It would be very useful to be able to start the broker in a mode whereby only a configuration process was able to connect to it and it remained inaccessible to other clients until configuration (e.g. queue creation and binding, cluster nodes joining etc) was complete.
I think there are 2 necessary things here:

1. Limit the protocol or interface that connections are accepted on:

So in this mode we'd only accept connections say from localhost or a unix domain socket (when we implement that)

2. Use ACLs to limit access to only a user authenticated appropriately.

These things would also need to happen dynamically, so that restarting the broker wouldn't be necessary.

I think that 2 is probably possible, but not dynamically.

1 would need to be implemented and to be made dynamic.
(In reply to Andrew Stitcher from comment #1)
> I think there are 2 necessary things here:
>
> 1. Limit the protocol or interface that connections are accepted on:
>
> So in this mode we'd only accept connections say from localhost or a unix
> domain socket (when we implement that)
>
> 2. Use ACLs to limit access to only a user authenticated appropriately.
>
> These things would also need to happen dynamically, so that restarting the
> broker wouldn't be necessary.
>
> I think that 2 is probably possible, but not dynamically.
>
> 1 would need to be implemented and to be made dynamic.

I don't think 1 is essential here, though it may be nice to have. The HA module does something quite similar here. Backups reject all but management clients (though they do so by a special connection option rather than authenticated user - however that option is, I think, protected by ACL).

I.e. have a mode in which the broker rejects all connections except those identified as management clients (this could indeed be via a special 'access broker in management-mode' permission); have a command line flag to cause the broker to 'boot' into that mode; have a management command to move from that mode into normal mode.