[rabbitmq-discuss] Per-queue/exchange ACL via LDAP plugin

SteveO steveolivier22 at gmail.com
Fri Mar 8 16:53:23 GMT 2013


Assuming I had local database users named Test1 and Test2, I could ensure
that only user Test1 could consume from queues starting with the name
"Test1" and only user Test2 could consume from queues starting with the name
"Test2" by doing the following...

rabbitmqctl set_permissions -p /myvhost Test1 ".*" ".*" "^Test1.*"
rabbitmqctl set_permissions -p /myvhost Test2 ".*" ".*" "^Test2.*"

Hopefully my understanding is correct. Please let me know if I am way off :)
It seems to be working to my understanding with the tests I have run.

What I wanted to do was apply similar logic when using LDAP A/A. If the
user was matched by user_dn or by group membership, that's fine. I preferred
the group membership, but would settle for user_dn. The "Test1" queue name
was certainly an example. If "Test1" was considered a prefix to the queue
name or the queue name itself, that's fine as well. 

Under the "resource_access_query" section in the readme here...

https://github.com/rabbitmq/rabbitmq-auth-backend-ldap/blob/master/README-authorisation

...how does the ${name} parameter work? That's how I thought I'd make this
happen, but my attempts have flailed so far.

thanks

s

--
View this message in context: http://rabbitmq.1065348.n5.nabble.com/Per-queue-exchange-ACL-via-LDAP-plugin-tp25331p25343.html
Sent from the RabbitMQ mailing list archive at Nabble.com.
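
The two set_permissions calls from the message, modelled as an added example (not part of the original post and not RabbitMQ's own code): it evaluates the configure/write/read patterns as an unanchored regex search, for a subset of operations taken from RabbitMQ's access-control documentation. Resource names such as Test1.orders are constructed for illustration.

```python
import re

# Permission required per operation (subset, from the RabbitMQ
# access-control documentation). The resource is a queue unless noted.
REQUIRED = {
    "queue.declare": "configure",
    "queue.delete": "configure",
    "queue.purge": "read",
    "basic.consume": "read",
    "basic.get": "read",
    "basic.publish": "write",  # checked against the exchange name
}

# (configure, write, read) exactly as passed to set_permissions in the message.
PERMISSIONS = {
    "Test1": (".*", ".*", "^Test1.*"),
    "Test2": (".*", ".*", "^Test2.*"),
}


def allowed(user, operation, resource):
    """Return True if `user` may perform `operation` on the named resource."""
    perms = PERMISSIONS.get(user)
    if perms is None:
        return False  # no permissions set for this user in the vhost
    pattern = dict(zip(("configure", "write", "read"), perms))[REQUIRED[operation]]
    # An empty pattern is treated as '^$'; matching is an unanchored search.
    return re.search(pattern or "^$", resource) is not None


def audit(user, resources):
    """List every (operation, resource) pair the user is allowed, for review."""
    return sorted((op, r) for op in REQUIRED for r in resources
                  if allowed(user, op, r))


if __name__ == "__main__":
    for user in PERMISSIONS:
        print(user, audit(user, ["Test1.orders", "Test2.orders", "Test10.orders"]))
```

The audit output shows what the read pattern alone does not restrict: with ".*" for configure, Test2 can still declare or delete Test1's queues, and "^Test1.*" also covers names such as Test10.orders.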

