Diffstat (limited to 'qpid/java/broker/etc/broker_example.acl')
-rw-r--r--qpid/java/broker/etc/broker_example.acl25
1 files changed, 21 insertions, 4 deletions
diff --git a/qpid/java/broker/etc/broker_example.acl b/qpid/java/broker/etc/broker_example.acl
index 93955bb7f9..aae4ee3162 100644
--- a/qpid/java/broker/etc/broker_example.acl
+++ b/qpid/java/broker/etc/broker_example.acl
@@ -24,15 +24,32 @@
#Define a 'messaging-users' group with users 'client' and 'server' in it
GROUP messaging-users client server
+
### MANAGEMENT ####
-#Allow 'guest' to perform read operations on the Serverinformation mbean and view logger levels
-ACL ALLOW-LOG guest ACCESS METHOD component="ServerInformation"
-ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels"
+# Allow everyone to perform read operations on the ServerInformation mbean
+# This is used for items such as querying the management API and broker release versions.
+ACL ALLOW-LOG ALL ACCESS METHOD component="ServerInformation"
-#Allow 'admin' all management operations
+# Allow 'admin' all management operations
ACL ALLOW-LOG admin ALL METHOD
+# Deny access to Shutdown, UserManagement, ConfigurationManagement and LoggingManagement for all other users
+# You could grant specific users access to these beans by adding ALLOW-LOG rules above for them
+ACL DENY-LOG ALL ACCESS METHOD component="Shutdown"
+ACL DENY-LOG ALL ACCESS METHOD component="UserManagement"
+ACL DENY-LOG ALL ACCESS METHOD component="ConfigurationManagement"
+ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement"
+
+# Allow 'guest' to view logger levels, and use getter methods on LoggingManagement
+# These are examples of redundant rules! The DENY-LOG rule above will be invoked
+# first and will deny the access to all methods of LoggingManagement for guest
+ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels"
+ACL ALLOW-LOG guest ACCESS METHOD component="LoggingManagement" name="get*"
+
+# Allow everyone to perform all read operations on the mbeans not listened in the DENY-LOG rules above
+ACL ALLOW-LOG ALL ACCESS METHOD
+
### MESSAGING ###
#Example permissions for request-response based messaging.
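Review bot: The catch-all `ACL ALLOW-LOG ALL ACCESS METHOD` that closes the management rules turns this example into a denylist: every mbean other than the four components named in the DENY-LOG lines is open to all users, including any component added to the broker later. Example files tend to be copied into deployments, so I would list the components meant to be readable by everyone as explicit ALLOW-LOG rules and close the section with a deny, e.g. `ACL DENY-LOG ALL ALL METHOD` (syntax inferred from the admin rule in this hunk; confirm against the ACL grammar). The two guest rules for LoggingManagement are, as their own comment says, never reached because the DENY-LOG rule matches first; moving them above the DENY-LOG block, or commenting them out, would stop the example from shipping grants that look effective but are not. In the last added comment, "not listened in" should read "not listed in".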