9.13. ACL Lookup Query Methods
The ACL authorization interface can be queried with QMF methods.

The broker must be started with the ACL file to be queried, and that ACL file must contain enough permissions to allow the lookup operations themselves:

```
# Catch 22: allow anonymous to access the lookup debug functions
acl allow-log anonymous create queue
acl allow-log anonymous all exchange name=qmf.*
acl allow-log anonymous all exchange name=amq.direct
acl allow-log anonymous all exchange name=qpid.management
acl allow-log anonymous access method name=Lookup*
```
The QMF methods that query the ACL authorization interface are Lookup and LookupPublish. The Lookup method is a general query for an action, an object, and a set of properties. The LookupPublish method is a fastpath query optimized for per-message publish checks.

The result returned by either method is one of allow, deny, allow-log, or deny-log.
Method: Lookup

Table 9.3. Method: Lookup

Argument | Type | Direction |
---|---|---|
userId | long-string | I |
action | long-string | I |
object | long-string | I |
objectName | long-string | I |
propertyMap | field-table | I |
result | long-string | O |
Method: LookupPublish

Table 9.4. Method: LookupPublish

Argument | Type | Direction |
---|---|---|
userId | long-string | I |
exchangeName | long-string | I |
routingkey | long-string | I |
result | long-string | O |
Management Properties and Statistics

The following properties and statistics have been added to reflect the command-line settings in effect and to reflect ACL quota denial activity.

Table 9.5. Broker Management Quota Properties

Element | Type | Access | Description |
---|---|---|---|
maxConnections | uint16 | ReadOnly | Maximum allowed connections |

Table 9.6. ACL Management Interface

Element | Type | Access | Description |
---|---|---|---|
maxConnectionsPerIp | uint16 | ReadOnly | Maximum allowed connections |
maxConnectionsPerUser | uint16 | ReadOnly | Maximum allowed connections |
maxQueuesPerUser | uint16 | ReadOnly | Maximum allowed queues |
connectionDenyCount | uint64 | | Number of connections denied |
queueQuotaDenyCount | uint64 | | Number of queue creations denied |
Example

Procedure 9.1. ACL lookup example

To see a working example, follow these steps:

1. Start the broker with QPID_LOG_ENABLE=debug+:acl, using the sample ACL file acl-test-01-rules.acl reproduced below.
2. Run the Python script acl-test-01.py.
3. Review the output of the Python program and the broker log.
ACL file acl-test-01-rules.acl

```
# acl-test-rules-00.acl
# 27-march-2012

group admins moe@COMPANY.COM \
             larry@COMPANY.COM \
             curly@COMPANY.COM \
             shemp@COMPANY.COM

group auditors aaudit@COMPANY.COM baudit@COMPANY.COM caudit@COMPANY.COM \
               daudit@COMPANY.COM eaduit@COMPANY.COM eaudit@COMPANY.COM

group tatunghosts tatung01@COMPANY.COM \
                  tatung02/x86.build.company.com@COMPANY.COM \
                  tatung03/x86.build.company.com@COMPANY.COM \
                  tatung04/x86.build.company.com@COMPANY.COM \
                  HTTP/tatung-test1.eng.company.com@COMPANY.COM

group publishusers publish@COMPANY.COM x-pubs@COMPANY.COM

# Admins: This should be the *only* group which ever gets "all" access
# to anything. Everything/everyone else must not be as permissive
acl allow-log admins all all

# Catch 22: allow anonymous to access the lookup debug functions
acl allow-log anonymous create queue
acl allow-log anonymous all exchange name=qmf.*
acl allow-log anonymous all exchange name=amq.direct
acl allow-log anonymous all exchange name=qpid.management
acl allow-log anonymous access method name=Lookup*

acl allow all publish exchange name=''

# Auditors
acl allow-log auditors all exchange name=company.topic routingkey=private.audit.*

# Tatung
acl allow-log tatunghosts publish exchange name=company.topic routingkey=tatung.*
acl allow-log tatunghosts publish exchange name=company.direct routingkey=tatung-service-queue

# Publish
acl allow-log publishusers create queue
acl allow-log publishusers publish exchange name=qpid.management routingkey=broker
acl allow-log publishusers publish exchange name=qmf.default.topic routingkey=*
acl allow-log publishusers publish exchange name=qmf.default.direct routingkey=*

# Consumers - everyone
acl allow-log all bind exchange name=company.topic routingkey=tatung.*
acl allow-log all bind exchange name=company.direct routingkey=tatung-service-queue
acl allow-log all consume queue
acl allow-log all access exchange
acl allow-log all access queue
acl allow-log all create queue name=tmp.* durable=false autodelete=true exclusive=true policytype=ring

# All else is denied
acl deny-log all all
```
Python script acl-test-01.py

```python
# acl-test-00.py
# test driver for QPID-3918 lookup hooks.
#
# The broker is to use acl-test-00-rules.acl.
#
from __future__ import print_function   # same output under Python 2 and 3
import sys
from qmf.console import Session

totalLookups = 0
failLookups = 0
exitOnError = True

#
# Run a type 1 lookup
# This is the general lookup
#
def Lookup(acl, userName, action, aclObj, aclObjName, propMap, expectedResult=''):
    global totalLookups
    global failLookups
    totalLookups += 1
    result = acl.Lookup(userName, action, aclObj, aclObjName, propMap)
    suffix = ''
    if expectedResult != '':
        if result.result != expectedResult:
            failLookups += 1
            suffix = ', [ERROR: Expected ' + expectedResult + ']'
    if result.result is None:
        # no decision was returned; show the broker's explanatory text instead
        suffix = suffix + ', [' + result.text + ']'
    print('Lookup : [name:', userName, ', action: ', action, ', object: ', aclObj,
          ", objName: '", aclObjName, "', properties: ", propMap,
          '], [Result: ', result.result, ']', suffix)
    if exitOnError and failLookups > 0:
        sys.exit()

#
# Run a type 2 lookup
# This is a specific PUBLISH EXCHANGE ['user', 'exchangeName', 'routingKey'] lookup
#
def LookupPublish(acl, userName, exchName, keyName, expectedResult=''):
    global totalLookups
    global failLookups
    totalLookups += 1
    result = acl.LookupPublish(userName, exchName, keyName)
    suffix = ''
    if expectedResult != '':
        if result.result != expectedResult:
            failLookups += 1
            suffix = ', [ERROR: Expected ' + expectedResult + ']'
    if result.result is None:
        suffix = suffix + ', [' + result.text + ']'
    print('LookupPublish : [name:', userName,
          ", exchName: '", exchName, "', key: ", keyName,
          '], [Result: ', result.result, ']', suffix)
    if exitOnError and failLookups > 0:
        sys.exit()

#
# AllBut
#
# Given All names and some names we don't want,
# return the All list with the targets removed
#
def AllBut(allList, removeList):
    tmpList = allList[:]
    for item in removeList:
        try:
            tmpList.remove(item)
        except Exception as e:
            print("ERROR in AllBut() \nallList = %s \nremoveList = %s \nerror = %s "
                  % (allList, removeList, e))
    return tmpList

#
# Main
#
# Fire up a session and get the acl methods
#
sess = Session()
broker = sess.addBroker()      # no argument: connect to the default broker address (localhost)
acls = sess.getObjects(_class="acl", _package="org.apache.qpid.acl")
acl = acls[0]
# print(acl.getMethods())      # just to see the method names available

#
# define some group lists
#
g_admins = ['moe@COMPANY.COM',
            'larry@COMPANY.COM',
            'curly@COMPANY.COM',
            'shemp@COMPANY.COM']

g_auditors = ['aaudit@COMPANY.COM', 'baudit@COMPANY.COM', 'caudit@COMPANY.COM',
              'daudit@COMPANY.COM', 'eaduit@COMPANY.COM', 'eaudit@COMPANY.COM']

g_tatunghosts = ['tatung01@COMPANY.COM',
                 'tatung02/x86.build.company.com@COMPANY.COM',
                 'tatung03/x86.build.company.com@COMPANY.COM',
                 'tatung04/x86.build.company.com@COMPANY.COM',
                 'HTTP/tatung-test1.eng.company.com@COMPANY.COM']

g_publishusers = ['publish@COMPANY.COM', 'x-pubs@COMPANY.COM']

g_public = ['jpublic@COMPANY.COM', 'me@yahoo.com']

g_all = g_admins + g_auditors + g_tatunghosts + g_publishusers + g_public

action_all = ['consume', 'publish', 'create', 'access', 'bind', 'unbind', 'delete', 'purge', 'update']

#
# Run some tests
#
print('#')
print('# admin')
print('#')

for u in g_admins:
    Lookup(acl, u, "create", "queue", "anything", {"durable": "true"}, "allow-log")

print('#')
print('# auditors')
print('#')

uInTest = g_auditors + g_admins
uOutTest = AllBut(g_all, uInTest)

for u in uInTest:
    LookupPublish(acl, u, "company.topic", "private.audit.This", "allow-log")

for u in uInTest:
    for a in action_all:
        Lookup(acl, u, a, "exchange", "company.topic", {"routingkey": "private.audit.This"}, "allow-log")

for u in uOutTest:
    LookupPublish(acl, u, "company.topic", "private.audit.This", "deny-log")
    Lookup(acl, u, "bind", "exchange", "company.topic", {"routingkey": "private.audit.This"}, "deny-log")

print('#')
print('# tatungs')
print('#')

uInTest = g_admins + g_tatunghosts
uOutTest = AllBut(g_all, uInTest)

for u in uInTest:
    LookupPublish(acl, u, "company.topic", "tatung.this2", "allow-log")
    LookupPublish(acl, u, "company.direct", "tatung-service-queue", "allow-log")

for u in uOutTest:
    LookupPublish(acl, u, "company.topic", "tatung.this2", "deny-log")
    LookupPublish(acl, u, "company.direct", "tatung-service-queue", "deny-log")

for u in uOutTest:
    for a in ["bind", "access"]:
        Lookup(acl, u, a, "exchange", "company.topic", {"routingkey": "tatung.this2"}, "allow-log")
        Lookup(acl, u, a, "exchange", "company.direct", {"routingkey": "tatung-service-queue"}, "allow-log")

print('#')
print('# publishusers')
print('#')

uInTest = g_admins + g_publishusers
uOutTest = AllBut(g_all, uInTest)

for u in uInTest:
    LookupPublish(acl, u, "qpid.management", "broker", "allow-log")
    LookupPublish(acl, u, "qmf.default.topic", "this3", "allow-log")
    LookupPublish(acl, u, "qmf.default.direct", "this4", "allow-log")

for u in uOutTest:
    LookupPublish(acl, u, "qpid.management", "broker", "deny-log")
    LookupPublish(acl, u, "qmf.default.topic", "this3", "deny-log")
    LookupPublish(acl, u, "qmf.default.direct", "this4", "deny-log")

for u in uOutTest:
    for a in ["bind"]:
        Lookup(acl, u, a, "exchange", "qpid.management", {"routingkey": "broker"}, "deny-log")
        Lookup(acl, u, a, "exchange", "qmf.default.topic", {"routingkey": "this3"}, "deny-log")
        Lookup(acl, u, a, "exchange", "qmf.default.direct", {"routingkey": "this4"}, "deny-log")
    for a in ["access"]:
        Lookup(acl, u, a, "exchange", "qpid.management", {"routingkey": "broker"}, "allow-log")
        Lookup(acl, u, a, "exchange", "qmf.default.topic", {"routingkey": "this3"}, "allow-log")
        Lookup(acl, u, a, "exchange", "qmf.default.direct", {"routingkey": "this4"}, "allow-log")

#
# Report statistics
#
print('Total Lookups: ', totalLookups)
print('Failed Lookups: ', failLookups)

#
# Close the session
#
sess.close()
```
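As an added offline check, not code from the original page or from the Qpid project, the snippet below parses a constructed, abridged copy of the acl-test-01-rules.acl format shown above (group lines with backslash continuation; acl rules of permission, actor, action, object and a property list) and flags the two things that file's own comments insist on: an allow "all all" grant to anyone other than the admins group, and a file that does not close with a deny-all rule. Treating `#` as a comment start and the admin group name are assumptions.

```python
SAMPLE_ACL = """\
# constructed sample, abridged from the page's acl-test-01-rules.acl
group admins moe@COMPANY.COM \\
             larry@COMPANY.COM
group publishusers publish@COMPANY.COM x-pubs@COMPANY.COM
acl allow-log admins all all
acl allow-log anonymous create queue
acl allow-log anonymous access method name=Lookup*
acl allow all publish exchange name=''
acl allow-log publishusers publish exchange name=qpid.management routingkey=broker
acl deny-log all all
"""

def parse_acl(text):
    """Parse the group/acl line format shown above into (groups, rules)."""
    groups, rules, pending = {}, [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # assumption: '#' starts a comment
        if not line.strip():
            continue
        if line.endswith('\\'):                # a trailing backslash joins the next line
            pending.append(line[:-1])
            continue
        tokens = ' '.join(pending + [line]).split()
        pending = []
        if tokens[0] == 'group':
            groups[tokens[1]] = tokens[2:]
        elif tokens[0] == 'acl':
            props = {}
            for p in tokens[5:]:               # property list, e.g. name=qmf.* routingkey=broker
                k, v = p.split('=', 1)
                props[k] = v.strip("'")
            rules.append({'permission': tokens[1], 'actor': tokens[2], 'action': tokens[3],
                          'object': tokens[4] if len(tokens) > 4 else 'all', 'props': props})
    return groups, rules

def lint(rules, admin_group='admins'):
    """Flag allow 'all all' outside the admin group, and a file not ending in deny-all."""
    findings = []
    for r in rules:
        if (r['action'] == 'all' and r['object'] == 'all'
                and r['permission'].startswith('allow') and r['actor'] != admin_group):
            findings.append('all/all allow granted to %s' % r['actor'])
    last = rules[-1] if rules else None
    if not (last and last['permission'].startswith('deny')
            and last['actor'] == 'all' and last['action'] == 'all'):
        findings.append('no trailing deny-all rule')
    return findings
```

Running `lint(parse_acl(open('acl-test-01-rules.acl').read())[1])` on the full file above returns no findings; drop the final `acl deny-log all all` line and the linter reports the missing catch-all.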