content/releases/qpid-broker-j-7.1.9/book/Java-Broker-Security-Group-Providers.html - qpid-site - Git at Google

 <!DOCTYPE html>
 <!--
  -
  - Licensed to the Apache Software Foundation (ASF) under one
  - or more contributor license agreements.  See the NOTICE file
  - distributed with this work for additional information
  - regarding copyright ownership.  The ASF licenses this file
  - to you under the Apache License, Version 2.0 (the
  - "License"); you may not use this file except in compliance
  - with the License.  You may obtain a copy of the License at
  -
  -   http://www.apache.org/licenses/LICENSE-2.0
  -
  - Unless required by applicable law or agreed to in writing,
  - software distributed under the License is distributed on an
  - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  - KIND, either express or implied.  See the License for the
  - specific language governing permissions and limitations
  - under the License.
  -
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
   <head>
     <title>8.2.&#160;Group Providers - Apache Qpid&#8482;</title>
     <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
     <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
     <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
     <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
     <script type="text/javascript">var _deferredFunctions = [];</script>
     <script type="text/javascript" src="/deferred.js" defer="defer"></script>
     <!--[if lte IE 8]>
       <link rel="stylesheet" href="/ie.css" type="text/css"/>
       <script type="text/javascript" src="/html5shiv.js"></script>
     <![endif]-->

     <!-- Redirects for `go get` and godoc.org -->
     <meta name="go-import"
           content="qpid.apache.org git https://gitbox.apache.org/repos/asf/qpid-proton.git"/>
     <meta name="go-source"
           content="qpid.apache.org
 https://github.com/apache/qpid-proton/blob/go1/README.md
 https://github.com/apache/qpid-proton/tree/go1{/dir}
 https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
   </head>
   <body>
     <div id="-content">
       <div id="-top" class="panel">
         <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>

         <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>

         <ul id="-global-navigation">
           <li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
           <li><a href="/documentation.html">Documentation</a></li>
           <li><a href="/download.html">Download</a></li>
           <li><a href="/discussion.html">Discussion</a></li>
         </ul>
       </div>

       <div id="-menu" class="panel" style="display: none;">
         <div class="flex">
           <section>
             <h3>Project</h3>

             <ul>
               <li><a href="/overview.html">Overview</a></li>
               <li><a href="/components/index.html">Components</a></li>
               <li><a href="/releases/index.html">Releases</a></li>
             </ul>
           </section>

           <section>
             <h3>Messaging APIs</h3>

             <ul>
               <li><a href="/proton/index.html">Qpid Proton</a></li>
               <li><a href="/components/jms/index.html">Qpid JMS</a></li>
               <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
             </ul>
           </section>

           <section>
             <h3>Servers and tools</h3>

             <ul>
               <li><a href="/components/broker-j/index.html">Broker-J</a></li>
               <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
               <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
             </ul>
           </section>

           <section>
             <h3>Resources</h3>

             <ul>
               <li><a href="/dashboard.html">Dashboard</a></li>
               <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
               <li><a href="/resources.html">More resources</a></li>
             </ul>
           </section>
         </div>
       </div>

       <div id="-search" class="panel" style="display: none;">
         <form action="http://www.google.com/search" method="get">
           <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
           <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
           <button type="submit">Search</button>
           <a href="/search.html">More ways to search</a>
         </form>
       </div>

       <div id="-middle" class="panel">
         <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-7.1.9/index.html">Qpid Broker-J 7.1.9</a></li><li><a href="/releases/qpid-broker-j-7.1.9/book/index.html">Apache Qpid Broker-J</a></li><li>8.2.&#160;Group Providers</li></ul>

         <div id="-middle-content">
           <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.2.&#160;Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Security-AccessControlProviders.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Group-Providers"></a>8.2.&#160;Group Providers</h2></div></div></div><p>
     The Apache Qpid Broker-J utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-AccessControlProviders.html" title="8.3.&#160;Access Control Providers">ACLs</a>.
     Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1.&#160;Authentication Providers">Authentication Provider</a>,
     the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of
     Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user.
   </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="File-Group-Manager"></a>8.2.1.&#160;GroupFile Provider</h3></div></div></div><p>
       The <span class="emphasis"><em>GroupFile</em></span> Provider allows specifying group membership in a flat file on disk.
       On adding a new GroupFile Provider the path to the groups file is required to be specified.
       If file does not exist an empty file is created automatically. On deletion of GroupFile Provider
       the groups file is deleted as well. Only one instance of "GroupFile" Provider per groups file location can be created.
       On attempt to create another GroupFile Provider pointing to the same location the error will be displayed and
       the creation will be aborted.
     </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="File-Group-Manager-FileFormat"></a>8.2.1.1.&#160;File Format</h4></div></div></div><p>
             The groups file has the following format:
           </p><pre class="programlisting">
     # &lt;GroupName&gt;.users = &lt;comma delimited user list&gt;
     # For example:

