[rabbitmq-discuss] Issue: user is able to publish to queue that he does not have write permission to

Bill Gerrard billg at nffs.com
Fri Sep 2 16:14:17 BST 2011


Testing permissions and discovered user is able to publish to queue that 
he does not have write permission to.

Can anyone else duplicate?  If so, is this fixed on 2.6.0?

Running RabbitMQ 2.5.1 on Debian

Permissions on /:
user  configure  write                                read
nf    .*         ^nf_to_da.*|amq\\.default|test_.*    ^da_to_nf.*|test_.*

testing as user nf:
1) publish to nf_to_da queue -> publish successful (correct)
2) read from da_to_nf queue -> read successful (correct)
3) publish to da_to_nf queue -> publish successful! (should be denied) <====
4) read from nf_to_da queue -> read denied (correct)


Client is written in Perl using Net::RabbitMQ (same results when using 
Python examples from tutorial)
Logged in as user 'nf'
publish to nf_to_da
...success
publish to da_to_nf (should fail)
...success
consume from da_to_nf
...success
consume from nf_to_da (should fail)
Get failure for queue 'nf_to_da': Consume queue: server channel error 
403, message: ACCESS_REFUSED - access to queue 'nf_to_da' in vhost '/' 
refused for user 'nf'



Log from RabbitMQ message broker:

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
accepted TCP connection on [::]:5672 from 10.1.0.27:43796

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
starting TCP connection <0.11704.25> from 10.1.0.27:43796

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
closing TCP connection <0.11704.25> from 10.1.0.27:43796


=INFO REPORT==== 2-Sep-2011::09:01:58 ===
accepted TCP connection on [::]:5672 from 10.1.0.27:43797

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
starting TCP connection <0.11711.25> from 10.1.0.27:43797

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
closing TCP connection <0.11711.25> from 10.1.0.27:43797


=INFO REPORT==== 2-Sep-2011::09:01:58 ===
accepted TCP connection on [::]:5672 from 10.1.0.27:43798

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
starting TCP connection <0.11719.25> from 10.1.0.27:43798

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
closing TCP connection <0.11719.25> from 10.1.0.27:43798


=INFO REPORT==== 2-Sep-2011::09:01:58 ===
accepted TCP connection on [::]:5672 from 10.1.0.27:43799

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
starting TCP connection <0.11733.25> from 10.1.0.27:43799

=ERROR REPORT==== 2-Sep-2011::09:01:58 ===
connection <0.11733.25>, channel 1 - error:
{amqp_error,access_refused,
             "access to queue 'nf_to_da' in vhost '/' refused for user 'nf'",
             'basic.consume'}

=INFO REPORT==== 2-Sep-2011::09:01:58 ===
closing TCP connection <0.11733.25> from 10.1.0.27:43799
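
An added example, not part of the original message: a small Python model of which resource RabbitMQ checks for each of the four tests above, following the broker's documented access control rules (`basic.publish` needs write on the exchange, `basic.consume`/`basic.get` need read on the queue, and the default exchange is checked under the name `amq.default`). Assumptions: the publishes go through the default exchange as in the Python tutorial the post mentions, and the `\\.` in the permission listing is display escaping of the regex `\.`; `permitted` and `run_post_tests` are names made up for this sketch.

```python
import re

# Permission regexes for user 'nf' as listed in the post. Assumption: the
# "\\." in the listing is display escaping for the regex "\.".
PERMS = {
    "configure": r".*",
    "write": r"^nf_to_da.*|amq\.default|test_.*",
    "read": r"^da_to_nf.*|test_.*",
}

# Permission and resource kind checked per AMQP method (subset of the table
# in RabbitMQ's access control documentation).
CHECKS = {
    "basic.publish": ("write", "exchange"),
    "basic.consume": ("read", "queue"),
    "basic.get": ("read", "queue"),
}


def permitted(perms, method, exchange=None, queue=None):
    """Return (allowed, resource_name_checked) for one operation."""
    permission, kind = CHECKS[method]
    name = exchange if kind == "exchange" else queue
    # The default exchange is named "" on the wire; for permission checks
    # the broker uses the name "amq.default".
    if kind == "exchange" and name == "":
        name = "amq.default"
    # An empty pattern is a synonym for '^$' (matches no named resource).
    pattern = perms[permission] or "^$"
    # Patterns are searched, not implicitly anchored.
    return re.search(pattern, name) is not None, name


def run_post_tests(perms):
    """The four tests from the post; for publishes, queue is the routing key."""
    tests = [
        ("1 publish nf_to_da", "basic.publish", "", "nf_to_da"),
        ("2 read da_to_nf", "basic.consume", "", "da_to_nf"),
        ("3 publish da_to_nf", "basic.publish", "", "da_to_nf"),
        ("4 read nf_to_da", "basic.consume", "", "nf_to_da"),
    ]
    return {label: permitted(perms, m, exchange=e, queue=q) for label, m, e, q in tests}


if __name__ == "__main__":
    for label, (ok, checked) in run_post_tests(PERMS).items():
        print(f"{label:22} checked against {checked!r:14} -> {'allowed' if ok else 'refused'}")
```

In this model the routing key (the queue name) is never consulted for `basic.publish`, so the `amq\.default` alternative in the write pattern is what admits tests 1 and 3.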


