http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0e1f0cc4/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Message-Compression.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Message-Compression.html b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Message-Compression.html new file mode 100644 index 0000000..b32b758 --- /dev/null +++ b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Message-Compression.html @@ -0,0 +1,158 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>9.9. Message Compression - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/broker-j/index.html">Broker-J</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> + </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-7.0.0/index.html">Qpid Broker-J 7.0.0</a></li><li><a href="/releases/qpid-broker-j-7.0.0/book/index.html">Apache Qpid Broker-J</a></li><li>9.9. Message Compression</li></ul> + + <div id="-middle-content"> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">9.9. Message Compression</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Runtime-Background-Recovery.html">Prev</a> </td><th align="center" width="60%">Chapter 9. Runtime</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Connection-Limit.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Message-Compression"></a>9.9. Message Compression</h2></div></div></div><p>The Apache Qpid Broker-J supports<a class="footnote" href="#ftn.d0e6087" id="d0e6087"><sup class="footnote">[10]</sup></a> message compression. This feature works in co-operation with Qpid + Clients implementing the same feature.</p><p>Once the feature is enabled (using Broker context variable + <span class="emphasis"><em>broker.messageCompressionEnabled</em></span>), the Broker will advertise support for the + message compression feature to the client at connection time. This allows clients to opt to turn + on message compression, allowing message payload sizes to be reduced.</p><p>If the Broker has connections from clients who have message compression enabled and others who + do not, it will internally, on-the-fly, decompress compressed messages when sending to clients + without support and conversely, compress uncomressed messages when sending to clients who do.</p><p>The Broker has a threshold below which it will not consider compressing a message, this is + controlled by Broker content variable + (<code class="literal">connection.messageCompressionThresholdSize</code>) and expresses a size in bytes.</p><p>This feature <span class="emphasis"><em>may</em></span> have a beneficial effect on performance by:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Reducing the number of bytes transmitted over the wire, both between Client and Broker, and + in the HA case, Broker to Broker, for replication purposes.</p></li><li class="listitem"><p>Reducing storage space when data is at rest within the Broker, both on disk and in + memory.</p></li></ul></div><p>Of course, compression and decompression is computationally expensive. Turning on the feature + may have a negative impact on CPU utilization on Broker and/or Client. Also for small messages + payloads, message compression may increase the message size. It is recommended to test the feature + with representative data.</p><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e6087"><p><a class="para" href="#d0e6087"><sup class="para">[10] </sup></a>Message compression is not yet supported for the 1.0 + protocol.</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Runtime-Background-Recovery.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Runtime.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime-Connection-Limit.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">9.8. Background Recovery </td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 9.10. Connection Limits</td></tr></table></div></div> + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html>
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0e1f0cc4/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html new file mode 100644 index 0000000..84dbcaa --- /dev/null +++ b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html @@ -0,0 +1,203 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>9.3. Producer Transaction Timeout - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/broker-j/index.html">Broker-J</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> + </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-7.0.0/index.html">Qpid Broker-J 7.0.0</a></li><li><a href="/releases/qpid-broker-j-7.0.0/book/index.html">Apache Qpid Broker-J</a></li><li>9.3. Producer Transaction Timeout</li></ul> + + <div id="-middle-content"> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">9.3. Producer Transaction Timeout</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Runtime-Disk-Space-Management.html">Prev</a> </td><th align="center" width="60%">Chapter 9. Runtime</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout"></a>9.3. Producer Transaction Timeout</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-GeneralInformation"></a>9.3.1. General Information</h3></div></div></div><div class="note" style="margin-left: 0.5in; margi n-right: 0.5in;"><h3 class="title">Note</h3><p> + This feature is not implemented for producing applications using AMQP 1.0. If a long running transaction is suspected + examine the connection statistic <code class="literal">oldestTransactionStartTime</code> to confirm if this is the case. + </p></div><p> The transaction timeout mechanism is used to control broker resources when clients + producing messages using transactional sessions hang or otherwise become unresponsive, or simply + begin a transaction and keep using it without ever calling <a class="link" href="http://docs.oracle.com/javaee/6/api/javax/jms/Session.html#commit" target="_top">Session#commit()</a>.</p><p>Users can choose to configure an idleWarn or openWarn threshold, after which the identified + transaction should be logged as a WARN level alert as well as (more importantly) an idleClose or + openClose threshold after which the transaction and the connection it applies to will be + closed.</p><p>This feature is particularly useful in environments where the owner of the broker does not + have full control over the implementation of clients, such as in a shared services + deployment.</p><p>The following section provide more details on this feature and its use.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-Purpose"></a>9.3.2. Purpose</h3></div></div></div><p> This feature has been introduced to address the scenario where an open transaction on the + broker holds an open transaction on the persistent store. This can have undesirable consequences + if the store does not time out or close long-running transactions, such as with BDB. This can can + result in a rapid increase in disk usage size, bounded only by available space, due to growth of + the transaction log. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-Scope"></a>9.3.3. Scope</h3></div></div></div><p>Note that only <a class="link" href="http://docs.oracle.com/javaee/6/api/javax/jms/MessageProducer.html" target="_top">MessageProducer</a> clients will be affected by a transaction timeout, since store + transaction lifespan on a consumer only spans the execution of the call to Session#commit() and + there is no scope for a long-lived transaction to arise.