This is archived documentation for an older version of Nirvana (v2.0). Please refer to the documentation for the latest version if required.
Nirvana Access Control Lists (ACLs)
Nirvana’s Access Control List (ACL) controls clients’ connection requests and subsequent Nirvana operations. By default, access control checks are performed within a realm.

A Nirvana realm’s Access Control List can be controlled programmatically through the Nirvana management API or using the Nirvana Realm Manager GUI. Any third-party security service can be passed a subject and a request and return a result that directly controls the individual user-level ACLs within a Nirvana realm. The Nirvana Admin API exposes the complete security model of the Nirvana Realm Server remotely, allowing customer-specific security models to be created.

For more information on Nirvana security, please see the Nirvana security white paper.
General ACL permissions
The following flags apply to every ACL.
• Modify – Allows the subject to add/remove ACL entries
• List – Allows the subject to get a list of ACL entries
• Full Privileges – Has complete access to the secured object

Nirvana Realm Server ACL permissions
The Realm Access Control Entry has the following controllable flags:
• Use Admin API – Can use the nAdminAPI package
• Manage Realm – Can add/remove realms from this realm
• Manage Joins – Can add/delete channel joins
• Manage P2P Services – Can create/destroy P2P services
• Manage Channels – Can add/delete channels on this realm
• Access The Realm – Can actually connect to this realm
• Override Connection Count – Can bypass the connection count on the realm
• Configure Realm – Can set run-time parameters on the realm

Channel ACL permissions
The Channel Access Control Entry has the following controllable flags:
• Write – Can publish events to this channel
• Read – Can subscribe for events on this channel
• Purge – Can delete events on this channel
• Get Last EID – Can get the last event ID on this channel

Queue ACL permissions
The Queue Access Control Entry has the following controllable flags:
• Write – Can push events to this queue
• Read – Can peek the events on this queue
• Purge – Can delete events on this queue
• Pop – Can pop events from the queue

P2P Service permissions
The Service Access Control Entry has the following controllable flags:
• Connect – Can access this service
Wildcard Support
As well as being able to specify an access control entry for a specific subject, the subject itself can contain wildcards. In this way you can specify access control based on hostname or on username.
For example:

| ACL Entry | Description |
|---|---|
| *@* | Represents all users from all nodes |
| *@client1.com | Represents all users from the node client1.com |
| username@nodename | Represents the user "username" on the node "nodename" |
| username@* | Represents the user "username" on all nodes |
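The wildcard subjects and per-object flags above, as an added Python model written for this page (it is not the Nirvana management API or nAdminAPI): a `*` in either half of a `username@nodename` entry matches anything, and a request is allowed only when the matching entry carries the requested flag or Full Privileges. Assumptions, since the page does not state how the server resolves overlapping entries: matching is exact apart from a whole-half `*`, a subject matched by no entry is denied, and a named user beats a named node, which beats `*@*`.

```python
# Added model of Nirvana-style ACL evaluation (illustration only, not the nAdminAPI).
# Flag names are those listed on this page; "Full Privileges" implies every flag.
GENERAL = {"Modify", "List", "Full Privileges"}
FLAGS = {
    "realm": GENERAL | {"Use Admin API", "Manage Realm", "Manage Joins",
                        "Manage P2P Services", "Manage Channels", "Access The Realm",
                        "Override Connection Count", "Configure Realm"},
    "channel": GENERAL | {"Write", "Read", "Purge", "Get Last EID"},
    "queue": GENERAL | {"Write", "Read", "Purge", "Pop"},
    "service": GENERAL | {"Connect"},
}

def split_subject(subject):
    """Split 'username@nodename' into its halves; anything else is rejected."""
    user, sep, node = subject.partition("@")
    if not sep or not user or not node:
        raise ValueError(f"subject must be username@nodename, got {subject!r}")
    return user, node

def matches(entry, subject):
    """True if ACL entry `entry` covers `subject`. Assumption: only a whole
    half equal to '*' is a wildcard; everything else must match exactly."""
    eu, en = split_subject(entry)
    su, sn = split_subject(subject)
    return eu in ("*", su) and en in ("*", sn)

def specificity(entry):
    """Assumption: a named user beats a named node, which beats '*@*'."""
    eu, en = split_subject(entry)
    return (eu != "*", en != "*")

def is_allowed(acl, obj_type, subject, flag):
    """acl maps entry subject -> set of granted flags. The most specific matching
    entry decides; a subject matched by no entry is denied."""
    if flag not in FLAGS[obj_type]:
        raise ValueError(f"{flag!r} is not a {obj_type} ACL flag")
    candidates = [e for e in acl if matches(e, subject)]
    if not candidates:
        return False
    granted = acl[max(candidates, key=specificity)]
    return "Full Privileges" in granted or flag in granted

# Constructed sample channel ACL, mirroring the wildcard table above.
CHANNEL_ACL = {
    "*@*": {"List"},                             # anyone may list the entries
    "*@client1.com": {"Read"},                   # all users on client1.com may subscribe
    "publisher@client1.com": {"Read", "Write"},  # one user may also publish
    "admin@*": {"Full Privileges"},              # admin from any node gets everything
}
```

Note that because the most specific entry decides, the broad `*@*` entry does not add its List flag to users covered by a narrower entry; widen the narrower entry if that is intended.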