> <hr/> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org