Simple Access Entitlements Module

The AMPS distribution includes a module that controls access to resources whose names match specific patterns. In this release, the simple access entitlement module is provided with AMPS as an optional extension, but is not loaded by default: the module must be explicitly loaded, enabled, and configured.

When using this module, AMPS grants and denies permissions to resources based on the name of the resource. The name of the user is not considered by this module, so when this module is used every user has the same set of permissions for the transport.

When to Use the Simple Access Module

The AMPS Simple Access module can be a good option when:

  • There are specific topics for a transport that are allowed or denied, but no other restrictions on the transport.

  • There is no other entitlement system in use for the installation.

Most often, the simple access module is used to allow access to the parts of the Admin console that do not modify the state of an AMPS instance, while refusing access to the parts of the Admin console that affect the instance state.

Configuring AMPS to use the Simple Access Module

The simple access entitlement module is included in the AMPS distribution, but is not loaded in AMPS by default. To load the module, add the following configuration item to the Modules block in your AMPS configuration:

<Modules>
    ...

    <Module>
        <Name>simple-access</Name>
        <Library>libamps_simple_access_entitlement.so</Library>

        <!-- This module does not require options when loaded. -->
    </Module>

    ...
</Modules>

Options for the module are set when the module is used for Entitlement. When used in an Entitlement block, the module requires the AllowedTopics and/or DeniedTopics options to be specified.

Option | Description

AllowedTopics

A regular expression that matches the topics that the module will allow access to. The module will grant access only to topics that match this regular expression and do not match the DeniedTopics regular expression.

Defaults to .*, matching all topics in the instance.

DeniedTopics

A regular expression that matches the topics that the module will deny access to. The module will grant access only to topics that do not match this regular expression.

There is no default for this parameter. If not provided, the module does not consider any topics to be explicitly denied and will grant access to any topic that matches the AllowedTopics parameter.

GrantedPermissions

When set, this option directs the module to grant only read or write permissions when a topic is allowed.

This option accepts a value of read or write, specifying which permission the module will grant.

There is no default for this parameter. If not provided, the module will grant both read and write permissions to any allowed topic.

When using this option for the Admin transport, notice that the administrator actions use an HTTP GET, so they are considered read operations. Granting only read permission therefore does not, by itself, refuse access to those actions.

For example, the following configuration loads the module, uses the module for entitlements on the administrative console, and explicitly refuses access to paths beneath /amps/administrator -- the paths that might modify the state of the instance. Since AllowedTopics defaults to .*, all other topics are allowed.

<AMPSConfig>

    <Modules>
        ...

        <Module>
            <Name>simple-access</Name>
            <Library>libamps_simple_access_entitlement.so</Library>
        </Module>

        ...
    </Modules>


    <Admin>
        <InetAddr>localhost:8085</InetAddr>
        <!-- Use the simple-access module to deny access to topics under
            /amps/administrator. -->
        <Entitlement>
            <Module>simple-access</Module>
            <Options>
                <!-- Deny all topics under /amps/administrator -->
                <DeniedTopics>^/amps/administrator</DeniedTopics>

                <!-- Allowed topics defaults to .* , so no need
                    to set that explicitly. -->
            </Options>
        </Entitlement>
    </Admin>

</AMPSConfig>
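To check a pair of patterns before deploying them, the following is an added example (a model of the rules described in the options table above, not code from AMPS or 60East). It assumes unanchored regular-expression matching, uses Python's `re` in place of the AMPS regex engine, and uses constructed sample paths and the hypothetical helper names `granted` and `audit`.

```python
import re
from typing import Dict, Iterable, List, Optional, Set


def granted(topic: str,
            allowed: str = ".*",                 # AllowedTopics default per the page
            denied: Optional[str] = None,        # DeniedTopics has no default
            granted_permissions: Optional[str] = None) -> Set[str]:
    """Return the permissions this model grants on `topic`.

    Assumption: patterns match anywhere in the topic unless anchored,
    which is how the page's ^/amps/administrator example reads.
    """
    if granted_permissions not in (None, "read", "write"):
        raise ValueError("GrantedPermissions accepts only read or write")
    # A topic that matches DeniedTopics is refused, whatever AllowedTopics says.
    if denied is not None and re.search(denied, topic):
        return set()
    # Otherwise the topic must match AllowedTopics.
    if not re.search(allowed, topic):
        return set()
    # With no GrantedPermissions, an allowed topic gets both permissions.
    if granted_permissions is None:
        return {"read", "write"}
    return {granted_permissions}


def audit(paths: Iterable[str], **options) -> Dict[str, List[str]]:
    """Map each path to the sorted permissions granted under `options`."""
    return {p: sorted(granted(p, **options)) for p in paths}


# Constructed sample paths for illustration, not a list of real Admin endpoints.
SAMPLE_PATHS = [
    "/amps/instance/example-stat",
    "/amps/administrator",
    "/amps/administrator/example-action",
]

if __name__ == "__main__":
    print("DeniedTopics=^/amps/administrator (the page's configuration):")
    for path, perms in audit(SAMPLE_PATHS, denied="^/amps/administrator").items():
        print(f"  {path}: {perms or 'DENIED'}")
    # Administrator actions are HTTP GETs, so read-only permission still reaches them.
    print("GrantedPermissions=read with no DeniedTopics:")
    for path, perms in audit(SAMPLE_PATHS, granted_permissions="read").items():
        print(f"  {path}: {perms or 'DENIED'}")
```

The second run shows why the example configuration relies on DeniedTopics: with only GrantedPermissions set to read, the paths under /amps/administrator are still granted read permission in this model.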


Copyright 2013-2024 60East Technologies, Inc.