[rabbitmq-discuss] Access control in RabbitMQ 2.0.0

• Previous message: [rabbitmq-discuss] Access control in RabbitMQ 2.0.0
• Next message: [rabbitmq-discuss] Access control in RabbitMQ 2.0.0
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Alex

> In previous releases, resources with server generated names (i.e.
> anything starting with amq.gen) were NOT checked for permissions.  Only
> resources with client specified names were.  This is what we now call
> ``client'' scope permissions.  So,
>   - clients can do whatever they want with sever-generated names (they
>     have full access to amq.gen resources),
>   - permissions are enforced only for client named resources (so, you
>     can restrict a client from creating named queues, etc.)

I'm trying this in RabbitMQ 2.0.0 and don't get the expected results.  
I have set the following permissions (they have client scope by  
default):

rabbitmqctl set_permissions -p $VHOST $USER "" "" ""

When the client app tries to declare a server-named exclusive  
auto-delete queue, it gets:

ACCESS_REFUSED - access to queue 'amq.gen-579strgPMK52VQEcVFKqkA==' in  
vhost '$VHOST' refused for user '$USER'

The declare command only works if I explicitly give $USER permissions  
for "amq.gen.*".


> Permissions are regular expressions.  The regular expression "^$"
> matches nothing.  The regular expressions "" matches everything,
> so it would mean allow-everything.  We found this confusing, so "" is now
> treated specially to mean "^$".  That paragraph explains this.

Does that mean that "" with scope 'client' means 'allow only resources  
with server-generated names' and "" with scope 'all' means 'allow  
nothing'?

Cheers
Jiri

• Previous message: [rabbitmq-discuss] Access control in RabbitMQ 2.0.0
• Next message: [rabbitmq-discuss] Access control in RabbitMQ 2.0.0
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]