The micro broker uses a policy-based authorization scheme.
Policies are specified in an access control language (ACL), which is specified in XML. The ACL file is called micro-acl.xml and resides in the broker data directory. A default ACL file is created when a micro broker is created. Any changes to the file take effect when the broker starts or restarts. To use an existing ACL file with a new broker, first create the broker, then overwrite the generated default ACL file with the prewritten one, and finally start the new broker.
A detailed description of the ACL file is given in ACL document structure, following a more general description of its function and capability.
Micro broker clients
Micro broker clients supply a username and password, which first authenticate the client. An authenticated username then becomes the subject name in terms of authorization and is evaluated against the authorization file of the micro broker (micro-acl.xml) to see whether the client is permitted to do the requested action.
Specifying access policies
The ACL file of the micro broker contains one or more access policies. A policy is a set of rules defined for a specified target. A rule is the elementary unit out of which policies are composed. A rule defines an effect for a given target; that is, it either allows or denies a target. A target defines a set that consists of subjects, resources, actions, and environment.
The micro broker consults the ACL file to check whether a particular client that connects from a given network environment is allowed to perform a variety of operations.
Rule evaluation and the grouping of rules into policies
A policy is a set of rules that applies to a given target and defines how the rules are combined. A rule in a policy applies only if the target of the policy applies in addition to the target of the rule.
ACL document structure
A micro broker ACL document is an XML document with a single top-level element that defines a policy-combination algorithm permit-overrides and a number of policy definitions.
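As an added illustration (not code or syntax from the micro broker documentation), this Python model shows how policy and rule targets gate a rule and how permit-overrides combines the policy results. The glob-style targets, the Target, Rule and Policy classes, the rule-combining names and the NotApplicable result are assumptions that follow the usual XACML meaning of these terms; they are not the micro-acl.xml schema.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ATTRS = ("subject", "resource", "action", "environment")

@dataclass
class Target:
    # Simplified model, not the micro-acl.xml schema: one glob per attribute.
    subject: str = "*"
    resource: str = "*"
    action: str = "*"
    environment: str = "*"

    def applies(self, request):
        return all(fnmatchcase(request[a], getattr(self, a)) for a in ATTRS)

@dataclass
class Rule:
    effect: str                      # "Permit" or "Deny"
    target: Target = field(default_factory=Target)

@dataclass
class Policy:
    target: Target
    rules: list
    rule_combining: str = "deny-overrides"   # assumed name and default

def combine_decisions(decisions, algorithm):
    # The overriding effect wins if present; otherwise the other effect, if any.
    first, second = ("Permit", "Deny") if algorithm == "permit-overrides" else ("Deny", "Permit")
    if first in decisions:
        return first
    return second if second in decisions else "NotApplicable"

def evaluate_policy(policy, request):
    # A rule counts only if the policy target AND the rule's own target match.
    if not policy.target.applies(request):
        return "NotApplicable"
    effects = [r.effect for r in policy.rules if r.target.applies(request)]
    return combine_decisions(effects, policy.rule_combining)

def evaluate_acl(policies, request):
    # Policy results are combined with permit-overrides, as the ACL's top-level element states.
    return combine_decisions([evaluate_policy(p, request) for p in policies], "permit-overrides")

# Constructed sample: a broad permit for all publishers, a narrow deny for "guest".
ACL = [Policy(Target(), [Rule("Permit", Target(action="publish"))]),
       Policy(Target(subject="guest"), [Rule("Deny", Target(resource="admin/*"))])]
REQ = {"subject": "guest", "resource": "admin/restart", "action": "publish", "environment": "10.0.0.7"}
print(evaluate_acl(ACL, REQ), evaluate_policy(ACL[1], REQ))
```

In the constructed sample the narrow Deny for guest is overridden by the broad Permit in the other policy, which is the interaction to look for when reviewing an ACL whose top-level algorithm is permit-overrides. What the broker does with a request that no policy matches is not modeled here.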
Micro broker ACL example
This section contains a complete example of a simple micro broker ACL file:
Micro broker ACL samples
This section contains sample micro-acl.xml files that demonstrate how to accomplish a number of common access control schemes. They can be used either to replace the default file (with appropriate edits for your own user names) or as a cookbook, where relevant sections can be cut and pasted to create your own set of policies.