</p><p>It is also important to note that the transaction timeout mechanism is purely a JMS + transaction timeout, and unrelated to any other timeouts in the Qpid client library and will have + no impact on any RDBMS your application may utilise.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-Effect"></a>9.3.4. Effect</h3></div></div></div><p>Full details of configuration options are provided in the sections that follow. This section + gives a brief overview of what the Transaction Timeout feature can do.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-Effect-Broker-Side"></a>9.3.4.1. Broker Logging and Connection Close</h4></div></div></div><p>When the openWarn or idleWarn specified threshold is exceeded, the broker will log a WARN + level alert with details of the connection and channel on which the threshold has been exceeded, + along with the age of the transaction.</p><p>When the openClose or idleClose specified threshold value is exceeded, the broker will + throw an exception back to the client connection via the <a class="link" href="http://docs.oracle.com/javaee/6/api/javax/jms/ExceptionListener.html" target="_top">ExceptionListener</a>, log the + action and then close the connection.</p><p>The example broker log output shown below is where the idleWarn threshold specified is + lower than the idleClose threshold and the broker therefore logs the idle transaction 3 times + before the close threshold is triggered and the connection closed out.</p><pre class="screen">CHN-1008 : Idle Transaction : 13,116 ms +CHN-1008 : Idle Transaction : 14,116 ms +CHN-1008 : Idle Transaction : 15,118 ms +CHN-1003 : Close + </pre><p>The second example broker log output shown below illustrates the same mechanism operating + on an open transaction.</p><pre class="screen"> +CHN-1007 : Open Transaction : 12,406 ms +CHN-1007 : Open Transaction : 13,406 ms +CHN-1007 : Open Transaction : 14,406 ms +CHN-1003 : Close + </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-Effect-Client-Side"></a>9.3.4.2. Client Side Effect</h4></div></div></div><p>After a Close threshold has been exceeded, the trigger client will receive this exception + on its <a class="link" href="http://docs.oracle.com/javaee/6/api/javax/jms/ExceptionListener.html" target="_top">exception + listener</a>, prior to being disconnected:</p><code class="computeroutput">org.apache.qpid.AMQConnectionClosedException: Error: Idle transaction timed out + [error code 506: resource error]</code><p>Any later attempt to use the connection will result in this exception being thrown:</p><pre class="screen">Producer: Caught an Exception: javax.jms.IllegalStateException: Object org.apache.qpid.client.AMQSession_0_8@129b0e1 has been closed + javax.jms.IllegalStateException: Object org.apache.qpid.client.AMQSession_0_8@129b0e1 has been closed + at org.apache.qpid.client.Closeable.checkNotClosed(Closeable.java:70) + at org.apache.qpid.client.AMQSession.checkNotClosed(AMQSession.java:555) + at org.apache.qpid.client.AMQSession.createBytesMessage(AMQSession.java:573) + </pre><p>Thus clients must be able to handle this case successfully, reconnecting where required and + registering an exception listener on all connections. This is critical, and must be communicated + to client applications by any broker owner switching on transaction timeouts.</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-Configuration"></a>9.3.5. Configuration</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-Configuration-Overview"></a>9.3.5.1. Configuration</h4></div></div></div><p>The transaction timeouts can be specified when a new virtualhost is created or an exiting + virtualhost is edited.</p><p>We would recommend that only warnings are configured at first, which should allow broker + administrators to obtain an idea of the distribution of transaction lengths on their systems, + and configure production settings appropriately for both warning and closure. Ideally + establishing thresholds should be achieved in a representative UAT environment, with clients and + broker running, prior to any production deployment.</p><p>It is impossible to give suggested values, due to the large variation in usage depending on + the applications using a broker. However, clearly transactions should not span the expected + lifetime of any client application as this would indicate a hung client.</p><p>When configuring warning and closure timeouts, it should be noted that these only apply to + message producers that are connected to the broker, but that a timeout will cause the connection + to be closed - this disconnecting all producers and consumers created on that connection.</p><p>This should not be an issue for environments using Mule or Spring, where connection + factories can be configured appropriately to manage a single MessageProducer object per JMS + Session and Connection. Clients that use the JMS API directly should be aware that sessions + managing both consumers and producers, or multiple producers, will be affected by a single + producer hanging or leaving a transaction idle or open, and closed, and must take appropriate + action to handle that scenario.</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Runtime-Disk-Space-Management.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Runtime.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">9.2. Disk Space Management </td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 9.4. Handing Undeliverable Messages</td></tr></table></div></div> + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0e1f0cc4/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime.html b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime.html new file mode 100644 index 0000000..7f5ad19 --- /dev/null +++ b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Runtime.html @@ -0,0 +1,240 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>Chapter 9. Runtime - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/broker-j/index.html">Broker-J</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> + </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-7.0.0/index.html">Qpid Broker-J 7.0.0</a></li><li><a href="/releases/qpid-broker-j-7.0.0/book/index.html">Apache Qpid Broker-J</a></li><li>Chapter 9. Runtime</li></ul> + + <div id="-middle-content"> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 9. Runtime</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Runtime"></a>Chapter 9. Runtime</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging">9.1. Logging</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Concepts">9.1.1. Concepts</a></span></dt><dt><span class="section" ><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Default-Configuration">9.1.2. > Default Configuration</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Loggers">9.1.3. >Loggers</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-InclusionRules">9.1.4. > Inclusion Rules</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Management">9.1.5. >Logging Management</a></span></dt></dl></dd><dt><span class="section"><a >href="Java-Broker-Runtime-Disk-Space-Management.html">9.2. Disk Space >Management</a></span></dt><dd><dl><dt><span class="section"><a >href="Java-Broker-Runtime-Disk-Space-Management.html#Java-Broker-Runtime-Disk-Space-Management-Producer-Flow-Control">9.2.1. > Disk quota-based flow control</a></span></dt></dl></dd><dt><span >class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html">9.3. Producer T ransaction Timeout</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-GeneralInformation">9.3.1. General Information</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Purpose">9.3.2. Purpose</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Scope">9.3.3. Scope</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Effect">9.3.4. Effect</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Configuration">9.3.5. Configuration</a></span></dt></dl></dd><dt><span class="section"><a hr ef="Java-Broker-Runtime-Handling-Undeliverable-Messages.html">9.4. Handing Undeliverable Messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Maximum-Delivery-Count">9.4.2. Maximum Delivery Count</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Dead-Letter-Queues">9.4.3. Alternate Binding</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html">9.5. Closing client connections on unroutable mandatory messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When -No-Route.html#Java-Broker-Runtime-Close-Connection-When-No-Route-Summary">9.5.1. Summary</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html#Java-Broker-Runtime-Close-Connection-When-No-Route-Configuration">9.5.2. Configuring + <span class="emphasis"><em>closeWhenNoRoute</em></span> + </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Flow-To-Disk.html">9.6. Flow to Disk</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Consumers.html">9.7. Consumers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Consumers.html#Java-Broker-Runtime-Consumers-Prioirty">9.7.1. Priority</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Background-Recovery.html">9.8. Background Recovery</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Message-Compression.html">9.9. Message Compression</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Connection-Limit.html">9.10. Connection Limits</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html">9.11. Memory</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Introduction">9.11.1. Introduction</a></spa n></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Types">9.11.2. Types of Memory</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Usage">9.11.3. Memory Usage in the Broker</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Low-Memory">9.11.4. Low Memory Conditions</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Defaults">9.11.5. Defaults</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Tuning">9.11.6. Memory Tuning the Broker</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Logging"></a>9.1. Logging</h2></div></div></div><p>This section describes the flexible logging capabilities of the Ap ache Qpid Broker-J.</p><p> + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The Broker is capable of sending logging events to a variety of destinations including + plain files, remote syslog daemons, and an in-memory buffer (viewable from Management). + The system is also open for extension meaning it is possible to produce a plugin to log to + a bespoke destination.</p></li><li class="listitem"><p>Logging can be dynamically configured at runtime. For instance, it is possible to + temporarily increase the logging verbosity of the system whilst a problem is investigated + and then revert later, all without the need to restart the Broker.</p></li><li class="listitem"><p>Virtualhosts can be configured to generate their own separate log, and the Broker is + capable of generating a log either inclusive or exclusive of virtualhost events.</p></li><li class="listitem"><p>Logs are accessible over Management, removing the need for those operating the Broker + to have shell level access.</p></li></ul></div><p> + </p><p>In the remainder of this section you will first find a description of the concepts used in + the logging subsystem. Next, you find a description of the default configuration. The section + then concludes with a in-depth description of the loggers themselves and how they may be + configured.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Concepts"></a>9.1.1. Concepts</h3></div></div></div><p>The logging subsystem uses two concepts:</p><p> + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A <span class="emphasis"><em>Logger</em></span> is responsible for production of a log. The Broker + ships a variety of loggers, for instance, a file logger, which is capable of writing a + log file to the file system, a Syslog Logger capable of writing to a remote syslog + daemon and console logger capable of writing to stdout or stderr.</p><p>Loggers are attached at two points within the Broker Model; the Broker itself and + the virtualhosts. Loggers attached at the Broker can capture log events for the system + as a whole, or can exclude events related to virtualhosts.</p><p>Loggers attached to a virtualhost capture log events relating to that virtualhost + only.</p><p>The Broker and virtualhosts can have zero or more Loggers. If no loggers are + configured, no logging is generated at all.</p></li><li class="listitem"><p><span class="emphasis"><em>Inclusion rules</em></span> govern what appears within a log. Inclusion + rules are associated with Loggers. This means it is possible for different Loggers to + have different contents.</p><p>A Logger with no inclusion rules will produce an empty log.</p></li></ul></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Default-Configuration"></a>9.1.2. Default Configuration</h3></div></div></div><p>The default configuration is designed to be suitable for use without change in small + production environments. It has the following characteristics:</p><p> + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The Broker generates a single log file <code class="literal">qpid.log</code>. This logfile is + rolled automatically when the file reaches 100MB. A maximum history of one file is + retained. On restart the the log will be appended to.</p><p>The log contains: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"><p>All operational logging events. See <a class="xref" href="Java-Broker-Appendix-Operation-Logging.html" title="Appendix C. Operational Logging">Appendix C, <em>Operational Logging</em></a>.</p></li><li class="listitem"><p>Log events from Qpid itself deemed informational or + higher.</p></li><li class="listitem"><p>Log events from Qpid's dependencies (such as Derby or Jetty) that are + deemed warning or higher.</p></li></ul></div><p> + </p><p>The default location for the log file is + <code class="literal">${QPID_WORK}/log/qpid.log</code>.</p></li><li class="listitem"><p>The Broker also caches the last 4096 log events in a memory cache. By default, the + memory logger logs the same things the file logger does.</p></li></ul></div><p> + </p><p>The configuration can be customised at runtime using Management. This makes it possible to + investigate unusual conditions <span class="emphasis"><em>without</em></span> the need to restart the Broker. + For instance, you may alter the logging level so that a verbose log is produced whilst an + investigation is in progress and revert the setting later, all without the need to restart the + Broker.