[rabbitmq-discuss] Access control in RabbitMQ 2.0.0
Alexandru Scvorţov
alexandru at rabbitmq.com
Thu Aug 26 12:59:20 BST 2010
Hi Jiri,
> I'm trying this in RabbitMQ 2.0.0 and don't get the expected results.
> I have set the following permissions (they have client scope by
> default):
>
> rabbitmqctl set_permissions -p $VHOST $USER "" "" ""
>
> When the client app tries to declare a server-named exclusive
> auto-delete queue, it gets:
>
> ACCESS_REFUSED - access to queue 'amq.gen-579strgPMK52VQEcVFKqkA==' in
> vhost '$VHOST' refused for user '$USER'
>
> The declare command only works if I explicitly give $USER permissions
> for "amq.gen.*".
You're right. It's a bug: all permissions are interpreted as having
scope "all".
> Does that mean that "" with scope 'client' means 'allow only resources
> with server-generated names' and "" with scope 'all' means 'allow
> nothing'?
That's the idea, but until we fix this bug, it's just "allow nothing".
Alex
On Thu, Aug 26, 2010 at 01:23:30PM +0200, jiri at krutil.com wrote:
> Hi Alex
>
> > In previous releases, resources with server generated names (i.e.
> > anything starting with amq.gen) were NOT checked for permissions. Only
> > resources with client specified names were. This is what we now call
> > "client" scope permissions. So,
> > - clients can do whatever they want with server-generated names (they
> > have full access to amq.gen resources),
> > - permissions are enforced only for client named resources (so, you
> > can restrict a client from creating named queues, etc.)
>
> I'm trying this in RabbitMQ 2.0.0 and don't get the expected results.
> I have set the following permissions (they have client scope by
> default):
>
> rabbitmqctl set_permissions -p $VHOST $USER "" "" ""
>
> When the client app tries to declare a server-named exclusive
> auto-delete queue, it gets:
>
> ACCESS_REFUSED - access to queue 'amq.gen-579strgPMK52VQEcVFKqkA==' in
> vhost '$VHOST' refused for user '$USER'
>
> The declare command only works if I explicitly give $USER permissions
> for "amq.gen.*".
>
>
> > Permissions are regular expressions. The regular expression "^$"
> > matches nothing. The regular expression "" matches everything,
> > so it would mean allow-everything. We found this confusing, so "" is now
> > treated specially to mean "^$". That paragraph explains this.
>
> Does that mean that "" with scope 'client' means 'allow only resources
> with server-generated names' and "" with scope 'all' means 'allow
> nothing'?
>
> Cheers
> Jiri
>
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
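The following is an added example, not code from the thread or from RabbitMQ itself: a small Python model of the permission rules discussed above (the three per-user regexes, "" being treated as "^$", "client" versus "all" scope, and the 2.0.0 bug where every permission is evaluated as scope "all"). It assumes that server-generated names are recognised by the "amq.gen-" prefix seen in the error message, that the regexes are matched with an unanchored search, and that a queue declare is governed by the "configure" permission; the `buggy_scope_all` flag and the `Permissions` class are constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed model of the permission semantics described in the thread.
# It is an illustration only, not RabbitMQ's own access-control code.

# Assumption: server-generated names carry the "amq.gen-" prefix shown in
# the ACCESS_REFUSED message quoted above.
SERVER_GENERATED_PREFIX = "amq.gen-"

# Assumption: queue declare is checked against "configure"; publish and
# consume are listed only to show the other two regexes in use.
OPERATION_TO_PERMISSION = {"declare": "configure", "publish": "write", "consume": "read"}


@dataclass(frozen=True)
class Permissions:
    """The three regexes given to: rabbitmqctl set_permissions -p VHOST USER CONFIGURE WRITE READ"""
    configure: str
    write: str
    read: str


def normalize(pattern: str) -> str:
    """Per the thread, 2.0.0 treats the empty string as "^$" (matches nothing);
    a genuinely empty regex would otherwise match everything."""
    return "^$" if pattern == "" else pattern


def name_matches(pattern: str, name: str) -> bool:
    # Assumption: unanchored search. Anchor patterns explicitly (^...$) when an
    # exact prefix or full-name match is intended.
    return re.search(normalize(pattern), name) is not None


def is_allowed(perms: Permissions, operation: str, name: str,
               scope: str = "client", buggy_scope_all: bool = False) -> bool:
    """Return True if OPERATION on resource NAME is permitted.

    scope="client": only client-named resources are checked; server-named
                    ones (amq.gen-*) are always allowed.
    scope="all":    every resource, including amq.gen-*, is checked.
    buggy_scope_all=True reproduces the 2.0.0 behaviour confirmed in the
    thread, where every permission is interpreted as scope "all".
    """
    effective_scope = "all" if buggy_scope_all else scope
    if effective_scope == "client" and name.startswith(SERVER_GENERATED_PREFIX):
        return True
    pattern = getattr(perms, OPERATION_TO_PERMISSION[operation])
    return name_matches(pattern, name)


def access_check(perms: Permissions, operation: str, name: str,
                 vhost: str, user: str, **kwargs):
    """Mimic the broker's outcome: None on success, the refusal text otherwise."""
    if is_allowed(perms, operation, name, **kwargs):
        return None
    return (f"ACCESS_REFUSED - access to queue '{name}' in vhost '{vhost}' "
            f"refused for user '{user}'")


if __name__ == "__main__":
    # The thread's configuration: set_permissions -p $VHOST $USER "" "" ""
    deny_all = Permissions("", "", "")
    gen_queue = "amq.gen-579strgPMK52VQEcVFKqkA=="

    # Intended client-scope behaviour: server-named queue is allowed.
    print(access_check(deny_all, "declare", gen_queue, "$VHOST", "$USER"))
    # What 2.0.0 actually does: every permission behaves as scope "all".
    print(access_check(deny_all, "declare", gen_queue, "$VHOST", "$USER", buggy_scope_all=True))

    # The workaround from the thread, "amq.gen.*", is a regex: "." matches any
    # character and the search is unanchored, so it also matches names that
    # merely contain "amq.gen" somewhere. A tighter pattern anchors the prefix.
    loose = Permissions("amq.gen.*", "", "")
    tight = Permissions(r"^amq\.gen-", "", "")
    for p in (loose, tight):
        print(p.configure, "->", is_allowed(p, "declare", "notamq.genuine", scope="all"))
```

Under the intended semantics `deny_all` lets a client use server-named queues and nothing else; with the bug modelled by `buggy_scope_all=True` the same configuration refuses the amq.gen-* declare exactly as reported. The last loop shows why an anchored pattern such as `^amq\.gen-` is the safer way to grant only the server-generated names if the "" special case is not available.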