[rabbitmq-discuss] RabbitMQ ACL suggestions?

Gavin M. Roy gmr at myyearbook.com
Wed Jun 29 23:17:03 BST 2011


I wanted to see what the current thinking about the state of ACL's in
RabbitMQ are. I've been trying to lock down my clusters and have run into
some quirks:

We've looked at doing passive queue declares to get queue depths for
alerting, reporting and auto-scaling of our consumers. Unfortunately passive
queue declares appear to require configure access. I can see why
queue.declare requires this but passive commands perhaps should have a
different bit setting?

Another one that seems a bit strange is in order to acknowledge message
receipt (i.e. Basic.Ack) it appears that one has to have the write
permission set for the given user+queue. I wanted to lock consumers to read
and publishers to write but at least in the case of consuming without using
autoAck, this is not possible.

In addition, we are currently doing all of our monitoring via the Management
Plugin's API. Unfortunately to get any data, the user calling the API to
list information requires administration access. I'd love to be able to let
Nagios/Your_Monitoring_Solution_Here poll the Rabbit node and get data
without giving it access to change all of the configuration state and remove
users.

Are there any changes related to these areas planned for future releases?

Regards,

Gavin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110629/8a063c21/attachment.htm>


More information about the rabbitmq-discuss mailing list