🎄 Happy Holidays! 🥳
Most of Solace is closed December 24–January 1 so our employees can spend time with their families. We will re-open Thursday, January 2, 2024. Please expect slower response times during this period and open a support ticket for anything needing immediate assistance.
Happy Holidays!
Please note: most of Solace is closed December 25–January 2, and will re-open Tuesday, January 3, 2023.
Applying ACL profile on Queue Subscription!
Answers
-
Hi @Naresh,
queues in a Solace broker have an owner and a "permission for non-owners".
If you set permission for non-owner to none, only connections with the client-username in the owner-field are able to consume data from that queue.
Does that answer your question ?
Uli
0 -
Hello,
Thanks for the quick response.
This is to inform you that we dont have internal database for client authentication rather we have configured our LDAP as user store.
Hence my requirement is to control permission for an authorization group to subscribe from a queue rather a single user.
Please provide your feedback
Best Regards
Naresh
0 -
Hi Naresh,
I'm not sure, if this kind of permission control is possible for LDAP groups.
Another option: If you don't use pre-defined queues, but queues created by the consumer during connection, then the ACL will work... consumers can only create queues with subscriptions that match their ACL.
Uli
0 -
Hello Uli,
For cases where Producers are publishing to a Topic(backed by a queue) and we have subscribers reading from the queue we need to rely on Pre-Defined queues.
If such is not possible, does that mean an LDAP user created who has ACLs for Topics defined, would automatically have access to ALL the queues or am I missing something?
Best Regards,
Franklin
0 -
Permission concept for queues:
- There is an owner of a queue. Queue owner has full access to queue.
- There is a permission for non-owners. Every valid client that is not owner has permissions as listed here. This could be e.g. "none", "read-only", "consume and delete".
Most customers with demand to secure access to other clients do this with a proper owner setting and "non-owner-permission=none" - but as I said, there is no support for a group of owners.
0 -
Depending on your deployment you can realize something like that with a different VPN (or a 2nd messaging-service):
Migrate the connections from the LDAP group to a 2nd message-vpn (or 2nd messaging-service) who has only access for this LDAP group members and no one else and mv messages to that vpn/service via static bridge or DMR.
If this sounds interesting to you: give me some details on your deployment (like: Do you solace cloud or self-deployed software brokers ? Which type (connection size, standard vs. enterprise) ?)
I can write down some more specific hints, how to do that.
Uli
0 -
Hello Uli,
Based on the feedback and clarification
- There is an owner of a queue. Queue owner has full access to queue.
Q - Logically who would be the owner of the queue? Is it always a subscriber?
Q - If LDAP Groups cannot be provided, what about LDAP user? Can that be setup as the Owner?
Best Regards,
Franklin
0 -
Hi @Frankee787
Typical setup: Queue owner is the client-username used by the consuming application.
And yes - LDAP users can be setup as queue owner.
Uli
0 -
Thanks @uherbst
Our LDAP groups and user are successfully authenticating. However we still are not able to add an LDAP user as the owner for a queue.
Can you share some hints on how this can be done?
0 -
Another solution of the used case of applying ACL’s on Q subscription:
You can set the authorization type to LDAP so that the broker will look for a Group Membership Attribute (default is memberOf) in the LDAP user to know which authorization group a particular client belongs to. For example, if we have a client "john" and he has a memberOf attribute of "clientGroup", we can create a matching authorization group on the broker to assign an ACL profile and client profile. In this approach we can set the the LDAP user owner of a queue by manually typing in the username (ie. cn, uid) of the user into the queue owner box. The queue owner box tries to auto complete to a client username but you do not have to select one, you can type in anything into this box and it will be valid.
This approach saves you from creating LDAP users as client username in broker.
Thanks
Alam
P.S more details has been sent to you mail
2 -
Thanks @alamkhan786. For others that come across this thread, the use of LDAP groups for client authorization is defined in more detail in the docs: https://docs.solace.com/Security/Client-Authorization-Overview.htm#LDAP-Groups
1 -
Thanks @marc for the link
0 -
Hi @alamkhan786 ,
I have few queries for this approach,
- Every time user connects (after getting disconnected for any reason), I believe it will have new(dynamic) username (cn,uid) right? so then each time it will be required to set the uid manually in owner box, is there way that username can be automatically set whenever the user gets connected?
- What will be the role/use of ACL profile in this case as ACL profile is used for topic access only?
- How will client profile play role in this case?
Can you please help me to understand.
0