     administrators.users = admin,manager
 </pre><p>
             Only users can be added to a group currently, not other groups. Usernames can't contain commas.
           </p><p>
             Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface.
           </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-ManagedGroupProvider"></a>8.2.2.&#160;ManagedGroupProvider</h3></div></div></div><p>
             The <span class="emphasis"><em>ManagedGroupProvider</em></span> allows specifying group membership as part of broker configuration.
             In future version of Brokers GroupFile Provider will be replaced by this one.
         </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-CloudFoundry"></a>8.2.3.&#160;CloudFoundryDashboardManagementGroupProvider</h3></div></div></div><p>
             The <span class="emphasis"><em>CloudFoundryDashboardManagementGroupProvider</em></span>
             allows mapping of service instance ids to qpid management groups.
         </p><p>
             One use case is restricting management capabilities of a OAuth2 authenticated user to certain virtual
             hosts. For this, one would associate a cloudfoundry service id with each virtual host and have an ACL with a
             separate management group for each virtual host. Given the correct service instance id to
             management group mapping the GroupProvider will then associate the user with each management group the user
             is provisioned to manage the associated service instance in the <a class="link" href="http://docs.cloudfoundry.org/services/dashboard-sso.html#checking-user-permissions" target="_top">CloudFoundry dashboard</a>.
         </p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Security-AccessControlProviders.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter&#160;8.&#160;Security&#160;</td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;8.3.&#160;Access Control Providers</td></tr></table></div></div>

           <hr/>

           <ul id="-apache-navigation">
             <li><a href="http://www.apache.org/">Apache</a></li>
             <li><a href="http://www.apache.org/licenses/">License</a></li>
             <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
             <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
             <li><a href="/security.html">Security</a></li>
             <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
           </ul>

           <p id="-legal">
             Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
             The Apache Software Foundation; Licensed under
             the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
             License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
             Proton, Apache, the Apache feather logo, and the Apache Qpid
             project logo are trademarks of The Apache Software
             Foundation; All other marks mentioned may be trademarks or
             registered trademarks of their respective owners
           </p>
         </div>
       </div>
     </div>
   </body>
 </html>
	<!DOCTYPE html>
	<!--
	-
	- Licensed to the Apache Software Foundation (ASF) under one
	- or more contributor license agreements. See the NOTICE file
	- distributed with this work for additional information
	- regarding copyright ownership. The ASF licenses this file
	- to you under the Apache License, Version 2.0 (the
	- "License"); you may not use this file except in compliance
	- with the License. You may obtain a copy of the License at
	-
	- http://www.apache.org/licenses/LICENSE-2.0
	-
	- Unless required by applicable law or agreed to in writing,
	- software distributed under the License is distributed on an
	- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	- KIND, either express or implied. See the License for the
	- specific language governing permissions and limitations
	- under the License.
	-
	-->
	<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
	<head>
	<title>8.2. Group Providers - Apache Qpid™</title>
	<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
	<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
	<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
	<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
	<script type="text/javascript">var _deferredFunctions = [];</script>
	<script type="text/javascript" src="/deferred.js" defer="defer"></script>
	<!--[if lte IE 8]>
	<link rel="stylesheet" href="/ie.css" type="text/css"/>
	<script type="text/javascript" src="/html5shiv.js"></script>
	<![endif]-->

	<!-- Redirects for `go get` and godoc.org -->
	<meta name="go-import"
	content="qpid.apache.org git https://gitbox.apache.org/repos/asf/qpid-proton.git"/>
	<meta name="go-source"
	content="qpid.apache.org
	https://github.com/apache/qpid-proton/blob/go1/README.md
	https://github.com/apache/qpid-proton/tree/go1{/dir}
	https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
	</head>
	<body>
	<div id="-content">
	<div id="-top" class="panel">
	<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>

	<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>

	<ul id="-global-navigation">
	<li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
	<li><a href="/documentation.html">Documentation</a></li>
	<li><a href="/download.html">Download</a></li>
	<li><a href="/discussion.html">Discussion</a></li>
	</ul>
	</div>

	<div id="-menu" class="panel" style="display: none;">
	<div class="flex">
	<section>
	<h3>Project</h3>

	<ul>
	<li><a href="/overview.html">Overview</a></li>
	<li><a href="/components/index.html">Components</a></li>
	<li><a href="/releases/index.html">Releases</a></li>
	</ul>
	</section>

