Menu Search

8.2. Group Providers

The Apache Qpid Broker-J utilises GroupProviders to allow assigning users to groups for use in ACLs or CLTs. Following authentication by a given Authentication Provider, the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user.

8.2.1. GroupFile Provider

The GroupFile Provider allows specifying group membership in a flat file on disk. On adding a new GroupFile Provider the path to the groups file is required to be specified. If file does not exist an empty file is created automatically. On deletion of GroupFile Provider the groups file is deleted as well. Only one instance of "GroupFile" Provider per groups file location can be created. On attempt to create another GroupFile Provider pointing to the same location the error will be displayed and the creation will be aborted.

8.2.1.1. File Format

The groups file has the following format:

    # <GroupName>.users = <comma delimited user list>
    # For example:

    administrators.users = admin,manager

Only users can be added to a group currently, not other groups. Usernames can't contain commas.

Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface.

8.2.2. ManagedGroupProvider

The ManagedGroupProvider allows specifying group membership as part of broker configuration. In future version of Brokers GroupFile Provider will be replaced by this one.

8.2.3. CloudFoundryDashboardManagementGroupProvider

The CloudFoundryDashboardManagementGroupProvider allows mapping of service instance ids to qpid management groups.

One use case is restricting management capabilities of a OAuth2 authenticated user to certain virtual hosts. For this, one would associate a cloudfoundry service id with each virtual host and have an ACL with a separate management group for each virtual host. Given the correct service instance id to management group mapping the GroupProvider will then associate the user with each management group the user is provisioned to manage the associated service instance in the CloudFoundry dashboard.