use OpenSRF::Transport::Listener;
use OpenSRF::Utils;
use OpenSRF::Utils::Config;
-use Redis;
my $opt_service = undef;
my $opt_config = "@CONF_DIR@/opensrf_core.xml";
my $opt_pid_dir = "@PID_DIR@/run/opensrf";
+my $opt_bus_accounts = "@CONF_DIR@/redis-accounts.txt";
my $opt_no_daemon = 0;
my $opt_settings_pause = 0;
my $opt_localhost = 0;
GetOptions(
'service=s' => \$opt_service,
'config=s' => \$opt_config,
+ 'bus-accounts=s' => \$opt_bus_accounts,
'pid-dir=s' => \$opt_pid_dir,
'no-daemon' => \$opt_no_daemon,
'settings-startup-pause=i' => \$opt_settings_pause,
my $domain = ref $router ? $router->{domain} : $router;
my $port = $conf->bootstrap->port;
- # This redis connection uses the "default" account, which has
- # access to all actions and keys so it can act as the admin.
- my @connect_args = (server => "$domain:$port");
+ msg("Resetting bus accounts for domain $domain");
- my $redis = Redis->new(@connect_args) or
- die "Cannot connect to Redis instance at @connect_args\n";
-
- # Clear all the data
- msg("Clearing all data from message bus: @connect_args");
- $redis->flushall;
-
- my $username = $conf->bootstrap->username;
- my $password = $conf->bootstrap->passwd;
-
- msg("Applying bus access for $username");
-
- $redis->acl('SETUSER', $username, 'reset');
- $redis->acl('SETUSER', $username, 'on', ">$password");
-
- my @perms = qw/
- -@all
- +lpop
- +blpop
- +rpush
- +del
- ~opensrf:router:*
- ~opensrf:service:*
- ~opensrf:client:*
- /;
-
- $redis->acl('SETUSER', $username, @perms);
-
- $redis->quit;
+ system("cat $opt_bus_accounts | redis-cli -h $domain -p $port > /dev/null");
}
}
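Review bot: The `system("cat $opt_bus_accounts | redis-cli -h $domain -p $port > /dev/null")` line hands `$opt_bus_accounts` (a command-line option) and `$domain`/`$port` (config values) to a shell unquoted, so any shell metacharacter in them is executed instead of being passed to redis-cli, and the return value is never checked, so a refused connection or a rejected command leaves the bus without accounts while the script carries on. Reading the file with a 3-arg `open` and feeding it to redis-cli through a list-form pipe removes the shell and lets `close` report the exit status; a sketch follows (redis-cli's replies then reach stdout rather than `/dev/null`, so discard or log them as the script's logging policy prefers). The comment removed at the top of the hunk was the only record that this step runs as Redis's `default` user and relies on that account having admin rights; it should survive next to the pipe, e.g. `# NOTE: redis-cli connects as the "default" user here, which must have admin rights to run ACL SETUSER`. The old code also ran `flushall` before creating accounts and the new path does not, which is presumably intentional but deserves a sentence in the commit description. The enclosing function starts outside the hunk.
```perl
    msg("Resetting bus accounts for domain $domain");

    # No shell: the accounts file is read here and piped to redis-cli via
    # list-form open, so option/config values are never re-parsed as commands.
    open my $acct_fh, '<', $opt_bus_accounts
        or die "Cannot read bus accounts file $opt_bus_accounts: $!\n";
    # NOTE: redis-cli connects as the "default" user here, which must have
    # admin rights for ACL SETUSER to succeed.
    open my $cli_fh, '|-', 'redis-cli', '-h', $domain, '-p', $port
        or die "Cannot run redis-cli for $domain:$port: $!\n";
    while (my $line = <$acct_fh>) {
        print {$cli_fh} $line;
    }
    close $acct_fh;
    # A buffered write error or a non-zero redis-cli exit only surfaces here.
    close $cli_fh
        or die "redis-cli failed for $domain:$port: " . ($! || "exit status $?") . "\n";
```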
<!-- jabber login info -->
<!-- The gateway connects to the public domain -->
<domain>public.localhost</domain>
- <username>opensrf</username>
+ <username>gateway</username>
<passwd>password</passwd>
<port>5222</port>
<logfile>LOCALSTATEDIR/log/gateway.log</logfile>
--- /dev/null
+
+SET comment "opensrf clients can perform all opensrf-level actions"
+SET COMMENT "opensrf accounts send requets to opensrf:router:* queues"
+SET COMMENT "opensrf accounts send replies to opensrf:client:* queues"
+SET COMMENT "opensrf accounts lpop requests from their opensrf:servivce: queue."
+SET COMMENT "TODO: separate Listener vs Drone accounts to prevent Drones / standalone clients from accessing opensrf:service:*"
+
+ACL SETUSER opensrf reset
+ACL SETUSER opensrf on >password
+ACL SETUSER opensrf -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "routers lpop requests from their own opensrf:router:* queues"
+SET comment "routers send requests to opensrf:service:* queues"
+SET comment "routers send replies to opensrf:client:* queues"
+
+ACL SETUSER router reset
+ACL SETUSER router on >password
+ACL SETUSER router -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:service:* ~opensrf:client:*
+
+SET comment "gateway accounts send request to opensrf:router:* queues"
+SET comment "gateway accounts send subsequent, stateful requests to opensrf:client:* queues"
+
+ACL SETUSER gateway reset
+ACL SETUSER gateway on >password
+ACL SETUSER gateway -@all +lpop +blpop +rpush +del ~opensrf:router:* ~opensrf:client:*
+
+SET comment "admin can do anything"
+
+ACL SETUSER admin reset
+ACL SETUSER admin on >password
+ACL SETUSER admin +@all ~* &*
+
+DEL comment
+
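Review bot: The three `SET COMMENT` lines (the "requets", "opensrf:client:*" and "servivce" ones) write a different key from the `SET comment` lines, because Redis keys are case-sensitive, and the closing `DEL comment` removes only the lowercase key, so the uppercase `COMMENT` key and its text stay in the database after every run; either lowercase those three to `SET comment` or add `DEL COMMENT` before the final blank line. The comment strings also carry typos worth fixing while there: `requets` → `requests`, `servivce` → `service`, and `send request to` → `send requests to`. All four accounts, including `admin` with `+@all ~* &*`, are created with the same literal `>password`, and nothing in the file marks it as a placeholder; a leading `SET comment "replace every >password below before applying this file"` would make that explicit, and the file should be installed readable only by the account that runs the reset since it holds credentials. The `default` user is not touched by this file, so whatever access it already has is left in place; that is what the reset script appears to depend on to run these `ACL SETUSER` commands, and it may be worth a comment here.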