Uploaded image for project: 'Qpid'
  1. Qpid
  2. QPID-4230

C++ Broker could use username substitution keyword strings in Acl rules

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.19
    • Fix Version/s: 0.19
    • Component/s: C++ Broker
    • Labels:
      None

      Description

      Acl processing in the broker could perform username substitution into Acl rules. This would provide an easy and flexible way to constrain users.

      1. Let the literal string ${user} be the keyword placed into Acl files.
      2. When expanded ${user} will become the full authenticated userId such as 'bob@QPID'. Note that simply using 'bob' leads to issues distinguishing between 'bob@QPID' and 'bob@EXAMPLE.COM'.
      3. Username keyword substitution is performed only on object names and in routing keys.

      Acl rule file examples:

      acl allow all create exchange name=temp-${user}
      acl allow all access exchange name=temp-${user}
      acl allow all bind exchange name=temp-${user}
      acl allow all unbind exchange name=temp-${user}
      acl allow all delete exchange name=temp-${user}
      acl allow all publish exchange name=temp-${user} routingkey=temp.${user}

      acl allow all create queue name=temp-${user}
      acl allow all access queue name=temp-${user}
      acl allow all purge queue name=temp-${user}
      acl allow all consume queue name=temp-${user}
      acl allow all delete queue name=temp-${user}

      Using a rule set like this would allow all users to create a private temp- exchange and a private temp- queue bound to their user names.

        Attachments

          Activity

            People

            • Assignee:
              chug Chuck Rolke
              Reporter:
              chug Chuck Rolke
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: