Reported by pieterh (1241180394|%O ago)
Extended user groups
Currently, OpenAMQ defines two user groups ('super' and 'normal') which have hard-coded rights in the broker. Super users can, for example, connect to HA backup brokers to do monitoring.
The first change would be to allow the creation of arbitrary named user groups that have 'normal' status. Each user name profile would specify "super", "normal", or one of these custom user group names:
    <group name = "blue">
        ....
    </group>
    <security name = "plain">
        <user name = "blue001" password = "Os8Sg41" group = "blue" />
        <user name = "blue002" password = "JshU6S2" group = "blue" />
    </security>
Addition of namespaces
We define a 'namespace' as a string that prefixes exchange and queue names. A namespace always ends in a dot. OpenAMQ already implements a namespace "amq." which is reserved for configured resources (exchanges, in fact).
Custom groups would be configurable with these possible access rights, defined within a specific namespace:
- The right to create exchanges within the namespace (the "exchange" right)
- The right to publish to exchanges within the namespace (the "publish" right)
- The right to bind to exchanges within the namespace (the "subscribe" right)
- The right to create shared queues within the namespace (the "queue" right)
In each case, the right is either global, or defined within a specific namespace. The configuration would look like this:
    <group name = "blue">
        <namespace name = "blue." exchange = "1" queue = "1" publish = "1" subscribe = "0" />
        ...
    </group>
Some default rights exist:
- Any user that could create a resource can delete it.
- The owner of an exclusive resource can delete it.
- Any rights that are not specified default to "1".
- If no namespace rules are defined for a group, the default is a namespace with the same name (followed by a dot).
Thus the minimal configuration is to create and use groups, each of which has a private namespace that all members of the group can share as today they share the whole server.