8.3.5. Writing an Access Control List
- The user id in the ACL file is of the form <user-id>@<domain>. The domain is configured via the SASL configuration for the broker; for qpidd the domain (realm) is set with the --realm option and defaults to 'QPID'.
- Each line in an ACL file grants or denies specific rights to a user.
- If the last line in an ACL file is

    acl deny all all

  the ACL uses deny mode, and only those rights that are explicitly allowed are granted:

    acl allow user@QPID all all
    acl deny all all

  On this server, deny mode is the default: user@QPID can perform any action, but nobody else can.
- If the last line in an ACL file is

    acl allow all all

  the ACL uses allow mode, and all rights are granted except those that are explicitly denied:

    acl deny user@QPID all all
    acl allow all all

  On this server, allow mode is the default. The ACL allows everyone else to perform any action, but denies user@QPID all permissions.
- ACL processing ends when one of the following lines is encountered:

    acl allow all all
    acl deny all all

  Any lines after one of these statements will be ignored:

    acl allow all all
    acl deny user@QPID all all # This line is ignored !!!

  Rules are matched in file order, so a specific deny placed after a broader allow for the same user never takes effect either: put the exceptions first and the catch-all line last.
- ACL syntax allows fine-grained access rights for specific actions:

    acl allow carlt@QPID create exchange name=carl.*
    acl allow fred@QPID create all
    acl allow all consume queue
    acl allow all bind exchange
    acl deny all all

- An ACL file can define user groups, and assign permissions to them:

    group admin ted@QPID martin@QPID
    acl allow admin create all
    acl deny all all