8.3.6. ACL Syntax
ACL rules must be on a single line and follow this syntax:
acl permission {<group-name>|<user-name>|"all"} {action|"all"} [object|"all"] [property=<property-value>]
In ACL files, the following syntactic conventions apply:
- The default (anonymous) exchange is identified using name=amq.default.
- A line starting with the # character is considered a comment and is ignored.
- Empty lines and lines that contain only whitespace are ignored.
- All tokens are case sensitive. name1 is not the same as Name1 and create is not the same as CREATE.
- Group lists can be extended to the following line by terminating the line with the \ character.
- Additional whitespace - that is, where there is more than one whitespace character - between and after tokens is ignored. Group and ACL definitions must start with either group or acl and with no preceding whitespace.
- All ACL rules are limited to a single line.
- Rules are interpreted from the top of the file down until a name match is obtained, at which point processing stops.
- The keyword all matches all individuals, groups and actions.
- The last line of the file - whether present or not - will be assumed to be acl deny all all. If present in the file, all lines below it are ignored.
- Names and group names may contain only a-z, A-Z, 0-9, - and _.
- Rules must be preceded by any group definitions they can use. Any name not defined as a group will be assumed to be that of an individual.
- Qpid fails to start if the ACL file is not valid.
- ACL rules can be reloaded at runtime by calling a QMF method.
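Several of these conventions fail quietly rather than loudly: a group defined after the rule that names it, or a rule placed below acl deny all all, still loads but does not grant what the author intended. The following linter is an added example, not part of the original documentation or of Qpid; lint_acl and the sample file are constructed here, and the name check uses the character set stated above.

```python
import re

NAME_OK = re.compile(r"[A-Za-z0-9_-]+\Z")  # character set stated in the conventions

def lint_acl(text):
    """Return (line_number, message) findings for an ACL file body."""
    findings, groups, seen_as_user = [], set(), {}
    terminated, pending = False, None       # pending = (first_line, text so far)
    for num, raw in enumerate(text.splitlines(), 1):
        if pending:                          # continuation of a line ending in '\'
            start, line = pending[0], pending[1] + " " + raw.strip()
        elif not raw.strip() or raw.startswith("#"):
            continue                         # blank line or comment
        else:
            start, line = num, raw
        pending = None
        if line.rstrip().endswith("\\"):
            pending = (start, line.rstrip()[:-1])
            continue
        tok = line.split()
        if terminated:
            findings.append((start, "ignored: below 'acl deny all all'"))
        elif line[0].isspace() or tok[0] not in ("group", "acl"):
            findings.append((start, "must start with 'group' or 'acl' at column 0"))
        elif tok[0] == "group":
            if tok[1:2] and tok[1] in seen_as_user:
                findings.append((seen_as_user[tok[1]], f"{tok[1]!r} is read as an "
                                 f"individual: group defined later, on line {start}"))
            groups.update(tok[1:2])
        else:                                # an acl rule: acl permission name ...
            name = tok[2] if len(tok) > 2 else "all"
            if name != "all" and not NAME_OK.match(name):
                findings.append((start, f"invalid character in name {name!r}"))
            elif name != "all" and name not in groups:
                seen_as_user.setdefault(name, start)
            terminated = tok == ["acl", "deny", "all", "all"]
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
group admins alice \\
      bob
acl allow ops create queue
group ops carol
Acl allow dave all
acl deny all all
acl allow guest all
"""
print(*lint_acl(SAMPLE), sep="\n")
```

On the sample it reports line 3 (ops is treated as an individual because the group is defined on line 4), line 5 (wrong-case keyword) and line 7 (below the terminating deny rule).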