nACL
The nACL object defines a set of nACLEntry objects, each consisting of a subject (a user on a node, written user@node) and a value that encodes the operations permitted for that subject. With an nACL object it is possible to add, delete and modify ACL entries for specific subjects.
There are three subclasses of the base nACLEntry object:
• nRealmACLEntry – defines permissions for a specific subject on the Nirvana Realm server itself
• nChannelACLEntry – defines permissions for a subject on a channel or queue
• nServiceACLEntry – defines permissions for a subject on a Nirvana P2P service
Each type of ACL entry has a number of flags that can be set to true or false to specify whether the subject can or cannot perform the corresponding operation. The following flags apply to every type of ACL entry:
• Modify – Allows the subject to add/remove ACL entries. Because a subject holding Modify can add an entry granting itself any other flag, Modify amounts to full control of the secured object and should be granted as sparingly as Full Privileges
• List – Allows the subject to get a list of ACL entries
• Full Privileges – Complete access to the secured object; every other flag is implied
Nirvana Realm Server ACL permissions
The Realm Access Control Entry has the following controllable flags:
• Use Admin API – Can use the nAdminAPI package
• Manage Realm – Can add/remove realms from this realm
• Manage Joins – Can add/delete channel joins
• Manage P2P Services – Can create/destroy P2P services
• Manage Channels – Can add/delete channels on this realm
• Access The Realm – Can connect to this realm at all; a subject that lacks this flag (and lacks Full Privileges) cannot connect, so none of its other flags can be exercised
• Override Connection Count – Can bypass the connection count limit on the realm
• Configure Realm – Can set run-time parameters on the realm
• Cluster – Can perform cluster operations, such as creating, deleting or modifying cluster information
Channel ACL permissions
The Channel Access Control Entry has the following controllable flags:
• Write – Can publish events to this channel
• Read – Can subscribe for events on this channel
• Purge – Can delete events on this channel
• Get Last EID – Can get the last event ID on this channel
• Named – Can subscribe using a named (durable) subscriber
Queue ACL permissions
The Queue Access Control Entry has the following controllable flags:
• Write – Can push events to this queue
• Read – Can peek at events on this queue without removing them
• Purge – Can delete events on this queue
• Pop – Can pop events from this queue (a destructive read that removes the event)
P2P Service permissions
The Service Access Control Entry has the following controllable flag:
• Connect – Can access this service
Wildcard Support
As well as specifying an access control entry for a specific subject, the subject itself can contain wildcards, so access control can be granted by node (hostname) or by username. For example:

| ACL Entry | Description |
| --- | --- |
| *@* | Represents all users from all nodes |
| *@client1.com | Represents all users from the node client1.com |
| username@nodename | Represents the user "username" on the node "nodename" |
| username@* | Represents the user "username" on all nodes |

Note that *@* matches every subject, so any flag granted to it (Full Privileges or Modify in particular) is granted to everyone who can reach the realm. When a specific entry such as username@nodename and a wildcard entry both match a connecting subject, confirm against the server which entry takes effect before relying on the more restrictive one.
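To exercise the flag lists and the wildcard table together, the following is an added example (not Nirvana's nAdminAPI and not code from this page) that models an ACL as a set of entries keyed by user@node subject, validates each entry's flags against its type (realm, channel, queue or service), resolves a connecting principal to the most specific matching entry, and audits wildcard subjects that hold Modify or Full Privileges. The class and method names, the flag spellings, the sample entries and the tie-break rule (a literal user outranks a literal node, both outrank *) are assumptions made here, since the page does not state how the server resolves overlapping entries.

```python
"""Added example, not Nirvana's nAdminAPI: models ACL entries with wildcard
subjects. Class and method names, flag spellings and the tie-break between
overlapping wildcard entries are assumptions made here."""
from dataclasses import dataclass
from typing import Optional

COMMON_FLAGS = frozenset({"modify", "list", "full_privileges"})
FLAGS_BY_KIND = {
    "realm": COMMON_FLAGS | {
        "use_admin_api", "manage_realm", "manage_joins", "manage_p2p_services",
        "manage_channels", "access_the_realm", "override_connection_count",
        "configure_realm", "cluster",
    },
    "channel": COMMON_FLAGS | {"write", "read", "purge", "get_last_eid", "named"},
    "queue": COMMON_FLAGS | {"write", "read", "purge", "pop"},
    "service": COMMON_FLAGS | {"connect"},
}


def split_subject(subject: str) -> tuple[str, str]:
    """Split 'user@node'; either half may be the whole-component wildcard '*'."""
    user, sep, node = subject.partition("@")
    if not sep or not user or not node:
        raise ValueError(f"subject must be user@node, got {subject!r}")
    return user, node


@dataclass(frozen=True)
class ACLEntry:
    subject: str        # "user@node", e.g. "*@client1.com"
    kind: str           # realm | channel | queue | service (selects the flag set)
    granted: frozenset  # flags set to true; every other flag is false

    def __post_init__(self) -> None:
        split_subject(self.subject)
        unknown = self.granted - FLAGS_BY_KIND[self.kind]
        if unknown:
            raise ValueError(f"{self.kind} entry has no flag(s) {sorted(unknown)}")

    def matches(self, principal: str) -> bool:
        pats, parts = split_subject(self.subject), split_subject(principal)
        return all(p == "*" or p == v for p, v in zip(pats, parts))

    def specificity(self) -> tuple[bool, bool]:
        # Assumed tie-break: literal user outranks literal node, both outrank '*'.
        user_pat, node_pat = split_subject(self.subject)
        return (user_pat != "*", node_pat != "*")

    def allows(self, flag: str) -> bool:
        # Full Privileges implies every flag of the secured object.
        return "full_privileges" in self.granted or flag in self.granted


class ACL:
    """One ACL per secured object: entries keyed by subject; no entry means deny."""

    def __init__(self, kind: str) -> None:
        self.kind = kind
        self.entries: dict[str, ACLEntry] = {}

    def add(self, entry: ACLEntry) -> None:
        if entry.kind != self.kind:
            raise ValueError(f"{entry.kind} entry added to {self.kind} ACL")
        if entry.subject in self.entries:
            raise ValueError(f"{entry.subject} already present; remove() it first")
        self.entries[entry.subject] = entry

    def remove(self, subject: str) -> None:
        del self.entries[subject]

    def find(self, principal: str) -> Optional[ACLEntry]:
        """Most specific entry matching the connecting principal, or None."""
        matching = [e for e in self.entries.values() if e.matches(principal)]
        return max(matching, key=ACLEntry.specificity) if matching else None

    def permits(self, principal: str, flag: str) -> bool:
        if flag not in FLAGS_BY_KIND[self.kind]:
            raise ValueError(f"{self.kind} ACL has no flag {flag!r}")
        entry = self.find(principal)
        return entry is not None and entry.allows(flag)


def audit_wildcards(acl: ACL) -> list[str]:
    """Report wildcard subjects that control the ACL itself: Modify lets the
    subject rewrite the entries, Full Privileges implies everything."""
    risky = frozenset({"modify", "full_privileges"})
    return [f"{e.subject} holds {sorted(e.granted & risky)}"
            for e in acl.entries.values()
            if "*" in split_subject(e.subject) and e.granted & risky]


def example_realm_acl() -> ACL:
    """Constructed sample realm ACL (assumed data, not taken from a real realm)."""
    acl = ACL("realm")
    acl.add(ACLEntry("*@*", "realm", frozenset({"access_the_realm"})))
    acl.add(ACLEntry("*@client1.com", "realm",
                     frozenset({"access_the_realm", "override_connection_count"})))
    acl.add(ACLEntry("admin@ops.example", "realm", frozenset({"full_privileges"})))
    return acl
```

Note how admin@client1.com receives the *@client1.com flags rather than the administrator's: the node half of the subject is part of the identity, so presenting a privileged username from another node never selects the more privileged entry. In this model an absent entry denies, and a flag name that does not belong to the entry type (Pop on a channel, Named on a queue) is rejected rather than silently treated as false.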