[rabbitmq-discuss] Advanced per-user authorization
Emile Joubert
emile at rabbitmq.com
Wed Nov 21 16:32:59 GMT 2012
Hi Jonas,
On 21/11/12 14:40, Jonas Schwertfeger wrote:
> The way I would solve this is by having the producer create a topic
> exchange per user and only give that particular user the right to bind
> its queues against it. Private messages would be published to the target
> user's topic exchange while public messages would be published to amq.topic.
>
> Is this secure or am I missing something?
This question was followed up by a conversation on IRC where you
mentioned that consumers would connect using MQTT. It is currently only
possible to use one topic exchange via the RabbitMQ MQTT adapter, so any
authentication mechanism relying on different exchange permissions won't
work.
Other MQTT brokers solve this problem by granting permissions to
different parts of the topic hierarchy in a static ACL configuration
file (e.g. RSMB does this). Unfortunately RabbitMQ does not currently
offer the granularity of access control that allows you to grant access
based on routing key patterns.
You could use public key encryption to prevent eavesdropping. Private
messages could be encrypted so that only the intended recipient can
decrypt them. Though this does run counter to the lightweight nature of MQTT.
-Emile
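As an added illustration of the distinction drawn above (this is example code written for this page, not code from Emile, RabbitMQ or RSMB), the following Python models the two authorization styles side by side: RabbitMQ-style permissions, which are regexes matched against the name of an exchange or queue, and a static topic ACL in the style of other MQTT brokers, which is matched against the topic (routing key) itself with `+` and `#` wildcards. All user names, exchange and queue names, and ACL entries are made up for the example, and the permission model is a simplification rather than the broker's actual implementation.

```python
import re
from typing import Dict, List, Tuple

# Constructed example (not RabbitMQ's or RSMB's code): two toy authorization
# models that make the difference discussed in the thread concrete.

# --- Model 1: RabbitMQ-style resource permissions ---------------------------
# Each user gets (configure, write, read) regexes matched against the NAME of
# the exchange or queue. The names and patterns below are invented.
RESOURCE_PERMISSIONS: Dict[str, Tuple[str, str, str]] = {
    "alice": (r"mq\.alice", r"mq\.alice", r"user\.alice|amq\.topic"),
    "bob":   (r"mq\.bob",   r"mq\.bob",   r"user\.bob|amq\.topic"),
}


def resource_allows(user: str, op: str, resource: str) -> bool:
    """True if the user's regex for `op` matches the whole resource name."""
    configure, write, read = RESOURCE_PERMISSIONS.get(user, ("", "", ""))
    pattern = {"configure": configure, "write": write, "read": read}[op]
    return bool(pattern) and re.fullmatch(pattern, resource) is not None


def rabbit_can_bind(user: str, queue: str, exchange: str, binding_key: str) -> bool:
    """Binding needs write permission on the queue and read permission on the exchange.

    The binding key is deliberately unused: resource permissions never look at
    it, which is the gap the thread describes once every consumer has to share
    a single topic exchange (as with the MQTT adapter).
    """
    return resource_allows(user, "write", queue) and resource_allows(user, "read", exchange)


# --- Model 2: static topic ACL with MQTT-style wildcards ---------------------
# Filters use '/' separators, '+' for exactly one level and '#' for the rest.
TOPIC_ACL: Dict[str, Dict[str, List[str]]] = {
    "alice": {"read": ["users/alice/#", "public/#"], "write": ["public/#", "users/+/inbox"]},
    "bob":   {"read": ["users/bob/#",   "public/#"], "write": ["public/#", "users/+/inbox"]},
}


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT-style match: '+' matches one level, '#' matches the remainder (possibly empty)."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return True
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


def topic_allows(user: str, access: str, topic: str) -> bool:
    """True if any ACL filter granted to the user for `access` matches the topic."""
    filters = TOPIC_ACL.get(user, {}).get(access, [])
    return any(topic_matches(f, topic) for f in filters)


if __name__ == "__main__":
    # Per-user exchanges isolate users at the exchange level...
    print(rabbit_can_bind("bob", "mq.bob", "user.alice", "#"))              # False
    # ...but on one shared exchange the binding key is never consulted.
    print(rabbit_can_bind("bob", "mq.bob", "amq.topic", "users.alice.#"))  # True
    # A topic ACL decides per topic / routing key instead.
    print(topic_allows("bob", "read", "users/alice/inbox"))                # False
    print(topic_allows("alice", "read", "users/alice/inbox"))              # True
```

The first model is enough when each user has a private exchange to bind against, which is the design Jonas proposed; the second is what a routing-key-granular ACL would have to look like, and it is the part the resource-name regexes cannot express.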