From 9c73ef7a5ac10acd6a50d5d52bd721fc2faa5919 Mon Sep 17 00:00:00 2001
From: Kim van der Riet
Date: Thu, 28 Feb 2013 16:14:30 +0000
Subject: Update from trunk r1375509 through r1450773
git-svn-id: https://svn.apache.org/repos/asf/qpid/branches/asyncstore@1451244 13f79535-47bb-0310-9956-ffa450edef68
---
java/broker/etc/broker_example.acl | 94 ++++++++++++++++++++------------
java/broker/etc/config.xml | 106 -------------------------------------
java/broker/etc/groups | 29 ++++++++++
java/broker/etc/log4j.xml | 23 +++-----
4 files changed, 96 insertions(+), 156 deletions(-)
delete mode 100644 java/broker/etc/config.xml
create mode 100644 java/broker/etc/groups
(limited to 'java/broker/etc')
diff --git a/java/broker/etc/broker_example.acl b/java/broker/etc/broker_example.acl
index 45a48bda09..fc650801c8 100644
--- a/java/broker/etc/broker_example.acl
+++ b/java/broker/etc/broker_example.acl
@@ -19,24 +19,20 @@
 ### EXAMPLE ACL V2 FILE
 ### NOTE: Rules are considered from top to bottom, and the first matching rule governs the decision.
-
-### DEFINE GROUPS ###
-
-#Define a 'messaging-users' group with users 'client' and 'server' in it
-GROUP messaging-users client server
-
-#Define a group for management web console users
-GROUP webadmins webadmin
+### Rules may refer to users or groups. Groups are currently defined in the etc/groups file.
 ### JMX MANAGEMENT ####
-# Allow everyone to perform read operations on the ServerInformation mbean
-# This is used for items such as querying the management API and broker release versions.
-ACL ALLOW ALL ACCESS METHOD component="ServerInformation"
+# To use JMX management, first give the user/group ACCESS MANAGEMENT permission
+ACL ALLOW administrators ACCESS MANAGEMENT
+ACL ALLOW guest ACCESS MANAGEMENT
-# Allow 'admin' all management operations. To reduce log file noise, only non-read-only operations are logged.
-ACL ALLOW admin ACCESS METHOD
-ACL ALLOW-LOG admin ALL METHOD
+# Allow guest to perform read operations on the ServerInformation mbean
+ACL ALLOW guest ACCESS METHOD component="ServerInformation"
+
+# Allow 'administrators' all management operations. To reduce log file noise, only non-read-only operations are logged.
+ACL ALLOW administrators ACCESS METHOD
+ACL ALLOW-LOG administrators ALL METHOD
 # Allow 'guest' to view logger levels, and use getter methods on LoggingManagement
 ACL ALLOW guest ACCESS METHOD component="LoggingManagement" name="viewEffectiveRuntimeLoggerLevels"
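Review bot: `ACL ALLOW guest ACCESS MANAGEMENT` is placed ahead of the rule the next hunk adds, `ACL DENY-LOG messaging-users ACCESS MANAGEMENT`, while the new etc/groups file in this same commit puts guest in that group (`messaging-users.users=guest,client,server`); because the file's own NOTE says the first matching rule governs, the later DENY can never apply to guest and the "Deny messaging-users management" comment is misleading for that user. Either the DENY has to come before this ALLOW (or guest leaves the group), or the intent should be stated here, e.g. `# NOTE: guest is also in messaging-users; this ALLOW precedes, and so overrides, the DENY-LOG messaging-users ACCESS MANAGEMENT rule below`. As this is the example file shipped with the broker, the main risk is that the pattern gets copied as-is into real deployments, so the example should model the least-privilege ordering.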
@@ -49,17 +45,61 @@
 ACL DENY-LOG ALL ACCESS METHOD component="UserManagement"
 ACL DENY-LOG ALL ACCESS METHOD component="ConfigurationManagement"
 ACL DENY-LOG ALL ACCESS METHOD component="LoggingManagement"
-# Allow everyone to perform all read operations (using ALLOW rather than ALLOW-LOG to reduce log file noise)
-# on the mbeans not listed in the DENY rules above
+# Allow everyone to perform all read operations on the mbeans not listed in the DENY rules above
 ACL ALLOW ALL ACCESS METHOD
+### WEB MANAGEMENT ####
+
+# To use web management, first give the user/group ACCESS MANAGEMENT permission
+ACL ALLOW webadmins ACCESS MANAGEMENT
+
+# ACL for web management console admins
+# All rules below are required for console admin users
+# to perform create/update/delete operations
+ACL ALLOW-LOG webadmins CREATE QUEUE
+ACL ALLOW-LOG webadmins DELETE QUEUE
+ACL ALLOW-LOG webadmins PURGE QUEUE
+ACL ALLOW-LOG webadmins CREATE EXCHANGE
+ACL ALLOW-LOG webadmins DELETE EXCHANGE
+ACL ALLOW-LOG webadmins BIND EXCHANGE
+ACL ALLOW-LOG webadmins UNBIND EXCHANGE
+ACL ALLOW-LOG webadmins CREATE GROUP
+ACL ALLOW-LOG webadmins DELETE GROUP
+ACL ALLOW-LOG webadmins UPDATE GROUP
+ACL ALLOW-LOG webadmins CREATE USER
+ACL ALLOW-LOG webadmins DELETE USER
+ACL ALLOW-LOG webadmins UPDATE USER
+
+ACL ALLOW-LOG webadmins UPDATE METHOD
+
+# at the moment only the following UPDATE METHOD rules are supported by web management console
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages"
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages"
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages"
+
 ### MESSAGING ###
+# The 'ACCESS VIRTUALHOST' rules below apply to messaging operations (as opposed to management operations)
+
+# Firewall examples
+
+# Deny access to all users from *.example.company1.com and *.example.company2.com
+ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.example\.company1.com,.*\.example\.company2.com"
-#Example permissions for request-response based messaging.
+# Deny access to all users in the IP ranges 192.168.1.0-192.168.1.255 and 192.168.2.0-192.168.2.255,
+# using the notation specified in RFC 4632, "Classless Inter-domain Routing (CIDR)"
+ACL DENY-LOG messaging-users ACCESS VIRTUALHOST from_network="192.168.1.0/24,192.168.2.0/24"
-#Allow 'messaging-users' group to connect to the virtualhost
+# Deny access to all users in the IP ranges 192.169.1.0-192.169.1.255 and 192.169.2.0-192.169.2.255,
+# using wildcard notation.
+ACL DENY-LOG messaging-users ACCESS VIRTUALHOST from_network="192.169.1.*,192.169.2.*"
+
+# Allow 'messaging-users' group to connect to all virtualhosts
 ACL ALLOW-LOG messaging-users ACCESS VIRTUALHOST
+# Deny messaging-users management
+ACL DENY-LOG messaging-users ACCESS MANAGEMENT
+
+
 # Client side
 # Allow the 'client' user to publish requests to the request queue and create, consume from, and delete temporary reply queues.
 ACL ALLOW-LOG client CREATE QUEUE temporary="true"
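Review bot: Both comments beginning `# Deny access to all users in the IP ranges ...` describe rules whose subject is only the `messaging-users` group (`ACL DENY-LOG messaging-users ACCESS VIRTUALHOST from_network=...`), whereas the hostname example just above really does use `all`; a reader copying the example will think the network block is global when it is not. The comments should name the actual subject, e.g. `# Deny the 'messaging-users' group access from the IP ranges 192.168.1.0-192.168.1.255 and 192.168.2.0-192.168.2.255,` and likewise for the 192.169.x wildcard example. It would also help to say explicitly that these DENY rules sit before `ACL ALLOW-LOG messaging-users ACCESS VIRTUALHOST` on purpose, since first match wins and moving them below that line would silently disable them.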
@@ -77,24 +117,8 @@
 ACL ALLOW-LOG server CONSUME QUEUE name="example.RequestQueue"
 ACL ALLOW-LOG server BIND EXCHANGE
 ACL ALLOW-LOG server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*"
-# ACL for web management console admins
-# All rules below are required for console admin users
-# to perform create/update/delete operations
-ACL ALLOW-LOG webadmins CREATE QUEUE
-ACL ALLOW-LOG webadmins DELETE QUEUE
-ACL ALLOW-LOG webadmins PURGE QUEUE
-ACL ALLOW-LOG webadmins CREATE EXCHANGE
-ACL ALLOW-LOG webadmins DELETE EXCHANGE
-ACL ALLOW-LOG webadmins BIND EXCHANGE
-ACL ALLOW-LOG webadmins UNBIND EXCHANGE
-ACL ALLOW-LOG webadmins UPDATE METHOD
-
-# at the moment only the following UPDATE METHOD rules are supported by web management console
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages"
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages"
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages"
 ### DEFAULT ###
-#Deny all users from performing all operations
+# Deny all users from performing all operations
 ACL DENY-LOG all all
diff --git a/java/broker/etc/config.xml b/java/broker/etc/config.xml
deleted file mode 100644
index 08c7c23d13..0000000000
--- a/java/broker/etc/config.xml
+++ /dev/null
@@ -1,106 +0,0 @@
- - - - ${QPID_HOME} - ${QPID_WORK} - ${prefix}/etc - - ${QPID_HOME}/lib/plugins - ${QPID_WORK}/cache - - - - - false - 5671 - false - /path/to/keystore.ks - keystorepass - - 5672 - 262144 - 262144 - - - true - - 8999 - - - - false - - ${conf}/qpid.keystore - password - - - false - - - - 65535 - en_US - - - - - - org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase - - - passwordFile - ${conf}/passwd - - - - - - - - - - false - - - ${conf}/virtualhosts.xml - - - 0 - 2.0 - - - true - - - ON - - - -
diff --git a/java/broker/etc/groups b/java/broker/etc/groups
new file mode 100644
index 0000000000..e3912ece99
--- /dev/null
+++ b/java/broker/etc/groups
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+#
+# To define a group, use the format:
+#
+# .users=,,...,
+#
+
+messaging-users.users=guest,client,server
+administrators.users=admin
+webadmins.users=webadmin
+
diff --git a/java/broker/etc/log4j.xml b/java/broker/etc/log4j.xml
index b1b31248c1..71a13875a1 100644
--- a/java/broker/etc/log4j.xml
+++ b/java/broker/etc/log4j.xml
@@ -68,7 +68,7 @@ - +
@@ -77,20 +77,20 @@ - + - + - - - + + +
@@ -108,21 +108,14 @@ - - - - - - + - +
-- cgit v1.2.1
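Review bot: The new groups file never says who consumes it or that its group names are the subjects used by the ACL rules, while broker_example.acl in this commit only says groups "are currently defined in the etc/groups file"; a header line such as `# Group names defined here (administrators, webadmins, messaging-users) are the subjects referenced by the rules in broker_example.acl.` would tie the two files together for anyone editing either one. As rendered here the format line reads `# .users=,,...,`, which looks like angle-bracket placeholders dropped by the page rendering; if the committed file really reads that way, the placeholders for the group name and the comma-separated user list need restoring so the format is actually documented.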