61 - Simple access rights model

Reported by pieterh (01 May 2009)

Extended user groups

Currently, OpenAMQ defines two user groups ('super' and 'normal') which have hard-coded rights in the broker. Super users can, for example, connect to HA backup brokers to do monitoring.

The first change would be to allow the creation of arbitrary named user groups that have 'normal' status. Each user name profile would specify "super", "normal", or one of these custom user group names:

    <group name = "blue">
        ....
    </group>
    <security name = "plain">
        <user name = "blue001"  password = "Os8Sg41"   group = "blue" />
        <user name = "blue002"  password = "JshU6S2"   group = "blue" />
    </security>

Addition of namespaces

We define a 'namespace' as a string that prefixes exchange and queue names. A namespace always ends in a dot. OpenAMQ already implements a namespace "amq." which is reserved for configured resources (exchanges, in fact).

Group rights

Custom groups would be configurable with these possible access rights, defined within a specific namespace:

  • The right to create exchanges within the namespace (the "exchange" right)
  • The right to publish to exchanges within the namespace (the "publish" right)
  • The right to bind to exchanges within the namespace (the "subscribe" right)
  • The right to create shared queues within the namespace (the "queue" right)

In each case, the right is either global, or defined within a specific namespace. The configuration would look like this:

    <group name = "blue">
        <namespace name = "blue." exchange = "1" queue = "1" publish = "1" subscribe = "0" />
        ...
    </group>

Some default rights exist:

  • Any user that could create a resource can delete it.
  • The owner of an exclusive resource can delete it.
  • Any rights that are not specified default to "1".
  • If no namespace rules are defined for a group, the default is a namespace with the same name (followed by a dot).

Thus the minimal configuration is to create and use groups, each of which has a private namespace that all members of the group can share as today they share the whole server.
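The following is an added example, not OpenAMQ code or part of the original proposal: a small evaluator for the proposed group and namespace rules, including both defaults (unspecified rights are "1"; a group with no rules gets a namespace named after itself). The `<config>` wrapper element, the "green" group, the placeholder passwords, the function names, and the choices to deny names outside every configured namespace and to let the longest matching prefix win are assumptions; the built-in 'super' and 'normal' groups are not modelled.

```python
import xml.etree.ElementTree as ET

RIGHTS = ("exchange", "queue", "publish", "subscribe")

# Constructed sample configuration in the format proposed above.
SAMPLE_CONFIG = """
<config>
    <group name = "blue">
        <namespace name = "blue." exchange = "1" queue = "1" publish = "1" subscribe = "0" />
    </group>
    <group name = "green" />
    <security name = "plain">
        <user name = "blue001"  password = "example-only" group = "blue" />
        <user name = "green001" password = "example-only" group = "green" />
    </security>
</config>
"""

def load_policy(xml_text):
    """Return ({user: group}, {group: {namespace: {right: bool}}})."""
    root = ET.fromstring(xml_text)
    groups = {}
    for g in root.iter("group"):
        rules = {}
        for ns in g.iter("namespace"):
            name = ns.get("name")
            if not name.endswith("."):
                raise ValueError(f"namespace {name!r} must end in a dot")
            # Rights that are not specified default to "1".
            rules[name] = {r: ns.get(r, "1") == "1" for r in RIGHTS}
        if not rules:
            # No namespace rules: default namespace is the group name plus a dot.
            rules[g.get("name") + "."] = {r: True for r in RIGHTS}
        groups[g.get("name")] = rules
    users = {u.get("name"): u.get("group") for u in root.iter("user")}
    return users, groups

def is_allowed(policy, user, right, resource):
    """Check one right for one exchange or queue name."""
    users, groups = policy
    rules = groups.get(users.get(user), {})
    # Assumption: longest matching prefix wins; no match means deny.
    matches = [ns for ns in rules if resource.startswith(ns)]
    if right not in RIGHTS or not matches:
        return False
    return rules[max(matches, key=len)][right]

POLICY = load_policy(SAMPLE_CONFIG)
```

Because a namespace always ends in a dot, a name such as "blueberry.x" does not fall inside "blue." and is denied to the blue group under the deny-by-default assumption.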
