ActiveMQ(5.10.0) - Destination-level authorization

To build upon authentication, consider a use case requiring more fine-grained control over clients to authorize certain tasks. ActiveMQ provides two levels of authorization: operation-level authorization and message-level authorization. These two types of authorization provide a more detailed level of control than simple authentication. This section discusses these two types of authorization and walks through some examples to demonstrate each.

There are three types of user-level operations with JMS destinations:

  • Read — The ability to receive messages from the destination
  • Write — The ability to send messages to the destination
  • Admin — The ability to administer the destination

By assigning groups to each of these three operations, you control who may read from, write to, or administer a given destination. Such authorization is defined in the ActiveMQ XML configuration file; the following listing adds operation-specific authorization to several destinations.

...
<plugins>
    <jaasAuthenticationPlugin configuration="activemq-domain"/>
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
                    <authorizationEntry queue="EXAMPLE.>" read="consumers" write="producers" admin="producers"/>
                    <authorizationEntry queue="EXAMPLE.HelloQueue" read="guests"/>
                    <authorizationEntry topic="ActiveMQ.Advisory.>"
                        read="admins,producers,consumers,guests"
                        write="admins,producers,consumers,guests"
                        admin="admins,producers,consumers,guests"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>
...

In the listing, the JAAS authentication plug-in has been defined and pointed at the activemq-domain configuration in the login.config file, and the authorization plug-in has been given a map of authorization entries. When configuring the map, the first task is to define the destination to be secured; this is done with either a topic or a queue attribute on the entry. The next task is to declare which groups have privileges for each operation on that destination.

A handy feature is the ability to define the destination value using wildcards. For example, EXAMPLE.> means the entry applies to all destinations in the EXAMPLE path recursively. Also, the authorization operations will accept either a single group or a comma-separated list of groups as a value.

Considering this explanation, the configuration used in the previous example can be translated as follows:

  • Users from the admins group have full access to all queues
  • Consumers can consume and producers can send messages to the destinations in the EXAMPLE path
  • Guests can only consume from the EXAMPLE.HelloQueue queue
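To see what a map like this actually grants before it reaches a broker, here is an added Python checker (my own code, not part of the original post or of ActiveMQ) that parses the entries from the listing above and answers whether a user in a given set of groups may perform an operation on a destination. It models my reading of ActiveMQ's DefaultAuthorizationMap, which is an assumption to verify against your broker version: every entry whose pattern matches the destination contributes, and the groups are unioned, so a guest's read on EXAMPLE.HelloQueue is granted alongside consumers and admins; `*` matches one name segment and `>` any trailing segments.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorizationEntries from the listing above,
# without the ActiveMQ namespace so the fragment parses stand-alone.
POLICY_XML = """
<authorizationEntries>
  <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
  <authorizationEntry queue="EXAMPLE.>" read="consumers" write="producers" admin="producers"/>
  <authorizationEntry queue="EXAMPLE.HelloQueue" read="guests"/>
  <authorizationEntry topic="ActiveMQ.Advisory.>"
      read="admins,producers,consumers,guests"
      write="admins,producers,consumers,guests"
      admin="admins,producers,consumers,guests"/>
</authorizationEntries>
"""

OPS = ("read", "write", "admin")

def parse_entries(xml_text):
    """Return [(kind, pattern, {op: set(groups)})] for every authorizationEntry."""
    entries = []
    for e in ET.fromstring(xml_text).iter("authorizationEntry"):
        kind = "queue" if "queue" in e.attrib else "topic"
        acls = {op: set(filter(None, e.get(op, "").replace(" ", "").split(",")))
                for op in OPS}
        entries.append((kind, e.get(kind), acls))
    return entries

def matches(pattern, name):
    """Destination wildcard match as modelled here: '*' = exactly one segment,
    '>' = the rest of the name (zero or more trailing segments)."""
    pat, segs = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return True
        if i >= len(segs) or (p != "*" and p != segs[i]):
            return False
    return len(segs) == len(pat)

def allowed_groups(entries, kind, name, op):
    """Union of the op's groups across every entry matching the destination."""
    groups = set()
    for k, pattern, acls in entries:
        if k == kind and matches(pattern, name):
            groups |= acls[op]
    return groups

def is_authorized(entries, kind, name, op, user_groups):
    """True if any of the user's groups is granted op on this destination."""
    return bool(allowed_groups(entries, kind, name, op) & set(user_groups))
```

Running the checker over the policy also shows why the advisory-topic entry is there: without it, a client in the guests group could read EXAMPLE.HelloQueue but would not be allowed to receive the ActiveMQ.Advisory.> messages the broker sends it.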
Time: 2024-11-04 23:16:03
