[rabbitmq-discuss] Access control in RabbitMQ 2.0.0
jiri at krutil.com
Thu Aug 26 12:23:30 BST 2010
Hi Alex
> In previous releases, resources with server generated names (i.e.
> anything starting with amq.gen) were NOT checked for permissions. Only
> resources with client specified names were. This is what we now call
> ``client'' scope permissions. So,
> - clients can do whatever they want with server-generated names (they
> have full access to amq.gen resources),
> - permissions are enforced only for client named resources (so, you
> can restrict a client from creating named queues, etc.)
I'm trying this in RabbitMQ 2.0.0 and don't get the expected results.
I have set the following permissions (they have client scope by
default):
rabbitmqctl set_permissions -p $VHOST $USER "" "" ""
When the client app tries to declare a server-named exclusive
auto-delete queue, it gets:
ACCESS_REFUSED - access to queue 'amq.gen-579strgPMK52VQEcVFKqkA==' in
vhost '$VHOST' refused for user '$USER'
The declare command only works if I explicitly give $USER permissions
for "amq.gen.*".
> Permissions are regular expressions. The regular expression "^$"
> matches nothing. The regular expressions "" matches everything,
> so it would mean allow-everything. We found this confusing, so "" is now
> treated specially to mean "^$". That paragraph explains this.
Does that mean that "" with scope 'client' means 'allow only resources
with server-generated names' and "" with scope 'all' means 'allow
nothing'?
Cheers
Jiri
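As an added illustration (not RabbitMQ's own code, and not from either poster), here is a small Python model of the permission semantics Alex describes: "" is treated as "^$", and under 'client' scope server-generated names bypass the check. It assumes server-generated names are recognised by the amq.gen prefix and that patterns are matched unanchored with re.search; whether 2.0.0 actually behaves this way is exactly what the question above is about.

```python
import re

# Server-generated names carry this prefix, as in the ACCESS_REFUSED message above
SERVER_GENERATED_PREFIX = "amq.gen"


def compile_permission(pattern):
    """Compile one permission regex; "" is treated specially as "^$" (matches nothing)."""
    return re.compile("^$" if pattern == "" else pattern)


class PermissionSet:
    """Model of one user's configure/write/read permissions on a vhost (assumption, not RabbitMQ code)."""

    def __init__(self, configure, write, read, scope="client"):
        if scope not in ("client", "all"):
            raise ValueError("scope must be 'client' or 'all'")
        self.scope = scope
        self.patterns = {
            "configure": compile_permission(configure),
            "write": compile_permission(write),
            "read": compile_permission(read),
        }

    def allows(self, operation, resource_name):
        # 'client' scope: server-generated names are not checked at all
        if self.scope == "client" and resource_name.startswith(SERVER_GENERATED_PREFIX):
            return True
        # Assumption: unanchored matching, so "amq.gen.*" and "^amq\.gen.*" behave alike here
        return self.patterns[operation].search(resource_name) is not None


if __name__ == "__main__":
    # rabbitmqctl set_permissions -p $VHOST $USER "" "" "" with the default 'client' scope
    client_scoped = PermissionSet("", "", "")
    assert client_scoped.allows("configure", "amq.gen-579strgPMK52VQEcVFKqkA==")
    assert not client_scoped.allows("configure", "orders")
    # The same empty patterns with scope 'all': nothing is allowed, server-named or not
    all_scoped = PermissionSet("", "", "", scope="all")
    assert not all_scoped.allows("configure", "amq.gen-579strgPMK52VQEcVFKqkA==")
    print("model matches the semantics described in the thread")
```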