[rabbitmq-discuss] Management plugin

[Simon MacMullen]

On 08/04/11 21:26, Dave Greggory wrote:
> It looks like the management plugin does not allow non-admin users to do GETs on
> /api/connections or /api/nodes/<name>.

It should allow non-admins to GET /api/connections - however, they 
should only be able to learn about their *own* connections, not anybody 
else's.

> It silents returns empty data for those urls.

You should get a 403 for /api/nodes.

> We'd like to create non-admin users who are just used by our monitoring
> application to hit these pages. Is there any reason (security or otherwise) why
> you decided that admin access is required for these URLs (my understanding is
> that no changes take place as they're restful GETs)?

The reason is that non-admin users are not supposed to be able to spy on 
other users. This should be fairly obvious for /api/connections, and for 
/api/nodes the concern is that non-admin users could infer what other 
users are doing by watching things like the number of sockets used.

That said, your requirement seems reasonable. We probably need more than 
a boolean to control this sort of thing. We have a bug open for this but 
it's not receiving attention at the moment.

In the mean time, if you're comfortable building from source the 
attached patch will allow non-admins access to nodes and the connection 
and channel lists. Since it was a 5 min hack, note that it won't allow 
access to connection details (since you can DELETE i.e. close those...)

Cheers, Simon

-- 
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware

-------------- next part --------------
A non-text attachment was scrubbed...
Name: non_admin_monitoring.patch
Type: text/x-patch
Size: 2796 bytes
Desc: not available
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110411/a9576d3f/attachment.bin>