8.3.15. ACL Definition Examples
Most ACL files begin by defining groups:
group admin ted@QPID martin@QPID group user-consume martin@QPID ted@QPID group group2 kim@QPID user-consume rob@QPID group publisher group2 \ tom@QPID andrew@QPID debbie@QPID
Rules in an ACL file grant or deny specific permissions to users or groups:
acl allow carlt@QPID create exchange name=carl.* acl allow rob@QPID create queue acl allow guest@QPID bind exchange name=amq.topic routingkey=stocks.rht.# acl allow user-consume create queue name=tmp.* acl allow publisher publish all durable=false acl allow publisher create queue name=RequestQueue acl allow consumer consume queue durable=true acl allow fred@QPID create all acl allow bob@QPID all queue acl allow admin all acl allow all consume queue acl allow all bind exchange acl deny all all
In the previous example, the last line,
acl deny all all
, denies all authorizations that have not been specifically granted. This is the default, but it is useful to include it explicitly on the last line for the sake of clarity. If you want to grant all rights by default, you can specify acl allow all all
in the last line.
Do not allow
guest
to access and log QMF management methods that could cause security breaches:
group allUsers guest@QPID .... acl deny-log allUsers create link acl deny-log allUsers access method name=connect acl deny-log allUsers access method name=echo acl allow all all