Specifying access policies
Added by IBM on October 5, 2011 | Version 1 (Original)
The ACL file of the micro broker contains one or more access policies. A policy is a set of rules defined for a specified target. A rule is the elementary unit out of which policies are composed. A rule defines an effect for a given target; that is, it either allows or denies a target. A target defines a set that consists of subjects, resources, actions, and environment.
These elements have the following meaning:
Wild card matching process
- Topics - Two wild cards (+ and #) are supported. Wild card matching follows the same rules as MQTT publishing and subscribing: the single-level wild card + can appear at any level of the hierarchy, and more than once, but the multi-level wild card #, if used, must be the last character of the topic string. If a wild-carded subscription could match more topics than the ACL target allows, the subscription is refused as a whole. Concretely, comparing the two slash (/) delimited strings level by level, the subscription is refused if at any level it has a hash (#) where the ACL does not, or a plus (+) where the ACL has neither a hash nor a plus. The whole subscription must be refused because it might otherwise fall partly inside and partly outside the targets of two rules with conflicting effects. For example, take the nested targets ACL1="stocks/#" (Permit) and ACL2="stocks/US/+/tech/#" (Deny) with the deny-overrides combining algorithm. The subscription "stocks/US/NYC/#" matches ACL1 but is not matched by ACL2, so evaluating the matches alone would permit it. That result would be wrong, because the subscription also covers the topics under stocks/US/NYC/tech that ACL2 explicitly denies; the level-by-level check catches this because the subscription has # at the level where ACL2 has the literal tech.
- Queues - Only one wild card is allowed (*). It can appear only once, and only at the end of the queue name. A queue target matches a destination when the two names are identical up to the asterisk (*), that is, when the target without its asterisk is a prefix of the destination name. For example, the resource name foo* matches the destination queue names foo, foobar and foo.XYZ.123, but not fo, ABC.foo or ear-trumpet.
Typically, a policy consists of multiple rules. The targets of rules might overlap, in which case multiple rules apply. A combination algorithm specifies how overlapping rules are evaluated. Two algorithms exist, permit-overrides and deny-overrides. In the case of permit-overrides, a single matching permit results in a permit, irrespective of any other matches that result in deny for the same target. Likewise, deny-overrides results in deny if a single match evaluates to deny, irrespective of any other matching permits. Multiple policies are combined in an analogous way to the rules.
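To make the wild card matching and the rule-combining algorithms above concrete, here is an added Python model written for this page. It is example code, not IBM's micro broker implementation, and it does not parse the actual ACL file format. It follows the rules the page states (MQTT wild cards in topic targets, a single trailing * in queue targets, refusal of a subscription that reaches outside a target it overlaps, permit-overrides and deny-overrides) and assumes two things the page leaves open: a target whose literal levels differ from the request is simply not applicable, and a request that matches no rule at all is denied. The names Rule, compare_topic_filters, authorize_topic and authorize_queue are illustrative.

```python
"""Model of the micro broker ACL evaluation described on this page.

Added illustration, not IBM's code or file format. Assumed (not stated on the
page): a target whose literal levels differ from the request is inapplicable,
and no applicable rule at all means deny.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Effect(Enum):
    PERMIT = "permit"
    DENY = "deny"


class Algorithm(Enum):
    PERMIT_OVERRIDES = "permit-overrides"
    DENY_OVERRIDES = "deny-overrides"


class Cover(Enum):
    COVERED = "covered"    # everything the request can match lies inside the target
    BROADER = "broader"    # request overlaps the target but also reaches outside it
    DISJOINT = "disjoint"  # target and request share no topic; rule does not apply


@dataclass
class Rule:
    target: str            # topic filter or queue name pattern
    effect: Effect


def compare_topic_filters(target: str, request: str) -> Cover:
    """Level-by-level comparison of an ACL topic target with a publish topic
    or subscription filter, implementing the page's refusal rule."""
    t, r = target.split("/"), request.split("/")
    i = 0
    while i < len(t) and i < len(r):
        tl, rl = t[i], r[i]
        if tl == "#":
            return Cover.COVERED          # target covers every level from here on
        if rl == "#":
            return Cover.BROADER          # request has # where the target does not
        if rl == "+" and tl != "+":
            return Cover.BROADER          # request has + where the target has a literal
        if tl != "+" and tl != rl:
            return Cover.DISJOINT         # literal mismatch (assumption: not applicable)
        i += 1
    if i == len(t) and i == len(r):
        return Cover.COVERED
    if i == len(t):                       # request has extra levels beyond the target
        return Cover.BROADER if r[i:] == ["#"] else Cover.DISJOINT
    # Target has extra levels; a lone trailing # also matches the parent topic (MQTT rule).
    return Cover.COVERED if t[i:] == ["#"] else Cover.DISJOINT


def queue_matches(target: str, queue: str) -> bool:
    """Queue targets allow one * only, and only as the last character."""
    star = target.find("*")
    if star != -1 and star != len(target) - 1:
        raise ValueError(f"queue target {target!r}: * may appear once, only at the end")
    return target == queue if star == -1 else queue.startswith(target[:-1])


def combine(effects: List[Effect], algorithm: Algorithm) -> Effect:
    if not effects:
        return Effect.DENY                # assumption: nothing applicable means deny
    if algorithm is Algorithm.PERMIT_OVERRIDES:
        return Effect.PERMIT if Effect.PERMIT in effects else Effect.DENY
    return Effect.DENY if Effect.DENY in effects else Effect.PERMIT


def authorize_topic(rules: List[Rule], request: str, algorithm: Algorithm,
                    refuse_broader: bool = True) -> Effect:
    """Authorize a publish topic or a subscription filter. With refuse_broader
    False the broadness check is skipped, reproducing the wrong result the
    page warns about."""
    applicable = []
    for rule in rules:
        cover = compare_topic_filters(rule.target, request)
        if cover is Cover.BROADER and refuse_broader:
            return Effect.DENY            # refused as a whole: partly inside, partly outside
        if cover is Cover.COVERED:
            applicable.append(rule.effect)
    return combine(applicable, algorithm)


def authorize_queue(rules: List[Rule], queue: str, algorithm: Algorithm) -> Effect:
    return combine([r.effect for r in rules if queue_matches(r.target, queue)], algorithm)


# The page's nested example: ACL1 permits stocks/#, ACL2 denies stocks/US/+/tech/#.
STOCK_RULES = [Rule("stocks/#", Effect.PERMIT), Rule("stocks/US/+/tech/#", Effect.DENY)]

if __name__ == "__main__":
    do = Algorithm.DENY_OVERRIDES
    for sub in ("stocks/US/NYC/#", "stocks/US/+/tech/#", "stocks/UK/#", "bonds/#"):
        print(f"{sub:22} naive={authorize_topic(STOCK_RULES, sub, do, False).value:7}"
              f" correct={authorize_topic(STOCK_RULES, sub, do).value}")
    for q in ("foo", "foobar", "foo.XYZ.123", "fo", "ABC.foo", "ear-trumpet"):
        print(f"queue {q:12} {authorize_queue([Rule('foo*', Effect.PERMIT)], q, do).value}")
```

Running the script shows the case the page describes: with the broadness check disabled, "stocks/US/NYC/#" is permitted because only ACL1 matches it, while the level-by-level check classifies it as broader than ACL2 and refuses it. The subscription "stocks/UK/#" is permitted under both evaluations because ACL2 is disjoint from it, and "bonds/#" falls back to the assumed default of deny.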