	<section>
	<h3>Messaging APIs</h3>

	<ul>
	<li><a href="/proton/index.html">Qpid Proton</a></li>
	<li><a href="/components/jms/index.html">Qpid JMS</a></li>
	<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
	</ul>
	</section>

	<section>
	<h3>Servers and tools</h3>

	<ul>
	<li><a href="/components/broker-j/index.html">Broker-J</a></li>
	<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
	<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
	</ul>
	</section>

	<section>
	<h3>Resources</h3>

	<ul>
	<li><a href="/dashboard.html">Dashboard</a></li>
	<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
	<li><a href="/resources.html">More resources</a></li>
	</ul>
	</section>
	</div>
	</div>

	<div id="-search" class="panel" style="display: none;">
	<form action="http://www.google.com/search" method="get">
	<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
	<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
	<button type="submit">Search</button>
	<a href="/search.html">More ways to search</a>
	</form>
	</div>

	<div id="-middle" class="panel">
	<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-7.1.9/index.html">Qpid Broker-J 7.1.9</a></li><li><a href="/releases/qpid-broker-j-7.1.9/book/index.html">Apache Qpid Broker-J</a></li><li>8.2. Group Providers</li></ul>

	<div id="-middle-content">
	<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.2. Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-AccessControlProviders.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Group-Providers"></a>8.2. Group Providers</h2></div></div></div><p>
	The Apache Qpid Broker-J utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-AccessControlProviders.html" title="8.3. Access Control Providers">ACLs</a>.
	Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1. Authentication Providers">Authentication Provider</a>,
	the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of
	Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user.
	</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="File-Group-Manager"></a>8.2.1. GroupFile Provider</h3></div></div></div><p>
	The <span class="emphasis"><em>GroupFile</em></span> Provider allows specifying group membership in a flat file on disk.
	On adding a new GroupFile Provider the path to the groups file is required to be specified.
	If file does not exist an empty file is created automatically. On deletion of GroupFile Provider
	the groups file is deleted as well. Only one instance of "GroupFile" Provider per groups file location can be created.
	On attempt to create another GroupFile Provider pointing to the same location the error will be displayed and
	the creation will be aborted.
	</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="File-Group-Manager-FileFormat"></a>8.2.1.1. File Format</h4></div></div></div><p>
	The groups file has the following format:
	</p><pre class="programlisting">
	# <GroupName>.users = <comma delimited user list>
	# For example:

	administrators.users = admin,manager
	</pre><p>
	Only users can be added to a group currently, not other groups. Usernames can't contain commas.
	</p><p>
	Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface.
	</p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-ManagedGroupProvider"></a>8.2.2. ManagedGroupProvider</h3></div></div></div><p>
	The <span class="emphasis"><em>ManagedGroupProvider</em></span> allows specifying group membership as part of broker configuration.
	In future version of Brokers GroupFile Provider will be replaced by this one.
	</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-CloudFoundry"></a>8.2.3. CloudFoundryDashboardManagementGroupProvider</h3></div></div></div><p>
	The <span class="emphasis"><em>CloudFoundryDashboardManagementGroupProvider</em></span>
	allows mapping of service instance ids to qpid management groups.
	</p><p>
	One use case is restricting management capabilities of a OAuth2 authenticated user to certain virtual
	hosts. For this, one would associate a cloudfoundry service id with each virtual host and have an ACL with a
	separate management group for each virtual host. Given the correct service instance id to
	management group mapping the GroupProvider will then associate the user with each management group the user
	is provisioned to manage the associated service instance in the <a class="link" href="http://docs.cloudfoundry.org/services/dashboard-sso.html#checking-user-permissions" target="_top">CloudFoundry dashboard</a>.
	</p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-AccessControlProviders.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 8. Security </td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 8.3. Access Control Providers</td></tr></table></div></div>

	<hr/>

	<ul id="-apache-navigation">
	<li><a href="http://www.apache.org/">Apache</a></li>
	<li><a href="http://www.apache.org/licenses/">License</a></li>
	<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
	<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
	<li><a href="/security.html">Security</a></li>
	<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
	</ul>

	<p id="-legal">
	Apache Qpid, Messaging built on AMQP; Copyright © 2015
	The Apache Software Foundation; Licensed under
	the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
	License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
	Proton, Apache, the Apache feather logo, and the Apache Qpid
	project logo are trademarks of The Apache Software
	Foundation; All other marks mentioned may be trademarks or
	registered trademarks of their respective owners
	</p>
	</div>
	</div>
	</div>
	</body>
	</html>