[rabbitmq-discuss] Advanced per-user authorization

Emile Joubert emile at rabbitmq.com
Wed Nov 21 16:32:59 GMT 2012


Hi Jonas,

On 21/11/12 14:40, Jonas Schwertfeger wrote:
> The way I would solve this is by having the producer create a topic
> exchange per user and only give that particular user the right to bind
> its queues against it. Private messages would be published to the target
> user's topic exchange while public messages would be published to amq.topic.
>
> Is this secure or am I missing something?

This question was followed up by a conversation on IRC where you 
mentioned that consumers would connect using MQTT. It is currently only 
possible to use one topic exchange via the RabbitMQ MQTT adapter, so any 
authentication mechanism relying on different exchange permissions won't 
work.

Other MQTT brokers solve this problem by granting permissions to 
different parts of the topic hierarchy in a static ACL configuration 
file (e.g. RSMB does this). Unfortunately RabbitMQ does not currently 
offer the granularity of access control that allows you to grant access 
based on routing key patterns.

You could use public key encryption to prevent eavesdropping. Private 
messages could be encrypted so that only the intended recipient can 
decrypt them. Though this does run counter to the light-weight nature of MQTT.

-Emile
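The workaround Emile sketches (encrypt private messages so that only the intended recipient can read them, even though every MQTT consumer shares one topic exchange) worked through as an added example. This is not code from the thread, from RabbitMQ or from its MQTT adapter; it is a hybrid scheme of my own choosing: a fresh AES-256-GCM key per message, wrapped with the recipient's RSA-OAEP public key, with the MQTT topic string used as GCM associated data so a ciphertext re-published under a different topic fails to open. The `Envelope` struct, the OAEP label and the topic names are assumptions made for the example, not an existing wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel is an arbitrary domain-separation label chosen for this example.
var oaepLabel = []byte("mqtt-private-message-v1")

// Envelope is what the producer publishes to the shared topic exchange.
// Constructed for this example; it is not a RabbitMQ or MQTT wire format.
type Envelope struct {
	WrappedKey []byte // per-message AES key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext with the authentication tag appended
}

// NewKeyPair generates a recipient key pair (assumed to be provisioned
// out of band; the broker never sees the private half).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext so that only the holder of the matching private key
// can recover it. The topic is bound as associated data, so the ciphertext is
// only valid when delivered on the topic the producer intended.
func Seal(recipient *rsa.PublicKey, topic string, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(topic))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is run by the consumer. It fails if the message was not addressed to
// this key, if the payload was modified, or if it arrived on the wrong topic.
func Open(priv *rsa.PrivateKey, topic string, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("message is not addressed to this key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(topic))
	if err != nil {
		return nil, errors.New("payload tampered with or delivered on the wrong topic")
	}
	return pt, nil
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	// Constructed example: a private message for alice on her topic.
	env, _ := Seal(&alice.PublicKey, "users/alice/private", []byte("meet at 10"))
	pt, err := Open(alice, "users/alice/private", env)
	fmt.Printf("alice: %q err=%v\n", pt, err)
	_, err = Open(bob, "users/alice/private", env)
	fmt.Println("bob:", err)
}
```

What this does and does not buy: a consumer who can subscribe to `users/alice/#` through the single topic exchange still receives the envelope, but cannot recover the plaintext without Alice's private key, and cannot forward it to another topic undetected because the topic is authenticated. The topic name itself, message sizes and timing remain visible to the broker and to any over-broad subscriber, and each message carries a 256-byte RSA wrapped key on top of the GCM tag, which is the weight Emile alludes to.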
