Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
0.19
-
None
Description
Acl processing in the broker could perform username substitution into Acl rules. This would provide an easy and flexible way to constrain users.
1. Let the literal string ${user} be the keyword placed into Acl files.
2. When expanded ${user} will become the full authenticated userId such as 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing between 'bob@QPID' and 'bob@EXAMPLE.COM'.
3. Username keyword substitution is performed only on object names and in routing keys.
Acl rule file examples:
acl allow all create exchange name=temp-${user}
acl allow all access exchange name=temp-${user}
acl allow all bind exchange name=temp-${user}
acl allow all unbind exchange name=temp-${user}
acl allow all delete exchange name=temp-${user}
acl allow all publish exchange name=temp-${user} routingkey=temp.${user}
acl allow all create queue name=temp-${user}
acl allow all access queue name=temp-${user}
acl allow all purge queue name=temp-${user}
acl allow all consume queue name=temp-${user}
acl allow all delete queue name=temp-${user}
Using a rule set like this would allow all users to create a private temp- exchange and a private temp- queue bound to their user names.