| <div class="docbook"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">8.2. Group Providers</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><th width="60%" align="center">Chapter 8. Security</th><td width="20%" align="right"> <a accesskey="n" href="Java-Broker-Security-AccessControlProviders.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Group-Providers" />8.2. Group Providers</h2></div></div></div><p> |
| The Apache Qpid Broker-J utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-AccessControlProviders.html" title="8.3. Access Control Providers">ACLs</a>. |
| Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1. Authentication Providers">Authentication Provider</a>, |
| the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of |
| Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user. |
| </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="File-Group-Manager" />8.2.1. GroupFile Provider</h3></div></div></div><p> |
| The <span class="emphasis"><em>GroupFile</em></span> Provider allows specifying group membership in a flat file on disk. |
| On adding a new GroupFile Provider the path to the groups file is required to be specified. |
| If file does not exist an empty file is created automatically. On deletion of GroupFile Provider |
| the groups file is deleted as well. Only one instance of "GroupFile" Provider per groups file location can be created. |
| On attempt to create another GroupFile Provider pointing to the same location the error will be displayed and |
| the creation will be aborted. |
| </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="File-Group-Manager-FileFormat" />8.2.1.1. File Format</h4></div></div></div><p> |
| The groups file has the following format: |
| </p><pre class="programlisting"> |
| # <GroupName>.users = <comma delimited user list> |
| # For example: |
| |
| administrators.users = admin,manager |
| </pre><p> |
| Only users can be added to a group currently, not other groups. Usernames can't contain commas. |
| </p><p> |
| Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface. |
| </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-ManagedGroupProvider" />8.2.2. ManagedGroupProvider</h3></div></div></div><p> |
| The <span class="emphasis"><em>ManagedGroupProvider</em></span> allows specifying group membership as part of broker configuration. |
| In future version of Brokers GroupFile Provider will be replaced by this one. |
| </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-CloudFoundry" />8.2.3. CloudFoundryDashboardManagementGroupProvider</h3></div></div></div><p> |
| The <span class="emphasis"><em>CloudFoundryDashboardManagementGroupProvider</em></span> |
| allows mapping of service instance ids to qpid management groups. |
| </p><p> |
| One use case is restricting management capabilities of a OAuth2 authenticated user to certain virtual |
| hosts. For this, one would associate a cloudfoundry service id with each virtual host and have an ACL with a |
| separate management group for each virtual host. Given the correct service instance id to |
| management group mapping the GroupProvider will then associate the user with each management group the user |
| is provisioned to manage the associated service instance in the <a class="link" href="http://docs.cloudfoundry.org/services/dashboard-sso.html#checking-user-permissions" target="_top">CloudFoundry dashboard</a>. |
| </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="Java-Broker-Security-AccessControlProviders.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Security </td><td width="20%" align="center"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td width="40%" align="right" valign="top"> 8.3. Access Control Providers</td></tr></table></div></div> |