diff options
author | Robert Gemmell <robbie@apache.org> | 2012-08-03 15:38:44 +0000 |
---|---|---|
committer | Robert Gemmell <robbie@apache.org> | 2012-08-03 15:38:44 +0000 |
commit | 24429443745b108023722ea24ecde812f01377ac (patch) | |
tree | 3c006420e4024f54086c32b19a8acacdd3576293 | |
parent | ea4789318932d359cb4de57e0cd055bf5622d937 (diff) | |
download | qpid-python-24429443745b108023722ea24ecde812f01377ac.tar.gz |
QPID-4185: improve broker_example.acl to give more reasonable settings, replacing some ALLOW-LOG with ALLOW for read only operations and removing 'dead rule' example.
Applied patch from Philip Harvey <phil@philharveyonline.com> , Oleksandr Rudyy<orudyy@gmail.com> and myself.
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1369046 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | qpid/java/broker/etc/broker_example.acl | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/qpid/java/broker/etc/broker_example.acl b/qpid/java/broker/etc/broker_example.acl index 1f32f8463e..45a48bda09 100644 --- a/qpid/java/broker/etc/broker_example.acl +++ b/qpid/java/broker/etc/broker_example.acl @@ -18,6 +18,7 @@ # ### EXAMPLE ACL V2 FILE +### NOTE: Rules are considered from top to bottom, and the first matching rule governs the decision. ### DEFINE GROUPS ### @@ -27,30 +28,30 @@ GROUP messaging-users client server #Define a group for management web console users GROUP webadmins webadmin -### MANAGEMENT #### +### JMX MANAGEMENT #### # Allow everyone to perform read operations on the ServerInformation mbean # This is used for items such as querying the management API and broker release versions. -ACL ALLOW-LOG ALL ACCESS METHOD component="ServerInformation" +ACL ALLOW ALL ACCESS METHOD component="ServerInformation" -# Allow 'admin' all management operations +# Allow 'admin' all management operations. To reduce log file noise, only non-read-only operations are logged. +ACL ALLOW admin ACCESS METHOD ACL ALLOW-LOG admin ALL METHOD +# Allow 'guest' to view logger levels, and use getter methods on LoggingManagement +ACL ALLOW guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels" +ACL ALLOW guest ACCESS METHOD component="LoggingManagement" name="get*" + # Deny access to Shutdown, UserManagement, ConfigurationManagement and LoggingManagement for all other users -# You could grant specific users access to these beans by adding ALLOW-LOG rules above for them +# You could grant specific users access to these beans by adding rules above to allow them ACL DENY-LOG ALL ACCESS METHOD component="Shutdown" ACL DENY-LOG ALL ACCESS METHOD component="UserManagement" ACL DENY-LOG ALL ACCESS METHOD component="ConfigurationManagement" ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement" -# Allow 'guest' to view logger levels, and use getter methods on LoggingManagement -# These are examples of redundant rules! The DENY-LOG rule above will be invoked -# first and will deny the access to all methods of LoggingManagement for guest -ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels" -ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="get*" - -# Allow everyone to perform all read operations on the mbeans not listened in the DENY-LOG rules above -ACL ALLOW-LOG ALL ACCESS METHOD +# Allow everyone to perform all read operations (using ALLOW rather than ALLOW-LOG to reduce log file noise) +# on the mbeans not listed in the DENY rules above +ACL ALLOW ALL ACCESS METHOD ### MESSAGING ### |