ActiveMQ(5.10.0) - Destination-level authorization

To build upon authentication, consider a use case requiring more fine-grained control over clients to authorize certain tasks. ActiveMQ provides two levels of authorization: operation-level authorization and message-level authorization. These two types of authorization provide a more detailed level of control than simple authentication. This section discusses these two types of authorization and walks through some examples to demonstrate each.

There are three types of user-level operations with JMS destinations:

  • Read — The ability to receive messages from the destination
  • Write — The ability to send messages to the destination
  • Admin — The ability to administer the destination

Through these well-known operations, you can control the ability to perform the operations. Using the ActiveMQ XML configuration file, such authorization can be easily defined. Take a look at the following listing to add some operation-specific authorization to some destinations.

...
<plugins>
    <plugins>
        <jaasAuthenticationPlugin configuration="activemq-domain"/>
    </plugins>    
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
                    <authorizationEntry queue="EXAMPLE.>" read="consumers" write="producers" admin="producers"/>
                    <authorizationEntry queue="EXAMPLE.HelloQueue" read="guests"/>
                    <authorizationEntry topic="ActiveMQ.Advisory.>" 
                        read="admins,producers,consumers,guests" 
                        write="admins,producers,consumers,guests" 
                        admin="admins,producers,consumers,guests"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>
...

In the listing, the JAAS authorization plug-in has been defined and pointed at the activemq-domain configuration in the login.config file. It has also been provided with a map of authorization entries. When configuring the map of authorization entries, the first task is to define the destination to be secured. This is achieved through the use of either a topic or a queue attribute on the entry. The next task is to declare which users and/or groups have privileges for operations on that destination.

A handy feature is the ability to define the destination value using wildcards. For example, EXAMPLE.> means the entry applies to all destinations in the EXAMPLE path recursively. Also, the authorization operations will accept either a single group or a comma-separated list of groups as a value.

Considering this explanation, the configuration used in the previous example can be translated as follows:

  • Users from the admins group have full access to all queues
  • Consumers can consume and producers can send messages to the destinations in the EXAMPLE path
  • Guests can only consume from the EXAMPLE.HelloQueue queue

 

posted on 2016-01-13 18:28  huey2672  阅读(342)  评论(0编辑  收藏  举报