[rabbitmq-discuss] rabbit_auth_backend_ldap granular permissions?

Simon MacMullen simon at rabbitmq.com
Thu Aug 8 11:41:53 BST 2013


I'm not quite sure what you're asking, but if you want to create a group 
for each queue you could do something like:

{resource_access_query,
  {for,
   [{resource, queue,
     {for,
      [{permission, configure, {constant, false}},
       {permission, write,
        {in_group, "cn=access-${name},ou=groups,dc=example,dc=com"}},
         <etc>

- then to write to "myqueue" the user would need to be in the group 
"cn=access-myqueue,ou=groups,dc=example,dc=com".

Alternatively, if you want to statically list the queue -> group 
mapping, you could do something like:

{resource_access_query,
  {for,
   [{resource, queue,
     {for,
      [{permission, configure, {constant, false}},
       {permission, write,
        {for,
         [{name, <<"queue1">>,
           {in_group, "cn=simonsqueue,ou=groups,dc=example,dc=com"}},
          {name, <<"queue2">>,
           {in_group, "cn=anotherqueue,ou=groups,dc=example,dc=com"}}]}}]}}]}}

Cheers, Simon


On 07/08/2013 4:05AM, Jared Kauppila wrote:
> Greetings,
>
> I was curious how granularly you can set permissions using the
> rabbit_auth_backend_ldap plugin? Is it possible to define permissions to
> a particular vhost/exchange/queue explicitly defining these resources
> and the AD groups that have access to them in the config? Our current
> use case is defining static exchanges and queues and restricting access
> to those resources via AD groups that would grant developers and service
> accounts access per development group. We will have a number of
> applications that will push messages to the exchanges, with another set
> of applications consuming these messages via their own queue. We would
> ideally restrict access to each queue per its defined app, likewise for
> the exchanges.
>
> It looks like this is achievable fairly easily using the baked-in user
> accounts; can this be defined for LDAP groups/users and resources?
>
> It was discussed some here,
> http://rabbitmq.1065348.n5.nabble.com/Per-queue-exchange-ACL-via-LDAP-plugin-td25331.html,
> which shows how to match queue to a username. Is it not possible for
> group membership or explicitly defining the resource and group?
>
> Thanks,
>
> Jared

-- 
Simon MacMullen
RabbitMQ, Pivotal
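The following is a complete rabbitmq.config fragment that applies the group-per-resource pattern from Simon's reply to both exchanges and queues, written here as an added illustration; it is not code from the thread or from the plugin's documentation. The LDAP server name, the user DN pattern, the group naming scheme (publish-<exchange>, consume-<queue>, rabbit-<vhost>) and the fallback to the internal backend are all assumptions.

```erlang
%% rabbitmq.config (classic Erlang-term format). Added example; the host,
%% DN patterns and group names are assumptions, not values from the thread.
[
 {rabbit,
  %% Try LDAP first; fall back to internal users (e.g. an admin account
  %% that pre-declares the static exchanges, queues and bindings).
  [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},

 {rabbitmq_auth_backend_ldap,
  [{servers, ["ldap.example.com"]},
   {user_dn_pattern, "cn=${username},ou=People,dc=example,dc=com"},

   %% One group per vhost: a user may only connect to vhosts whose group
   %% lists them as a member.
   {vhost_access_query,
    {in_group, "cn=rabbit-${vhost},ou=groups,dc=example,dc=com"}},

   %% Default-deny resource policy: nothing may be declared or deleted by
   %% LDAP users (configure is always false), publishing to an exchange
   %% requires membership of publish-<exchange name>, and consuming from a
   %% queue requires membership of consume-<queue name>.
   {resource_access_query,
    {for,
     [{resource, exchange,
       {for,
        [{permission, configure, {constant, false}},
         {permission, write,
          {in_group, "cn=publish-${name},ou=groups,dc=example,dc=com"}},
         {permission, read, {constant, false}}]}},
      {resource, queue,
       {for,
        [{permission, configure, {constant, false}},
         {permission, write, {constant, false}},
         {permission, read,
          {in_group, "cn=consume-${name},ou=groups,dc=example,dc=com"}}]}}]}},

   %% No LDAP user gets management tags; administration stays with the
   %% internal backend.
   {tag_queries, [{administrator, {constant, false}}]}
  ]}
].
```

Two points to keep in mind with this shape of policy. First, `configure` being false for every LDAP user means the exchanges, queues and bindings have to exist before the applications connect; binding a queue to an exchange needs `write` on the queue and `read` on the exchange, which this policy also denies, so the bindings must be created by the internal admin account. Second, `${name}` is interpolated into a group DN, so keep exchange and queue names to characters that are valid in an RDN value and check that every static resource has a matching group, since a missing group simply results in the permission being refused.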