🎄 Happy Holidays! 🥳

Most of Solace is closed December 24–January 1 so our employees can spend time with their families. We will re-open Thursday, January 2, 2024. Please expect slower response times during this period and open a support ticket for anything needing immediate assistance.

Happy Holidays!

Please note: most of Solace is closed December 25–January 2, and will re-open Tuesday, January 3, 2023.

Applying ACL profile on Queue Subscription!

Naresh
Naresh Member Posts: 2

Hi There!


i have a scenario to apply ACL policy for a JMS Subscriber, i would want them to subscribe only from specific Queue.


Is there any possibility of achieving this with PubSub+ Broker? Currently i can see i can give exemptions on Topic in ACL profile but not Queues

Tagged:

Answers

  • uherbst
    uherbst Member, Employee Posts: 130 Solace Employee

    Hi @Naresh,

    queues in a Solace broker have an owner and a "permission for non-owners".

    If you set permission for non-owner to none, only connections with the client-username in the owner-field are able to consume data from that queue.


    Does that answer your question ?


    Uli

  • Naresh
    Naresh Member Posts: 2

    Hello,


    Thanks for the quick response.

    This is to inform you that we dont have internal database for client authentication rather we have configured our LDAP as user store.


    Hence my requirement is to control permission for an authorization group to subscribe from a queue rather a single user.

    Please provide your feedback


    Best Regards

    Naresh

  • uherbst
    uherbst Member, Employee Posts: 130 Solace Employee

    Hi Naresh,

    I'm not sure, if this kind of permission control is possible for LDAP groups.


    Another option: If you don't use pre-defined queues, but queues created by the consumer during connection, then the ACL will work... consumers can only create queues with subscriptions that match their ACL.


    Uli

  • Frankee787
    Frankee787 Member Posts: 10

    Hello Uli,

    For cases where Producers are publishing to a Topic(backed by a queue) and we have subscribers reading from the queue we need to rely on Pre-Defined queues.

    If such is not possible, does that mean an LDAP user created who has ACLs for Topics defined, would automatically have access to ALL the queues or am I missing something?


    Best Regards,

    Franklin

  • uherbst
    uherbst Member, Employee Posts: 130 Solace Employee

    Permission concept for queues:


    1. There is an owner of a queue. Queue owner has full access to queue.
    2. There is a permission for non-owners. Every valid client that is not owner has permissions as listed here. This could be e.g. "none", "read-only", "consume and delete".

    Most customers with demand to secure access to other clients do this with a proper owner setting and "non-owner-permission=none" - but as I said, there is no support for a group of owners.

  • uherbst
    uherbst Member, Employee Posts: 130 Solace Employee

    Depending on your deployment you can realize something like that with a different VPN (or a 2nd messaging-service):


    Migrate the connections from the LDAP group to a 2nd message-vpn (or 2nd messaging-service) who has only access for this LDAP group members and no one else and mv messages to that vpn/service via static bridge or DMR.

    If this sounds interesting to you: give me some details on your deployment (like: Do you solace cloud or self-deployed software brokers ? Which type (connection size, standard vs. enterprise) ?)

    I can write down some more specific hints, how to do that.


    Uli

  • Frankee787
    Frankee787 Member Posts: 10

    Hello Uli,

    Based on the feedback and clarification

    1. There is an owner of a queue. Queue owner has full access to queue.

    Q - Logically who would be the owner of the queue? Is it always a subscriber?

    Q - If LDAP Groups cannot be provided, what about LDAP user? Can that be setup as the Owner?

    Best Regards,

    Franklin

  • uherbst
    uherbst Member, Employee Posts: 130 Solace Employee

    Hi @Frankee787

    Typical setup: Queue owner is the client-username used by the consuming application.

    And yes - LDAP users can be setup as queue owner.


    Uli

  • Frankee787
    Frankee787 Member Posts: 10

    Thanks @uherbst

    Our LDAP groups and user are successfully authenticating. However we still are not able to add an LDAP user as the owner for a queue.

    Can you share some hints on how this can be done?

  • alamkhan786
    alamkhan786 Member, Employee Posts: 11 Solace Employee

    @Naresh @Frankee787

    Another solution of the used case of applying ACL’s on Q subscription:

    You can set the authorization type to LDAP so that the broker will look for a Group Membership Attribute (default is memberOf) in the LDAP user to know which authorization group a particular client belongs to. For example, if we have a client "john" and he has a memberOf attribute of "clientGroup", we can create a matching authorization group on the broker to assign an ACL profile and client profile. In this approach we can set the the LDAP user owner of a queue by manually typing in the username (ie. cn, uid) of the user into the queue owner box. The queue owner box tries to auto complete to a client username but you do not have to select one, you can type in anything into this box and it will be valid.

     This approach saves you from creating LDAP users as client username in broker.

    Thanks

    Alam

    P.S more details has been sent to you mail

  • marc
    marc Member, Administrator, Moderator, Employee Posts: 963 admin

    Thanks @alamkhan786. For others that come across this thread, the use of LDAP groups for client authorization is defined in more detail in the docs: https://docs.solace.com/Security/Client-Authorization-Overview.htm#LDAP-Groups

  • alamkhan786
    alamkhan786 Member, Employee Posts: 11 Solace Employee

    Thanks @marc for the link

  • prashantk2000
    prashantk2000 Member Posts: 33 ✭✭

    Hi @alamkhan786 ,

    I have few queries for this approach,

    1. Every time user connects (after getting disconnected for any reason), I believe it will have new(dynamic) username (cn,uid) right? so then each time it will be required to set the uid manually in owner box, is there way that username can be automatically set whenever the user gets connected?
    2. What will be the role/use of ACL profile in this case as ACL profile is used for topic access only?
    3. How will client profile play role in this case?

    Can you please help me to understand.