The micro broker uses a policy-based authorization scheme.
Policies are written in an access control language (ACL) that is expressed in XML. The ACL file is called micro-acl.xml and resides in the broker data directory. A default ACL file is created when a micro broker is created. Any changes to the file take effect when the broker starts or restarts. To use an existing ACL file with a new broker, first create the broker, then overwrite the generated default ACL file with the pre-written one, and finally start the new broker.
A detailed description of the ACL file is given in ACL document structure, following a more general description of its function and capability.
Micro broker client information
Micro broker clients supply a username and password, which are first used to authenticate the client. An authenticated username then becomes the subject name for the purposes of authorization and is evaluated against the micro broker's authorization file (micro-acl.xml) to see whether the client is permitted to perform the requested action.
Specifying access policies
The micro broker's ACL file contains one or more access policies. A policy is a set of rules defined for a specified target. A rule is the elementary unit from which policies are composed. A rule defines an effect for a given target; that is, it either allows or denies that target. A target defines a set consisting of subjects, resources, actions and environment.
Rule matching
The micro broker consults the ACL file to check whether a particular client that connects from a given network environment is allowed to perform a variety of operations.
Rule evaluation and the grouping of rules into policies
A policy is a set of rules that applies to a given target and defines how the rules are combined. A rule in a policy applies only if the target of the policy matches as well as the target of the rule.
ACL document structure
A micro broker ACL document is an XML document with a single top-level element that defines a policy-combination algorithm, permit-overrides, and a number of policy definitions.
Micro broker ACL example
This section contains a complete example of a simple micro broker ACL file:
Micro broker ACL samples
This section contains sample micro-acl.xml files that demonstrate how to accomplish a number of common access control schemes. They can be used either to replace the default file (with appropriate edits for your own user names) or as a 'cookbook', from which relevant sections can be cut and pasted to create your own set of policies.