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Loggers"></a>9.1.3. Loggers</h3></div></div></div><p>Loggers are responsible for the writing of a log. The log includes log events that match a + Logger's inclusion rules.</p><p>Loggers are associated with either the Broker or a virtualhost. Virtualhost loggers write + only log events related to that virtualhost. Broker Loggers write log events from the Broker + as a whole. Optionally a Broker Logger can be configured to exclude log events coming from + virtualhosts. These abilities can be usefully exploited together in managed service scenarios + to produce separate logs for separate user groups.</p><p>Loggers can be added or removed at runtime, without restarting the Broker. However changes + to a Logger's configuration such as filenames and rolling options don't take effect until the + next restart. Changes to a Logger's inclusion rules take effect immediately.</p><p>All loggers allow the log event layout to be customised. Loggers understand <a class="link" href="http://logback.qos.ch/manual/layouts.html#ClassicPatternLayout" target="_top"> Logback Classic + Pattern Layouts</a>. </p><p>The following sections describes each Logger implementation in detail.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-FileLogger"></a>9.1.3.1. FileLogger</h4></div></div></div><p>A <span class="emphasis"><em>FileLogger</em></span> - writes a log file to the filesystem. The name and + location of the log file, the rolling configuration, and compression options can be + configured.</p><p>The <span class="emphasis"><em>roll daily</em></span> option, if enabled, will cause the log file will be + rolled at midnight local time. The rolled over file will have a suffix in the form + <code class="literal">yyyy-mm-dd</code>. In roll daily mode, <span class="emphasis"><em>maximum number of rolled + files</em></span> controls the maximum number of <span class="emphasis"><em>days</em></span> to be retained. + Older files will be deleted.</p><p>The <span class="emphasis"><em>maximum file size</em></span> option limits the size of any one log file. + Once a log file reaches the given size, it will be rolled. The rolled over file will have + the numeric suffix, beginning at <code class="literal">1</code>. If the log file rolls again, first + the existing file with the suffix <code class="literal">.1</code> is renamed to <code class="literal">.2</code> + and so forth. If roll daily is not in use, <span class="emphasis"><em>maximum number of rolled + files</em></span> governs the number of rolled <span class="emphasis"><em>files</em></span> that will be + retained.</p><p><span class="emphasis"><em>Roll on restart</em></span> governs whether the log file is rolled when the + Broker is restarted. If not ticked, the Broker will append to the existing log file until it + needs to be rolled.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-ConsoleLogger"></a>9.1.3.2. ConsoleLogger</h4></div></div></div><p><span class="emphasis"><em>ConsoleLogger</em></span> - writes a log file standard out or standard + error.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-SyslogLogger"></a>9.1.3.3. SyslogLogger</h4></div></div></div><p><span class="emphasis"><em>SyslogLogger</em></span> - writes a log file to a syslog daemon using the + <code class="literal">USER</code> facility. The hostname and port number of the syslog daemon can be + configured.</p><p>Log entries can be prefixed with a string. This string defaults to include the word + <code class="literal">Qpid</code> and the name of the Broker or virtualhost. This serves to + distinguish the logging generated by this Qpid instance, from other Qpid instances, or other + applications using the <code class="literal">USER</code>.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-MemoryLogger"></a>9.1.3.4. MemoryLogger</h4></div></div></div><p><span class="emphasis"><em>MemoryLogger</em></span> - writes a log file to a circular in-memory buffer. By + default the circular buffer holds the last 4096 log events. The contents of the buffer can + be viewed via Management. See <a class="xref" href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Management-MemoryLogger" title="Figure 9.3. Viewing a memory logger">Figure 9.3, “Viewing a memory logger”</a></p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-InclusionRules"></a>9.1.4. Inclusion Rules</h3></div></div></div><p>A <span class="emphasis"><em>Logger</em></span> has one or more <span class="emphasis"><em>inclusion rules</em></span>. These + govern what appears in the log. A Logger with no inclusion rules will log nothing.</p><p>Inclusion rules can be added, removed or changed at runtime. Changes take place + immediately.</p><p> + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The <span class="emphasis"><em>Name And Level</em></span> inclusion rule accepts log events that match + a given <span class="emphasis"><em>log event source name</em></span> and have a level that equals or + exceeds the specified value.</p><p>The log event source name refers to the fully qualified class name from which the + event originates. These names permit a trailing wild card <code class="literal">.*</code>. For + instance a source name of <code class="literal">org.apache.qpid.*</code> will match all events + from classes in the package <code class="literal">org.apache.qpid</code> and any sub packages + beneath.</p><p>The <span class="emphasis"><em>Level</em></span> governs the level of the events that will be included + in the log. It may take one of the following values: ERROR, WARN, INFO, DEBUG, TRACE + where ERROR is considered the highest and TRACE the lowest. In addition, there are two + special values: OFF and ALL, the former excludes all log events whereas the latter will + include everything. When considering whether a logging event should be included in the + log, the logging event must have a level that matches that of the inclusion rule or be + higher, otherwise the log event will not appear in the log.</p></li></ul></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Management"></a>9.1.5. Logging Management</h3></div></div></div><p>The logging subsystem can be completely managed from the Web Management Console or the + REST API. You can: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Add, remove, or change the configuration of Loggers.</p></li><li class="listitem"><p>Add, remove, or change the Inclusion Rules.</p></li><li class="listitem"><p>For FileLoggers, download the log file and rolled log files associated with + the Logger.