Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 5 Access Control List: Subject Access

Subject Access
The second layer of access control determines the Rendezvous message subjects to which a connected client can subscribe and publish.
Subject access controls use independent settings for subscribing and publishing, but the configuration and semantics are similar.
Profiles and Mappings
Subject access controls require two types of configuration that interact in a cascading fashion:
A profile mapping associates each client connection with an ACL profile.
Each profile determines the subjects to which associated client connections can subscribe and publish.
 
You can define several profiles.
You can map several client connections to the same profile.
Mappings
Each profile mapping associates a combination of username and Rendezvous service with an ACL profile. That is, you define a profile mapping by supplying three items:
A username
A Rendezvous service
An ACL profile
You may define several mappings.
Username
Client processes tacitly include their username with each client connection request. This value is the login username on the host computer where the client process is running. Subject access controls match this username against the profile mappings.
Semantics
Each mapping means that a client connection that matches its username and service can access Rendezvous subjects as defined in the profile. If you omit the username, then client connections with any username can match the mapping. If you omit the service, then client connections with any service can match the mapping.
When a client matches more than one profile mapping, the most specific mapping takes precedence (for details, see Table 3 and Example 2).
 
 
 
Example 2 ACL Profile Mappings and Precedence
For example, suppose that you have defined the following profile mappings:
 
 
When User-1 connects on service 1111, then Profile-1 applies.
When User-1 connects on service 3333, then Profile-3 applies.
When User-1 connects on service 8888, then Profile-3 applies.
 
When User-2 connects on service 1111, then Profile-2 applies.
When User-2 connects on service 8888, then Profile-4 applies.
When User-2 connects on service 3333, then the default profile applies.
 
When User-5 connects on service 8888, then Profile-4 applies.
When User-5 connects on service 1111, then the default profile applies.
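The precedence rule above, worked as an added example (not TIBCO's code): a small resolver that picks the most specific mapping that matches a connection. The mapping set is constructed so that it reproduces every outcome listed in Example 2, and the specificity ordering it assumes (username+service, then username only, then service only, then the default at 4) is an assumption, since Table 3 is not reproduced here.

```python
# Added example (not TIBCO's code): resolve which ACL profile applies to a
# client connection using "most specific mapping takes precedence".
# Assumed specificity ordering (only the default's value of 4 is given on the page):
#   1 = username and service, 2 = username only, 3 = service only, 4 = default

DEFAULT_PROFILE = "default"  # the factory-configured profile (specificity 4)


def specificity(mapping):
    """Lower number = more specific. None in a mapping field means 'any'."""
    user, service, _profile = mapping
    if user is not None and service is not None:
        return 1
    if user is not None:
        return 2
    if service is not None:
        return 3
    return 4


def resolve_profile(mappings, username, service):
    """Return the profile name that governs a (username, service) connection."""
    candidates = [
        m for m in mappings
        if (m[0] is None or m[0] == username) and (m[1] is None or m[1] == service)
    ]
    if not candidates:
        return DEFAULT_PROFILE  # every connection maps to the default at specificity 4
    return min(candidates, key=specificity)[2]


# Constructed mapping set, chosen to reproduce the outcomes in Example 2
MAPPINGS = [
    ("User-1", "1111", "Profile-1"),   # username + service
    ("User-1", None,   "Profile-3"),   # username only, any service
    ("User-2", "1111", "Profile-2"),   # username + service
    (None,     "8888", "Profile-4"),   # service only, any username
]
```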

 
Subject Rules
Within each profile, you can configure exactly two subject rules—one subscribe rule and one publish rule. Each rule consists of a default action and a set of exceptions.
Default Action
The default action can either allow all subjects, or disallow all subjects.
If the default action allows all subjects, then any exceptions specify subjects that are expressly disallowed.
Conversely, if the default action disallows all subjects, then any exceptions specify subjects that are expressly allowed.
Exceptions
Each rule can include zero or more exceptions to its default action.
Example 3 ACL Allow Subject
For example, suppose profile P1 has a subscribe rule that allows all subjects, and an exception disallowing foo.>. Then client connections that map to profile P1 can subscribe to any subject except those that either match foo.> directly (for example, foo.bar, foo.*.baz) or overlap foo.> (for example, *.bar, *.*, >).
(For a description of analogous behavior in rvrd, see Subject Filtering with Wildcards in TIBCO Rendezvous Administration.)
Subscribing to a subject that is disallowed (even in part) produces an error advisory; see CLIENT.SUBSCRIPTION.DISALLOWED on page 46.
Example 4 ACL Disallow Subject
Conversely, suppose profile P2 has a subscribe rule that disallows all subjects, and an exception allowing Free.Chat.>. Then client connections that map to profile P2 can subscribe to any subject that matches Free.Chat.> directly (for example, Free.Chat.Cats.> and Free.Chat.*.Feeding).
Notice that overlapping subjects (such as Free.*.*) are not allowed. As a general rule, overlapping is sufficient to disallow, but not to allow.

 
Publish rules have similar semantics to the subscribe rule examples above.
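The "overlap is sufficient to disallow, but not to allow" semantics of Examples 3 and 4, worked as an added example (not TIBCO's code). It assumes the usual Rendezvous wildcard meaning, * matching exactly one element and > matching one or more trailing elements, and treats a "direct match" as the requested subject being fully covered by the exception pattern.

```python
# Added example (not TIBCO's code): evaluate a subscribe rule (default action
# plus exceptions) against a requested subject, which may itself contain wildcards.
# Assumed wildcard semantics: '*' = exactly one element, '>' = one or more trailing elements.

def overlaps(a, b):
    """True if at least one concrete subject matches both patterns a and b."""
    if not a or not b:
        return not a and not b          # both exhausted together
    if a[0] == ">" or b[0] == ">":
        return True                     # '>' absorbs the (non-empty) remainder
    if a[0] == "*" or b[0] == "*" or a[0] == b[0]:
        return overlaps(a[1:], b[1:])
    return False


def subsumed(a, b):
    """True if every concrete subject matching a also matches b (a 'direct match')."""
    if not a or not b:
        return not a and not b
    if b[0] == ">":
        return True                     # b covers any non-empty remainder of a
    if a[0] == ">":
        return False                    # a is broader than b's remaining elements
    if b[0] == "*" or a[0] == b[0]:     # a literal or '*' under '*', or equal literals
        return subsumed(a[1:], b[1:])
    return False


def subscribe_allowed(rule, subject):
    """Apply a P-7500 style subscribe rule: allow-by-default with disallowed
    exceptions, or disallow-by-default with allowed exceptions."""
    subj = subject.split(".")
    exceptions = [e.split(".") for e in rule["exceptions"]]
    if rule["default_allow"]:
        # any overlap with a disallowed exception is enough to disallow
        return not any(overlaps(subj, e) for e in exceptions)
    # only a direct match with an allowed exception is enough to allow
    return any(subsumed(subj, e) for e in exceptions)


# Constructed profiles mirroring Example 3 (P1) and Example 4 (P2)
P1 = {"default_allow": True, "exceptions": ["foo.>"]}
P2 = {"default_allow": False, "exceptions": ["Free.Chat.>"]}
```

Publish rules can be evaluated with the same function, since the page states they share these semantics.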
Enforcement
Subscribing
P-7500 enforces subscription controls (that is, subscribe rules) whenever a client attempts to subscribe to a subject.
After a client has already subscribed to a subject, changing the ACL configuration to disallow that subject (or map the client to a different profile) does not have any effect; all existing subscriptions remain in effect.
Publishing
P-7500 enforces publishing controls (that is, publish rules) whenever a client attempts to publish to a subject.
Notice that the P-7500 filters each individual message that a client sends, using the publish rule that is in effect at the time the client sends the message.
Initial Configuration
When you first enable the ACL feature, a profile named default is factory configured. This profile has a subscribe rule that allows all subjects, and a publish rule that allows all subjects. All client connections (that is, any combination of username and service) map to this default profile (specificity 4).
You may change the subject rules of the default profile, but you cannot delete it.
You may map client connections (at any specificity) to other profiles.
