[QPID-4230] C++ Broker could use username substitution keyword strings in Acl rules - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 0.19
Fix Version/s: 0.19
Component/s: C++ Broker
Labels:
None

Description

Acl processing in the broker could perform username substitution into Acl rules. This would provide an easy and flexible way to constrain users.

1. Let the literal string ${user} be the keyword placed into Acl files.
2. When expanded ${user} will become the full authenticated userId such as 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing between 'bob@QPID' and 'bob@EXAMPLE.COM'.
3. Username keyword substitution is performed only on object names and in routing keys.

Acl rule file examples:

acl allow all create exchange name=temp-${user}
acl allow all access exchange name=temp-${user}
acl allow all bind exchange name=temp-${user}
acl allow all unbind exchange name=temp-${user}
acl allow all delete exchange name=temp-${user}
acl allow all publish exchange name=temp-${user} routingkey=temp.${user}

acl allow all create queue name=temp-${user}
acl allow all access queue name=temp-${user}
acl allow all purge queue name=temp-${user}
acl allow all consume queue name=temp-${user}
acl allow all delete queue name=temp-${user}

Using a rule set like this would allow all users to create a private temp- exchange and a private temp- queue bound to their user names.

Attachments

Activity

People

Assignee:: Charles E. Rolke

Reporter:: Charles E. Rolke

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/Aug/12 14:50

Updated:: 29/Jul/13 19:06

Resolved:: 21/Aug/12 14:48