8.3.14. User Name and Domain Name Symbol Substitution

MRG 3 supports a small set of user name and domain name substitution variables. These give administrators an easy way to define private or shared resources without writing a rule per user.
Symbol substitution is allowed in the ACL file anywhere that text is supplied for a property value.
For an authenticated user bob.user@QPID.COM the substitution keywords are expanded as shown in the following table.

Table 8.13. Keyword Expansion

Keyword          Expansion
${userdomain}    bob_user_QPID_COM
${user}          bob_user
${domain}        QPID_COM
The period "." and at sign "@" in the original name are translated into underscore "_". Because "." separates the fields of a routing key, this keeps each expanded value within a single field, so substitution works when a keyword is used in a routingkey in the ACL file.

Using Symbol Substitution and Wildcards in Routing Keys

The * symbol can be used as a wildcard that matches any number of characters within a single field of a routing key. For example:
acl allow user_group publish exchange name=users routingkey=${user}-delivery-*
The '#' symbol, when used in a routing key specification, substitutes for any number of dotted subject name fields. User and domain symbol substitutions can also be combined with the # wildcard symbol in routing keys, for example:
acl allow user_group bind exchange name=${user}-work2 routingkey=news.#.${user}

ACL Matching of Wildcards in Routing Keys

ACL processing matches ${userdomain} before matching either ${user} or ${domain}. In most circumstances ACL processing treats ${user}_${domain} and ${userdomain} as equivalent and the two forms may be used interchangeably. The exception is routing keys that are matched as wildcard patterns: there the combination ${user}_${domain} will never match, and the form ${userdomain} must be used instead.
For example, the following rule will never match, because the ACL processor looks for the routing key ${userdomain}.c:
acl allow all publish exchange name=X routingkey=${user}_${domain}.c

ACL Symbol Substitution Example

Administrators can set up ACL rule files that allow every user to create a private exchange, a private queue, and a private binding between them. In this example the users are also allowed to create private backup exchanges, queues and bindings. This limits each user's exchange, queue, and binding creation to resources carrying that user's own name and so gives each user exclusive access to them. Rule order matters, because the first rule that matches a request decides the outcome: each deny rule with alternate=* must precede the unqualified allow for the same name, otherwise that allow would also permit a create that names any other alternate exchange. Note also that the file ends with acl deny all all and contains no publish or consume rules, so as written it only demonstrates creation and binding; a usable deployment would need additional rules for publishing and consuming.
#
# Create primary queue and exchange:
acl allow all create  queue    name=${user}-work alternate=${user}-work2
acl deny  all create  queue    name=${user}-work alternate=*
acl allow all create  queue    name=${user}-work
acl allow all create  exchange name=${user}-work alternate=${user}-work2
acl deny  all create  exchange name=${user}-work alternate=*
acl allow all create  exchange name=${user}-work
#
# Create backup queue and exchange
#
acl deny  all create  queue    name=${user}-work2 alternate=*
acl allow all create  queue    name=${user}-work2
acl deny  all create  exchange name=${user}-work2 alternate=*
acl allow all create  exchange name=${user}-work2
#
# Bind/unbind primary exchange
#
acl allow all bind   exchange name=${user}-work routingkey=${user} queuename=${user}-work
acl allow all unbind exchange name=${user}-work routingkey=${user} queuename=${user}-work
#
# Bind/unbind backup exchange
#
acl allow all bind   exchange name=${user}-work2 routingkey=${user} queuename=${user}-work2
acl allow all unbind exchange name=${user}-work2 routingkey=${user} queuename=${user}-work2
#
# deny mode
#
acl deny all all
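The following script is an added example, not code from the MRG documentation or from the Qpid broker. It models the behaviour this section describes and serves both the wildcard and substitution discussion above and the rule file just shown: keyword expansion with "." and "@" translated to "_", the * and # routing-key wildcards, the precedence of ${userdomain} over ${user}_${domain} in wildcard matching, and first-match evaluation of a subset of the sample rule file. The user id bob.user@QPID.COM and the request values are constructed for the example. The reverse-substitution step used for routing keys, the handling of a user id without "@", the treatment of rule properties a request does not carry, and the restriction to "all" or a literal user name as the actor are assumptions chosen so that the model reproduces the outcomes the text states; they are not a description of the broker's internals.

```python
"""The ACL behaviour this section describes, modelled in Python: keyword
expansion, '*' / '#' wildcards, ${userdomain}-first matching, first-match
rule evaluation. Added example, not Qpid broker code."""
import re

# Constructed sample: a subset of the section's example rule file.
SAMPLE_ACL = """# Create primary queue
acl allow all create  queue    name=${user}-work alternate=${user}-work2
acl deny  all create  queue    name=${user}-work alternate=*
acl allow all create  queue    name=${user}-work
acl allow all bind   exchange name=${user}-work routingkey=${user} queuename=${user}-work
acl deny all all
"""

def expand_keywords(user_id):
    """bob.user@QPID.COM -> values for ${userdomain}, ${user}, ${domain}; '.'
    and '@' become '_'. Assumption: an id without '@' gets an empty ${domain}."""
    user, _, domain = user_id.partition("@")
    tr = str.maketrans(".@", "__")
    return {"${userdomain}": user_id.translate(tr),
            "${user}": user.translate(tr),
            "${domain}": domain.translate(tr)}

def substitute(text, user_id):
    """Expand keywords in a rule value, ${userdomain} before the others."""
    for kw, value in expand_keywords(user_id).items():
        text = text.replace(kw, value)
    return text

def reverse_substitute(key, user_id):
    """Fold the user's names in a request's routing key back into keywords,
    ${userdomain} first. Assumption: this is why ${user}_${domain} never matches."""
    for kw, value in expand_keywords(user_id).items():
        if value:                      # never replace the empty string
            key = key.replace(value, kw)
    return key

def topic_regex(pattern):
    """'*' matches any characters in one dotted field; '#' as a whole field
    matches zero or more whole fields."""
    fields = pattern.split(".")
    out = []
    for i, field in enumerate(fields):
        if field == "#":
            # alone, leading (dots trail each field) or trailing (dots lead)
            out.append(".*" if len(fields) == 1 else
                       r"(?:[^.]+\.)*" if i == 0 else r"(?:\.[^.]+)*")
        else:
            if i > 0 and not (i == 1 and fields[0] == "#"):
                out.append(r"\.")
            out.append(re.escape(field).replace(r"\*", r"[^.]*"))
    return re.compile("".join(out))

def routingkey_matches(rule_key, actual_key, user_id):
    """Wildcard-match a rule's routingkey against a request's routing key."""
    folded = reverse_substitute(actual_key, user_id)
    return topic_regex(rule_key).fullmatch(folded) is not None

def prop_matches(prop, want, have, user_id):
    """'*' matches any present value; routingkey is wildcard-matched; others exact."""
    if want == "*":
        return True
    if prop == "routingkey":
        return routingkey_matches(want, have, user_id)
    return substitute(want, user_id) == have

def parse_acl(text):
    """acl allow|deny <actor> <action> [<object> [prop=value ...]]"""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] != "acl" or tok[1] not in ("allow", "deny"):
            raise ValueError("unsupported line: " + line)
        obj = tok[4] if len(tok) > 4 else "all"
        props = dict(p.split("=", 1) for p in tok[5:])
        rules.append((tok[1], tok[2], tok[3], obj, props))
    return rules

def lookup(rules, user_id, action, obj, **request):
    """First matching rule wins, deny if none. Assumptions: actor is 'all' or
    a literal user id (no groups); a rule property absent from the request
    makes the rule not match."""
    for verdict, actor, r_action, r_obj, props in rules:
        if actor not in ("all", user_id):
            continue
        if r_action not in ("all", action) or r_obj not in ("all", obj):
            continue
        for prop, want in props.items():
            have = request.get(prop)
            if have is None or not prop_matches(prop, want, have, user_id):
                break
        else:
            return verdict
    return "deny"
```

Calling lookup(parse_acl(SAMPLE_ACL), "bob.user@QPID.COM", "create", "queue", name="bob_user-work", alternate="other") returns "deny" because the alternate=* deny is reached before the unqualified allow; moving that deny below the allow flips the result, which is the ordering point made for the rule file above. routingkey_matches("${user}_${domain}.c", "bob_user_QPID_COM.c", "bob.user@QPID.COM") returns False while the ${userdomain}.c form returns True, reproducing the never-matching rule from the previous subsection.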