首页 > 其他 > 详细

ActiveMQ(5.10.0) - Destination-level authorization

时间:2016-01-13 19:40:51      阅读:153      评论:0      收藏:0      [点我收藏+]

To build upon authentication, consider a use case requiring more fine-grained control over clients to authorize certain tasks. ActiveMQ provides two levels of authorization: operation-level authorization and message-level authorization. These two types of authorization provide a more detailed level of control than simple authentication. This section discusses these two types of authorization and walks through some examples to demonstrate each.

There are three types of user-level operations with JMS destinations:

  • Read — The ability to receive messages from the destination
  • Write — The ability to send messages to the destination
  • Admin — The ability to administer the destination

Through these well-known operations, you can control the ability to perform the operations. Using the ActiveMQ XML configuration file, such authorization can be easily defined. Take a look at the following listing to add some operation-specific authorization to some destinations.

...
<plugins>
    <plugins>
        <jaasAuthenticationPlugin configuration="activemq-domain"/>
    </plugins>    
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
                    <authorizationEntry queue="EXAMPLE.>" read="consumers" write="producers" admin="producers"/>
                    <authorizationEntry queue="EXAMPLE.HelloQueue" read="guests"/>
                    <authorizationEntry topic="ActiveMQ.Advisory.>" 
                        read="admins,producers,consumers,guests" 
                        write="admins,producers,consumers,guests" 
                        admin="admins,producers,consumers,guests"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>
...

In the listing, the JAAS authorization plug-in has been defined and pointed at the activemq-domain configuration in the login.config file. It has also been provided with a map of authorization entries. When configuring the map of authorization entries, the first task is to define the destination to be secured. This is achieved through the use of either a topic or a queue attribute on the entry. The next task is to declare which users and/or groups have privileges for operations on that destination.

A handy feature is the ability to define the destination value using wildcards. For example, EXAMPLE.> means the entry applies to all destinations in the EXAMPLE path recursively. Also, the authorization operations will accept either a single group or a comma-separated list of groups as a value.

Considering this explanation, the configuration used in the previous example can be translated as follows:

  • Users from the admins group have full access to all queues
  • Consumers can consume and producers can send messages to the destinations in the EXAMPLE path
  • Guests can only consume from the EXAMPLE.HelloQueue queue

 

ActiveMQ(5.10.0) - Destination-level authorization

原文:http://www.cnblogs.com/huey/p/5128133.html

(0)
(0)
   
举报
评论 一句话评论(0
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有
打开技术之扣,分享程序人生!