</p></li><li class="listitem"><p>For MemoryLoggers, view the last <code class="literal">n</code> log + events</p></li></ul></div><p> + </p><p> The figure that follows shows a FileLogger. The attributes area shows the configuration + of the Logger. The inclusion rule table shows the rules that are associated with the Logger. + The area towards the bottom of the tab allows the log files to be downloaded to the browser. + </p><div class="figure"><a id="Java-Broker-Runtime-Logging-Management-FileLogger"></a><p class="title"><strong>Figure 9.1. Viewing a file logger</strong></p><div class="figure-contents"><div class="mediaobject"><table border="0" style="cellpadding: 0; cellspacing: 0;" summary="manufactured viewport for HTML img" width="900"><tr><td><img alt="Viewing a file logger" src="images/Management-Web-Logging-FileLogger.png" width="900" /></td></tr></table></div></div></div><p><br class="figure-break" /> + </p><p> The figure below shows the editing of the level of an inclusion rule. </p><div class="figure"><a id="Java-Broker-Runtime-Logging-Management-InclusionRule"></a><p class="title"><strong>Figure 9.2. Editing an inclusion rule</strong></p><div class="figure-contents"><div class="mediaobject"><table border="0" style="cellpadding: 0; cellspacing: 0;" summary="manufactured viewport for HTML img" width="900"><tr><td><img alt="Editing an inclusion rule" src="images/Management-Web-Logging-InclusionRule.png" width="900" /></td></tr></table></div></div></div><p><br class="figure-break" /> + </p><p> The figure below shows a Memory Logger. Note that the Memory Logger provides access to + the cached message via the viewer towards the bottom on the tab. </p><div class="figure"><a id="Java-Broker-Runtime-Logging-Management-MemoryLogger"></a><p class="title"><strong>Figure 9.3. Viewing a memory logger</strong></p><div class="figure-contents"><div class="mediaobject"><table border="0" style="cellpadding: 0; cellspacing: 0;" summary="manufactured viewport for HTML img" width="900"><tr><td><img alt="Viewing a memory logger" src="images/Management-Web-Logging-MemoryLogger.png" width="900" /></td></tr></table></div></div></div><p><br class="figure-break" /> + </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.4. Configuration Encryption </td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 9.2. Disk Space Management</td></tr></table></div></div> + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/0e1f0cc4/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Security-AccessControlProviders.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Security-AccessControlProviders.html b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Security-AccessControlProviders.html new file mode 100644 index 0000000..f433406 --- /dev/null +++ b/content/releases/qpid-broker-j-7.0.0/book/Java-Broker-Security-AccessControlProviders.html @@ -0,0 +1,364 @@ +<!DOCTYPE html> +<!-- + - + - Licensed to the Apache Software Foundation (ASF) under one + - or more contributor license agreements. See the NOTICE file + - distributed with this work for additional information + - regarding copyright ownership. The ASF licenses this file + - to you under the Apache License, Version 2.0 (the + - "License"); you may not use this file except in compliance + - with the License. You may obtain a copy of the License at + - + - http://www.apache.org/licenses/LICENSE-2.0 + - + - Unless required by applicable law or agreed to in writing, + - software distributed under the License is distributed on an + - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + - KIND, either express or implied. See the License for the + - specific language governing permissions and limitations + - under the License. + - +--> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> + <head> + <title>8.3. Access Control Providers - Apache Qpid™</title> + <meta http-equiv="X-UA-Compatible" content="IE=edge"/> + <meta name="viewport" content="width=device-width, initial-scale=1.0"/> + <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> + <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> + <script type="text/javascript">var _deferredFunctions = [];</script> + <script type="text/javascript" src="/deferred.js" defer="defer"></script> + <!--[if lte IE 8]> + <link rel="stylesheet" href="/ie.css" type="text/css"/> + <script type="text/javascript" src="/html5shiv.js"></script> + <![endif]--> + + <!-- Redirects for `go get` and godoc.org --> + <meta name="go-import" + content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> + <meta name="go-source" + content="qpid.apache.org +https://github.com/apache/qpid-proton/blob/go1/README.md +https://github.com/apache/qpid-proton/tree/go1{/dir} +https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> + </head> + <body> + <div id="-content"> + <div id="-top" class="panel"> + <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> + + <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> + + <ul id="-global-navigation"> + <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> + <li><a href="/documentation.html">Documentation</a></li> + <li><a href="/download.html">Download</a></li> + <li><a href="/discussion.html">Discussion</a></li> + </ul> + </div> + + <div id="-menu" class="panel" style="display: none;"> + <div class="flex"> + <section> + <h3>Project</h3> + + <ul> + <li><a href="/overview.html">Overview</a></li> + <li><a href="/components/index.html">Components</a></li> + <li><a href="/releases/index.html">Releases</a></li> + </ul> + </section> + + <section> + <h3>Messaging APIs</h3> + + <ul> + <li><a href="/proton/index.html">Qpid Proton</a></li> + <li><a href="/components/jms/index.html">Qpid JMS</a></li> + <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> + </ul> + </section> + + <section> + <h3>Servers and tools</h3> + + <ul> + <li><a href="/components/broker-j/index.html">Broker-J</a></li> + <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> + <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> + </ul> + </section> + + <section> + <h3>Resources</h3> + + <ul> + <li><a href="/dashboard.html">Dashboard</a></li> + <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> + <li><a href="/resources.html">More resources</a></li> + </ul> + </section> + </div> + </div> + + <div id="-search" class="panel" style="display: none;"> + <form action="http://www.google.com/search" method="get"> + <input type="hidden" name="sitesearch" value="qpid.apache.org"/> + <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> + <button type="submit">Search</button> + <a href="/search.html">More ways to search</a> + </form> + </div> + + <div id="-middle" class="panel"> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-7.0.0/index.html">Qpid Broker-J 7.0.0</a></li><li><a href="/releases/qpid-broker-j-7.0.0/book/index.html">Apache Qpid Broker-J</a></li><li>8.3. Access Control Providers</li></ul> + + <div id="-middle-content"> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.3. Access Control Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-AccessControlProviders"></a>8.3. Access Control Providers</h2></div></div></div><p> + The Access Control Provider governs the actions that a user may perform. + </p><p>There are two points within the hierarchy that enforce access control: the Broker itself and at each Virtual + Host. When an access decision needs to be made, the nearest control point configured with a provider is consulted + for a decision. The example, when making a decision about the ability to say, consume from, a Queue, if the + Virtual Host is configured with Access Control Provider it is consulted. Unless a decision is made, the decision + is delegated to the Access Control Provider configured at the Broker. + </p><p>Access Control Providers are configured with a list of ACL rules. The rules determine to which objects + the user has access and what actions the user may perform on those objects. Rules are ordered and are considered + top to