[rabbitmq-discuss] Management plugin
Simon MacMullen
simon at rabbitmq.com
Mon Apr 11 12:57:38 BST 2011
On 08/04/11 21:26, Dave Greggory wrote:
> It looks like the management plugin does not allow non-admin users to do GETs on
> /api/connections or /api/nodes/<name>.
It should allow non-admins to GET /api/connections - however, they
should only be able to learn about their *own* connections, not anybody
else's.
> It silently returns empty data for those URLs.
You should get a 403 for /api/nodes.
> We'd like to create non-admin users who are just used by our monitoring
> application to hit these pages. Is there any reason (security or otherwise) why
> you decided that admin access is required for these URLs (my understanding is
> that no changes take place as they're RESTful GETs)?
The reason is that non-admin users are not supposed to be able to spy on
other users. This should be fairly obvious for /api/connections, and for
/api/nodes the concern is that non-admin users could infer what other
users are doing by watching things like the number of sockets used.
That said, your requirement seems reasonable. We probably need more than
a boolean to control this sort of thing. We have a bug open for this but
it's not receiving attention at the moment.
In the meantime, if you're comfortable building from source, the
attached patch will allow non-admins access to nodes and the connection
and channel lists. Since it was a 5 min hack, note that it won't allow
access to connection details (since you can DELETE, i.e. close, those...)
Cheers, Simon
--
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
Attachment: non_admin_monitoring.patch (text/x-patch, 2796 bytes):
<http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110411/a9576d3f/attachment.bin>
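As an added illustration (not RabbitMQ's own code and not the attached patch), the access rules Simon describes, modelled in Python over constructed sample records: under the default policy a non-admin sees only their own connections and gets 403 on /api/nodes, while the "patched" policy opens nodes and the full connection list but keeps connection details admin-only. The user names, connection names and node names are constructed.

```python
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


# Constructed sample data shaped like the HTTP API's JSON records.
CONNECTIONS = [
    {"name": "10.0.0.5:44211 -> 10.0.0.1:5672", "user": "monitor", "node": "rabbit@n1"},
    {"name": "10.0.0.7:50023 -> 10.0.0.1:5672", "user": "app", "node": "rabbit@n1"},
    {"name": "10.0.0.9:38100 -> 10.0.0.2:5672", "user": "app", "node": "rabbit@n2"},
]
NODES = {"rabbit@n1": {"sockets_used": 12}, "rabbit@n2": {"sockets_used": 3}}

_CONN_DETAIL = re.compile(r"^/api/connections/(.+)$")
_NODE = re.compile(r"^/api/nodes(?:/(.+))?$")


def handle(path, user, policy="default"):
    """Answer a GET as (status, body) under the 'default' or 'patched' policy."""
    if path == "/api/connections":
        if user.is_admin or policy == "patched":
            return 200, CONNECTIONS
        # Non-admins only learn about their own connections, not anybody else's.
        return 200, [c for c in CONNECTIONS if c["user"] == user.name]
    m = _CONN_DETAIL.match(path)
    if m:
        # The detail resource also accepts DELETE (closes the connection), so
        # even the patched policy keeps it admin-only.
        if not user.is_admin:
            return 403, None
        hit = [c for c in CONNECTIONS if c["name"] == m.group(1)]
        return (200, hit[0]) if hit else (404, None)
    m = _NODE.match(path)
    if m:
        # Node stats (e.g. sockets used) would let one user infer what others do.
        if not user.is_admin and policy != "patched":
            return 403, None
        if m.group(1) is None:
            return 200, [{"name": n, **v} for n, v in NODES.items()]
        return (200, NODES[m.group(1)]) if m.group(1) in NODES else (404, None)
    return 404, None
```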