[rabbitmq-discuss] rabbit_auth_backend_ldap granular permissions?

Jared Kauppila jared at kauppi.la
Wed Aug 7 04:05:11 BST 2013


Greetings,

I was curious how granular you can get when setting permissions using the
rabbit_auth_backend_ldap plugin? Is it possible to define permissions to a
particular vhost/exchange/queue explicitly defining these resources and the
AD groups that have access to them in the config? Our current use case is
defining static exchanges and queues and restricting access to those
resources via AD groups that would grant developers and service accounts
access per development group. We will have a number of applications that
will push messages to the exchanges, with another set of applications
consuming these messages via their own queue. We would ideally restrict
access to each queue per its defined app, likewise for the exchanges.

It looks like this is achievable fairly easily using the baked-in user
accounts, can this be defined for LDAP groups/users and resources?

It was discussed some here,
http://rabbitmq.1065348.n5.nabble.com/Per-queue-exchange-ACL-via-LDAP-plugin-td25331.html,
which shows how to match a queue to a username. Is it not possible for group
membership or explicitly defining the resource and group?

Thanks,

Jared