8.3.5. Writing an Access Control List

  1. The user id in the ACL file is of the form <user-id>@<domain>. The Domain is configured via the SASL configuration for the broker, and the domain/realm for qpidd is set using --realm and default to 'QPID'.
  2. Each line in an ACL file grants or denies specific rights to a user.
    1. If the last line in an ACL file is acl deny all all, the ACL uses deny mode, and only those rights that are explicitly allowed are granted: 
      acl allow user@QPID all all
acl deny all all
      On this server, deny mode is the default. user@QPID can perform any action, but nobody else can.
    2. If the last line in an ACL file is acl allow all all, the ACL uses allow mode, and all rights are granted except those that are explicitly denied. 
      acl deny user@QPID all all
acl allow all all
      On this server, allow mode is the default. The ACL allows everyone else to perform any action, but denies user@QPID all permissions.
  3. ACL processing ends when one of the following lines is encountered: 
    acl allow all all

    acl deny all all
    Any lines after one of these statements will be ignored: 
    acl allow all all
acl deny user@QPID all all # This line is ignored !!!
  4. ACL syntax allows fine-grained access rights for specific actions: 
    acl allow carlt@QPID create exchange name=carl.*
acl allow fred@QPID create all
acl allow all consume queue
acl allow all bind exchange
acl deny all all
  5. An ACL file can define user groups, and assign permissions to them: 
    group admin ted@QPID martin@QPID
acl allow admin create all
acl deny all all
Report a bug