qpid-dev mailing list archives

From Gordon Sim <g...@redhat.com>
Subject Re: ACLV2 : permissioning the default exchange
Date Tue, 29 Nov 2011 12:43:05 GMT
On 11/24/2011 11:38 AM, Keith W wrote:
> Some work here on QPID-3641 has provoked a discussion about the
> correct way to write ACLV2 rules to permission the default exchange.
> The ACLV2 documentation seems to say nothing on the subject.
>
> As the default exchange is internal to the Broker, effectively acting
> as a global registry for all queues with binds/unbinds managed within
> the broker, the user has no reason to write BIND, UNBIND, CREATE or
> DELETE rules for the internal exchange.
> However, the user may wish to write PUBLISH rules for default
> exchange.   How are these expressed?
>
> Suppose I wanted to stop guest publishing to the default exchange.
>
> The following won't work as it violates the BNF for ACLv (and is
> correctly rejected by both Brokers):
>
> ACL DENY guest PUBLISH EXCHANGE name=
>
> The best I can think of, within the restrictions of ACLV2 format, is to
> enumerate all named exchanges allowing, then add a deny all, but this
> seems very long-winded.
>
> ACL ALLOW guest PUBLISH EXCHANGE name=amq.direct
> ACL ALLOW guest PUBLISH EXCHANGE name=amq.topic
> ....
> ACL DENY guest PUBLISH EXCHANGE
>
> How is the CPP Broker handling this?  I took a look through the CPP
> tests and couldn't find anything illustrating how this would be done.

It appears it cannot handle it. If you try to specify '' or "" then that 
is taken as a literal rather than an empty string.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
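
The three rule forms discussed in this thread, run through a simplified model of rule matching. This is an added example, not part of either message and not Qpid broker code; parse_rule, decide and rejects are hypothetical names, and the model assumes first-match evaluation, deny when nothing matches, and that a rule without a name property matches every exchange, including the default exchange (whose name is the empty string).

```python
# Added illustration: a simplified model of ACLV2-style rule matching (not broker code).

def parse_rule(line):
    """Parse 'ACL <ALLOW|DENY> <user> <action> <object> [key=value ...]'."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "ACL" or tokens[1] not in ("ALLOW", "DENY"):
        raise ValueError(f"not an ACL rule: {line!r}")
    props = {}
    for tok in tokens[5:]:
        key, sep, value = tok.partition("=")
        if not (key and sep and value):
            # 'name=' carries no value, so the rule is rejected, as the thread reports
            raise ValueError(f"bad property {tok!r} in {line!r}")
        props[key] = value  # quotes are kept verbatim: name='' is a two-character literal
    return (tokens[1] == "ALLOW", tokens[2], tokens[3], tokens[4], props)

def decide(rules, user, action, obj, name):
    """Return True if permitted. Assumed: first match wins, no match means deny."""
    for permit, r_user, r_action, r_obj, props in rules:
        if (r_user, r_action, r_obj) != (user, action, obj):
            continue
        if "name" in props and props["name"] != name:
            continue
        return permit
    return False

def rejects(line):
    """True if the model's parser refuses the rule."""
    try:
        parse_rule(line)
    except ValueError:
        return True
    return False

# The enumerate-then-deny workaround, limited to the two exchanges named in the thread.
WORKAROUND = [parse_rule(l) for l in (
    "ACL ALLOW guest PUBLISH EXCHANGE name=amq.direct",
    "ACL ALLOW guest PUBLISH EXCHANGE name=amq.topic",
    "ACL DENY guest PUBLISH EXCHANGE",
)]

# Constructed rule set: a quoted empty name followed by a general allow.
QUOTED_ATTEMPT = [parse_rule(l) for l in (
    "ACL DENY guest PUBLISH EXCHANGE name=''",
    "ACL ALLOW guest PUBLISH EXCHANGE",
)]

if __name__ == "__main__":
    for name in ("amq.direct", "amq.topic", "", "amq.fanout"):  # "" is the default exchange
        print(repr(name), decide(WORKAROUND, "guest", "PUBLISH", "EXCHANGE", name))
```

In this model the workaround blocks the default exchange only as a side effect of denying every exchange that was not enumerated, and the quoted form leaves the default exchange open because the literal '' never equals the empty name.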