bottom. The first matching rule makes the access decision. + </p><p> + ACL rules may be written in terms of user or group names. A rule written in terms of a group name applies to the + user if he is a member of that group. Groups information is obtained from the + <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1. Authentication Providers">Authentication Providers</a> + and + <a class="link" href="Java-Broker-Security-Group-Providers.html" title="8.2. Group Providers">Group Providers</a>. Writing ACL in terms of groups is + recommended. + </p><p> + The Access Control Providers can be configured using + <a class="link" href="Java-Broker-Management-Channel-REST-API.html" title="6.3. REST API">REST Management interfaces</a> + and <a class="link" href="Java-Broker-Management-Channel-Web-Console.html" title="6.2. Web Management Console">Web Management Console</a>. + </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-AccessControlProviders-Types"></a>8.3.1. Types</h3></div></div></div><p>There are currently two types of Access Control Provider implementing ACL rules. + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>RulesBased</em></span> - a provider that stores the rules-set within + the Broker's or VirtualHost's configuration. When used with HA, the Virtualhost + rules automatically propagated to all nodes participating within the HA group.</p></li><li class="listitem"><p> + </p><p><span class="emphasis"><em>ACLFile</em></span> - an older provider that references an externally provided + ACL file (or data url). This provider is deprecated.</p><p> + </p></li></ul></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-AccessControlProviders-ACLRules"></a>8.3.2.  + ACL Rules + </h3></div></div></div><p> + An ACL rule-set is an ordered list of ACL rules.</p><p>An ACL rule comprises matching criteria that determines if a rule applies to a situation and a decision + outcome. The rule produces an outcome only if the all matching criteria are satisfied. + </p><p>Matching criteria is composed of an ACL object type (e.g. <code class="literal">QUEUE</code>), an ACL action + (e.g. <code class="literal">UPDATE</code>) and other properties that further refine if a match is made. These properties + restrict the match based on additional criteria such as name or IP address. ACL Object type <code class="literal">ALL</code> + matches any object. Likewise ACL Action <code class="literal">ALL</code> matches any action. + </p><p>Let's look at some examples.</p><pre class="programlisting"> + ACL ALLOW alice CREATE QUEUE # Grants alice permission to create all queues. + ACL DENY bob CREATE QUEUE name="myqueue" # Denies bob permission to create a queue called "myqueue" + </pre><p> + As discussed, the ACL rule-set is considered in order with the first matching rule taking precedence over all those + that follow. In the following example, if the user bob tries to create an exchange "myexch", the action + will be allowed by the first rule. The second rule will never be considered. + </p><pre class="programlisting"> + ACL ALLOW bob ALL EXCHANGE + ACL DENY bob CREATE EXCHANGE name="myexch" # Dead rule + </pre><p> + If the desire is to allow bob to create all exchanges except "myexch", order of the rules must be reversed: + </p><pre class="programlisting"> + ACL DENY bob CREATE EXCHANGE name="myexch" + ACL ALLOW bob ALL EXCHANGE + </pre><p> + If a rule-set fails to make a decision, the result is configurable. By default, the <code class="literal">RuleBased</code> + provider defers the decision allowing another provider further up the hierarchy to make a decision (i.e. allowing + the VirtualHost control point to delegate to the Broker). In the case of the ACLFile provider, by default, its + rule-set implicit have a rule denying all operations to all users. It is as if the rule-set ends with + <code class="literal">ACL DENY ALL ALL</code>. If no access control provider makes a decision the default is to + deny the action. + </p><p> + When writing a new ACL, a useful approach is to begin with an rule-set containing only + </p><pre class="programlisting">ACL DENY-LOG ALL ALL</pre><p> at the Broker control point which will cause the Broker to + deny all operations with details of the denial logged. Build up the ACL rule by rule, gradually working through + the use-cases of your system. Once the ACL is complete, consider switching the DENY-LOG actions to DENY. + </p><p> + ACL rules are very powerful: it is possible to write very granular rules specifying many broker objects and their + properties. Most projects probably won't need this degree of flexibility. A reasonable approach is to choose to apply permissions + at a certain level of abstractions and apply them consistently across the whole system. + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-AccessControlProviders-Syntax"></a>8.3.3.  + Syntax + </h3></div></div></div><p> + ACL rules follow this syntax: + </p><pre class="programlisting"> + ACL {permission} {<group-name>|<user-name>|ALL} {action|ALL} [object|ALL] [property="<property-value>"] + </pre><p> + Comments may be introduced with the hash (#) character and are ignored. Long lines can be broken with the slash (\) character. + </p><pre class="programlisting"> + # A comment + ACL ALLOW admin CREATE ALL # Also a comment + ACL DENY guest \ + ALL ALL # A broken line + </pre></div><div class="table"><a id="table-Java-Broker-Security-AccessControlProviders-Syntax_permissions"></a><p class="title"><strong>Table 8.1. List of ACL permission</strong></p><div class="table-contents"><table border="1" summary="List of ACL permission"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>ALLOW</strong></span></td><td><p>Allow the action</p></td></tr><tr><td><span class="command"><strong>ALLOW-LOG</strong></span></td><td><p> Allow the action and log the action in the log </p></td></tr><tr><td><span class="command"><strong>DENY</strong></span></td><td><p> Deny the action</p></td></tr><tr><td><span class="command"><strong>DENY-LOG</strong></span></td><td><p> Deny the action and log the action in the log</p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-AccessControlProviders-Syntax_actions"></a><p class="title"><strong>Table 8.2. List of ACL actions</strong></p><div class="table-contents"><table border="1" summary="List of ACL actions"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Action</p></th><th><p>Description</p></th><th><p>Supported object types</p></th><th><p>Supported properties</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>CONSUME</strong></span> </td><td> <p> Applied when subscriptions are created </p> </td><td><p>QUEUE</p></td><td><p>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>PUBLISH</strong></span> </td><td> <p> Applied on a per message basis on publish message transfers</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingkey, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>CREATE</strong></span> </td><td> <p> Applied when an object is created, such as bindings, queues, exchanges</p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP </p></td><td><p>see properties on the corresponding object type</p></td></tr><tr><td> <span class="command"><strong>ACCESS</strong></span> </td><td> <p> Applied when a connection is made for messaging or