Specifying access policies
Added by IBM on October 4, 2010
The micro broker's ACL file contains one or more access policies. A policy is a set of rules defined for a specified target. A rule is the elementary unit out of which policies are composed. A rule defines an effect for a given target: it either permits or denies that target. A target is the set of subjects, resources, actions and environment to which the rule applies.
These elements have the following meaning:
Wildcard matching process
- Topics - Two wildcards are supported, "+" and "#". Wildcard matching follows the same rules as MQTT publishing and subscribing: the single-level wildcard "+" may appear anywhere in the hierarchy, and more than once, but the multi-level wildcard "#", if used, must be the last character of the topic string. If a wildcarded subscription could match more topics than the ACL target allows, the subscription is refused as a whole. Concretely, it is refused if, at any position in the slash (/) delimited string, the subscription has a hash (#) where the ACL does not, or the subscription has a plus (+) where the ACL has neither a hash nor a plus. The whole subscription must be refused because it might otherwise fall partly inside and partly outside two conflicting rules. For example, take the 'nested' ACLs ACL1 = "stocks/#" and ACL2 = "stocks/US/+/tech/#". The subscription "stocks/US/NYC/#" matches ACL1 but not ACL2. If ACL1 were Permit, ACL2 were Deny and the combining algorithm were Deny Overrides, evaluating only the matching rules would permit the subscription. That is the wrong result: the subscription also reaches "stocks/US/NYC/tech/..." topics that ACL2 explicitly denies, which is why such a subscription must be refused rather than evaluated.
- Queues - Only one wildcard is allowed, "*". It may appear only once and it must be the last character of the queue name. A queue target matches a destination queue when the two names are identical up to the asterisk, that is, the part of the target before "*" is a prefix of the queue name. For example, the resource name "foo*" matches the destination queue names "foo", "foobar" and "foo.XYZ.123", but not "fo", "ABC.foo" or "ear-trumpet".
Typically, a policy consists of multiple rules. The targets of different rules may overlap, in which case several rules apply to the same request. A combining algorithm specifies how overlapping rules are evaluated. Two algorithms exist: permit-overrides and deny-overrides. With permit-overrides, a single matching permit results in permit, irrespective of any other matching rules that deny the same target. With deny-overrides, a single matching deny results in deny, irrespective of any other matching permits. Multiple policies are combined in the same way as rules.
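The following is an added, illustrative re-implementation of the three mechanisms described above (topic wildcard coverage, queue prefix wildcards, and the two combining algorithms). It is example code written for this page, not the micro broker's own source, and its function names, the rule format (a list of (target, effect) pairs) and the default-deny result when no rule applies are assumptions; the page does not state how the broker represents rules or what it does when nothing matches. It reproduces the 'nested' ACL example from the Topics item and shows both the refusal the page requires and the permit that naive evaluation would wrongly produce.

```python
"""Illustrative ACL matcher for the micro broker rules described on this page.
Example code, not the broker's implementation."""

PERMIT, DENY = "permit", "deny"
COVERED, BROADER, DISJOINT = "covered", "broader", "disjoint"

# Constructed example policy: the 'nested' ACLs from the text.
RULES = [
    ("stocks/#", PERMIT),            # ACL1
    ("stocks/US/+/tech/#", DENY),    # ACL2
]


def compare_topic(acl_pattern: str, subscription: str) -> str:
    """Compare a subscription filter with an ACL topic target, level by level.

    COVERED  : every topic the subscription can match lies inside the ACL target.
    BROADER  : the subscription has '#' where the ACL has none, or '+' where the
               ACL has a literal, so it could reach topics outside the target.
    DISJOINT : a literal level differs, so the two never overlap.
    """
    acl = acl_pattern.split("/")
    sub = subscription.split("/")
    for i, a in enumerate(acl):
        if a == "#":
            return COVERED                 # ACL allows everything from here down
        if i >= len(sub):
            return DISJOINT                # subscription is shorter, with no '#'
        s = sub[i]
        if s == "#":
            return BROADER                 # '#' in subscription, none in the ACL
        if s == "+":
            if a != "+":
                return BROADER             # '+' where the ACL has a literal
            continue
        if a != "+" and a != s:
            return DISJOINT                # literal mismatch
    # ACL exhausted without a trailing '#': any deeper level is outside it,
    # and a deeper wildcard is treated as broader (conservative refusal).
    rest = sub[len(acl):]
    if not rest:
        return COVERED
    return BROADER if any(level in ("+", "#") for level in rest) else DISJOINT


def queue_matches(acl_pattern: str, queue_name: str) -> bool:
    """Queue targets allow a single '*', only as the final character; the
    part before it must be a prefix of the destination queue name."""
    star = acl_pattern.find("*")
    if star == -1:
        return acl_pattern == queue_name
    if star != len(acl_pattern) - 1:
        raise ValueError(f"'*' must be the last character of the queue target: {acl_pattern!r}")
    return queue_name.startswith(acl_pattern[:-1])


def combine(effects, algorithm: str):
    """Resolve the effects of all applicable rules with one combining algorithm.
    Returns None when no rule applied so the caller can choose a default."""
    if not effects:
        return None
    if algorithm == "deny-overrides":
        return DENY if DENY in effects else PERMIT
    if algorithm == "permit-overrides":
        return PERMIT if PERMIT in effects else DENY
    raise ValueError(f"unknown combining algorithm: {algorithm}")


def authorize_subscription(rules, subscription: str, algorithm: str,
                           refuse_broader: bool = True) -> str:
    """Decide a subscription against (topic_target, effect) rules.

    refuse_broader=True is the behaviour the page describes: a subscription that
    reaches outside any rule it overlaps is refused as a whole, because part of
    it could fall under a rule with the opposite effect.
    refuse_broader=False is the naive evaluation the page warns against.
    Assumption: DENY when no rule applies (the page does not state the default).
    """
    effects = []
    for target, effect in rules:
        outcome = compare_topic(target, subscription)
        if outcome == BROADER and refuse_broader:
            return DENY
        if outcome == COVERED:
            effects.append(effect)
    return combine(effects, algorithm) or DENY


if __name__ == "__main__":
    for sub in ("stocks/US/NYC/#", "stocks/US/NYC/tech/#", "stocks/EU/LON/#"):
        print(sub, "deny-overrides ->", authorize_subscription(RULES, sub, "deny-overrides"),
              "| naive ->", authorize_subscription(RULES, sub, "deny-overrides", refuse_broader=False))
    print("foo* matches foo.XYZ.123:", queue_matches("foo*", "foo.XYZ.123"))
```

Running the module shows "stocks/US/NYC/#" refused (ACL2 is narrower than the subscription at the fourth level) while the naive path permits it, and "stocks/US/NYC/tech/#" denied under deny-overrides but permitted under permit-overrides, since both rules cover it.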