management</p> </td><td><p>VIRTUALHOST, MANAGEMENT</p></td><td><p>name (for VIRTUALHOST only)</p></td></tr><tr><td> <span class="command"><strong>BIND</strong></span> </td><td> <p> Applied when queues are bound to exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queue_name, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>UNBIND</strong></span> </td><td> <p> Applied when queues are unbound from exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queue_name, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>DELETE</strong></span> </td><td> <p> Applied when objects are deleted </p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see pr operties on the corresponding object type</p></td></tr><tr><td> <span class="command"><strong>PURGE</strong></span> </td><td> + <p>Applied when the contents of a queue is purged</p> </td><td><p>QUEUE</p></td><td><p> </p></td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when an object is updated </p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see EXCHANGE and QUEUE properties</p></td></tr><tr><td> <span class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when a Broker/Port/Authentication Provider/Access Control Provider/BrokerLogger is created/update/deleted.</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr><tr><td><span class="command"><strong>ACCESS_LOGS</strong></span> </td><td><p>Allows/denies the specific user to download log file(s).</p> </td><td><p>BROKER, VIRTUALHOST</p></td><td><p>name (for VIRTUALHOST only)</p></td></tr><tr><td><span class="command"><strong>SHUTDOWN</strong></span> </td><td><p>Allows/denies the specific user to shutdown the Broker.</p> </td><td><p>BROKER</p></td>< td><p /></td></tr><tr><td><span class="command"><strong>INVOKE</strong></span> </td><td><p>Allows/denies the specific user to invoke the named operation.</p> </td><td><p>BROKER, VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>method_name, name and virtualhost_name</p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-AccessControlProviders-Syntax_objects"></a><p class="title"><strong>Table 8.3. List of ACL objects</strong></p><div class="table-contents"><table border="1" summary="List of ACL objects"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Object type</p></th><th><p>Description</p></th><th><p>Supported actions</p></th><th><p>Supported properties</p></th><th><p>Allowed in Virtualhost ACLs?</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>VIRTUALHOSTNODE</strong></span> </td><td> <p>A virtualhostnode or remote replication node</p> </td><td> <p>ALL, CREATE, UPDATE, DELETE, INVOKE</p> </td><td><p>name</p> </td><td><p>No</p> </td></tr><tr><td> <span class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A virtualhost</p> </td><td><p>ALL, CREATE, UPDATE, DELETE, ACCESS, ACCESS_LOGS, INVOKE</p> </td><td><p>name</p> </td><td><p>No</p> </td></tr><tr><td> <span class="command"><strong>QUEUE</strong></span> </td><td> <p>A queue </p> </td><td><p>ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE, INVOKE</p></td><td><p>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td><td><p>Yes</p> </td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> </td><td><p>An exchange</p></td><td><p>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE, INVOKE</p></td><td><p>name, autodelete, temporary, durable, type, virtualhost_name, queue_name(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</p></td><td><p>Yes</p> </td></tr><tr><td> <span class="command"><stro ng>USER</strong></span> </td><td> <p>A user</p> </td><td><p>ALL, CREATE, DELETE, UPDATE, INVOKE</p></td><td><p>name</p></td><td><p>No</p> </td></tr><tr><td> <span class="command"><strong>GROUP</strong></span> </td><td> <p>A group</p> </td><td><p>ALL, CREATE, DELETE, UPDATE, INVOKE</p></td><td><p>name</p></td><td><p>No</p> </td></tr><tr><td> <span class="command"><strong>BROKER</strong></span> </td><td> <p>The broker</p> </td><td><p>ALL, CONFIGURE, ACCESS_LOGS, INVOKE</p></td><td><p /></td><td><p>No</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-AccessControlProviders-Syntax_properties"></a><p class="title"><strong>Table 8.4. List of ACL properties</strong></p><div class="table-contents"><table border="1" summary="List of ACL properties"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> </td><td> <p> String. Object name, such as a queue name or exchan ge name.</p> </td></tr><tr><td> <span class="command"><strong>durable</strong></span> </td><td> <p> Boolean. Indicates the object is durable </p> </td></tr><tr><td> <span class="command"><strong>routingkey</strong></span> </td><td> <p> String. Specifies routing key </p> </td></tr><tr><td> <span class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. Indicates whether or not the object gets deleted when the connection is closed </p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>temporary</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>temporary</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>type</strong></span> </td><td> <p> String. Type of object, such as topic, or fanout</p> </td></tr><tr><td> <span class=" command"><strong>alternate</strong></span> </td><td> <p> String. Name of the alternate exchange </p> </td></tr><tr><td> <span class="command"><strong>queue_name</strong></span> </td><td> <p> String. Name of the queue (used only when the object is EXCHANGE for BIND and UNBIND actions)</p> </td></tr><tr><td> <span class="command"><strong>component</strong></span> </td><td> <p> String. component name</p> </td></tr><tr><td> <span class="command"><strong>from_network</strong></span> </td><td> + <p> + Comma-separated strings representing IPv4 address ranges. + </p> + <p> + Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. + </p> + <p> + The rule matches if any of the address ranges match the IPv4 address of the messaging client. + The address ranges are specified using either Classless Inter-Domain Routing notation + (e.g. 192.168.1.0/24; see <a class="link" href="http://tools.ietf.org/html/rfc4632" target="_top">RFC 4632</a>) + or wildcards (e.g. 192.169.1.*). + </p> + </td></tr><tr><td> <span class="command"><strong>from_hostname</strong></span> </td><td> + <p> + Comma-separated strings representing hostnames, specified using Perl-style regular + expressions, e.g. .*\.example\.company\.com + </p> + <p> + Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. + </p> + <p> + The rule matches if any of the patterns match the hostname of the messaging client. + </p> + <p> + To look up the client's hostname, Qpid uses Java's DNS support, which internally caches its results. + </p> + <p> + You can modify the time-to-live of cached results using the *.ttl properties described on the + Java <a class="link" href="http://docs.oracle.com/javase/8/docs/technotes/guides/net/properties.html" target="_top">Networking + Properties</a> page. + </p> + <p> + For example, you can either set system property sun.net.inetaddr.ttl from the command line + (e.g. export QPID_OPTS="-Dsun.net.inetaddr.ttl=0") or networkaddress.cache.ttl in + $JAVA_HOME/lib/security/java.security. The latter is preferred because it is JVM + vendor-independent. + </p> + </td></tr><tr><td><span class="command"><strong>virtualhost_name</strong></span></td><td> + <p> + String. A name of virtual host to which the rule is applied. + </p> + </td></tr><tr><td><span class="command"><strong>method_name</strong></span></td><td> + <p> + String. The name of the method. A trailing wildcard (*) is permitted. Used with INVOKE ACL action. + </p> + </td></tr><tr><td><span class="command"><strong>attribute_names</strong></span></td><td> + <p> + Specifies attribute name criteria. Used by UPDATE ACL actions only. Rules with this criteria will match + if and only if the set of attributes being updated Comma separated list of attribute names . This criteria + will match if all attributes included within the update appear in the set described by + <code class="literal">attribute_names</code>. + </p> + </td></tr></tbody></table></div></div><br class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-AccessControlProviders-WorkedExamples"></a>8.3.4.  + Worked Examples + </h3></div></div></div><p> + Here are some example ACLs illustrating common use cases. + </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-AccessControlProviders-WorkedExample1"></a>8.3.4.1.  + Worked example 1 - Management rights + </h4></div></div></div><p> + Suppose you wish to permission two users: a user <code class="literal">operator</code> must be able to perform all + Management operations, and a user 'readonly' must be enable to perform only read-only actions. Neither + <code class="literal">operator</code> nor <code class="literal">readonly</code> should be allowed to connect clients for + messaging. + </p><div class="example"><a id="d0e5292"></a><p class="title"><strong>Example 8.1. Worked example 1 - Management rights</strong></p><div class="example-contents"><pre class="programlisting"> + # Deny operator/readonly permission to connect for messaging. + ACL DENY-LOG operator ACCESS VIRTUALHOST + ACL DENY-LOG readonly ACCESS VIRTUALHOST + # Give operator permission to perfom all actions + ACL ALLOW operator ALL ALL + # Give readonly access permission to virtualhost. (Read permission for all objects implicit) + ACL ALLOW readonly ACCESS MANAGEMENT + ... + ... rules for other users + ... + </pre></div></div><br class="example-break" /></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-AccessControlProviders-WorkedExample2"></a>8.3.4.2.  + Worked example 2 - Simple Messaging + </h4></div></div></div><p> + Suppose you wish to permission a system for application messaging. User <code class="literal">publisher</code> + needs permission to publish to <code class="literal">appqueue</code> and consumer needs permission to consume + from the same queue object. We also want <code class="literal">operator</code> to be able to inspect messages + and delete messages in case of the need to intervene. This example assumes that the queue exists on + the Broker. + </p><p> + We use this ACL to illustrate separate Broker and Virtualhost access control providers. + </p><p> + The following ACL rules are given to the Broker. + </p><div class="example"><a id="d0e5315"></a><p class="title"><strong>Example 8.2. Worked example 2 - Simple Messaging - Broker ACL rules</strong></p><div class="example-contents"><pre class="programlisting"> +# This gives the operate permission to delete messages on all queues on all virtualhost +ACL ALLOW operator ACCESS MANAGEMENT +ACL ALLOW operator INVOKE QUEUE method_name="deleteMessages" +ACL ALLOW operator INVOKE QUEUE method_name="getMessage*" + </pre></div></div><br class="example-break" /><p> + And the following ACL rule-set is applied to the Virtualhost. The default outcome of the + Access Control Provider must be <code class="literal">DEFERED</code>. This means that if a request for + access is made for which there are no matching rules, the decision will be deferred to the + Broker so it can make a decision instead. + </p><div class="example"><a id="d0e5325"></a><p class="title"><strong>Example 8.3. Worked example 2 - Simple Messaging - Virtualhost ACL rules</strong></p><div class="example-contents"><pre class="programlisting"> +# Configure the rule-set to DEFER decisions that have no matching rules. +CONFIG DEFAULTDEFER=TRUE +# Allow client and server to connect to the virtual host. +ACL ALLOW publisher ACCESS VIRTUALHOST +ACL ALLOW consumer ACCESS VIRTUALHOST + +ACL ALLOW publisher PUBLISH EXCHANGE name="" routingKey="appqueue" +ACL ALLOW consumer CONSUME QUEUE name="appqueue" +# In some addressing configurations, the Qpid JMS AMQP 0-x client, will declare the queue as a side effect of creating the consumer. +# The following line allows for this. For the Qpid JMS AMQP 1.0 client, this is not required. +ACL ALLOW consumer CREATE QUEUE name="appqueue" + </pre></div></div><br class="example-break" /></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-AccessControlProviders-WorkedExample3"></a>8.3.4.3.  + Worked example 3 - firewall-like access control + </h4></div></div></div><p> + This example illustrates how to set up an ACL that restricts the IP addresses and hostnames + of messaging clients that can access a virtual host. + </p><div class="example"><a id="d0e5335"></a><p class="title"><strong>Example 8.4. Worked example 3 - firewall-like access control</strong></p><div class="example-contents"><pre class="programlisting"> + ################ + # Hostname rules + ################ + + # Allow messaging clients from company1.com and company1.co.uk to connect + ACL ALLOW all ACCESS VIRTUALHOST from_hostname=".*\.company1\.com,.*\.company1\.co\.uk" + + # Deny messaging clients from hosts within the dev subdomain + ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.dev\.company1\.com" + + ################## + # IP address rules + ################## + + # Deny access to all users in the IP ranges 192.168.1.0-192.168.1.255 and 192.168.2.0-192.168.2.255, + # using the notation specified in RFC 4632, "Classless Inter-domain Routing (CIDR)" + ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ + from_network="192.168.1.0/24,192.168.2.0/24" + + # Deny access to all users in the IP ranges 192.169.1.0-192.169.1.255 and 192.169.2.0-192.169.2.255, + # using wildcard notation. + ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ + from_network="192.169.1.*,192.169.2.*" + </pre></div></div><br class="example-break" /></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.2. Group Providers </td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 8.4. Configuration Encryption</td></tr></table></div></div> + + <hr/> + + <ul id="-apache-navigation"> + <li><a href="http://www.apache.org/">Apache</a></li> + <li><a href="http://www.apache.org/licenses/">License</a></li> + <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> + <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> + <li><a href="/security.html">Security</a></li> + <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> + </ul> + + <p id="-legal"> + Apache Qpid, Messaging built on AMQP; Copyright © 2015 + The Apache Software Foundation; Licensed under + the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache + License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, + Proton, Apache, the Apache feather logo, and the Apache Qpid + project logo are trademarks of The Apache Software + Foundation; All other marks mentioned may be trademarks or + registered trademarks of their respective owners + </p> + </div> + </div> + </div> + </body> +</html> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org