[rabbitmq-discuss] Multi vhost access with static LDAP
MyOwnFitness
myownfitness at gmail.com
Tue Oct 8 20:34:55 BST 2013
Hey Everyone!
I have been trying to figure this out for a couple days, and have made
progress due to this post:
http://rabbitmq.1065348.n5.nabble.com/Per-queue-exchange-ACL-via-LDAP-plugin-td25331.html
I guess my question stems from that post.
I currently have multiple users and vhosts. Some users need to read queues
on different vhosts and some need to configure the vhost. At the bottom
the tag_queries works, but I need to remove management.
Here is what I was hoping to get help with:
1. I need to be able to have TestUser2 configure queues, exchanges, etc.
on vhost "One_".
The easy:
2. TestUser3 to read the queues from "One_" (easy).
Now the twist:
3. TestUser4 is on a different vhost "Sec_" that should be able to
configure, and they should have no access to "One_" vhost, they will also
have another user consuming.
My question is how do I separate the two vhosts in the config file, and
still maintain access control?
Do I have 2 "vhost_access_query"? But then how do I set the permissions for
each?
** Also, all LDAP is 100% static, I cannot add groups or attributes. **
Here is the sample of the excerpt from my rabbitmq.conf:
 {rabbitmq_auth_backend_ldap,
  [{servers, ["ldap_server.com"]},
   {user_dn_pattern, "cn=${username},ou=System,dc=Test"},
   {use_ssl, true},
   {ssl_options, [{certfile, "/etc/rabbitmq/ssl/test.cer"}]},
   {port, 443},
   {log, true},
   {other_bind, as_user},
   {resource_access_query,
    {for, [%% exchanges: deny every permission
           {resource, exchange, {constant, false}},
           %% queues: deny configure and write, allow read for one user
           {resource, queue,
            {for, [{permission, configure, {constant, false}},
                   {permission, write, {constant, false}},
                   {permission, read,
                    {match, {string, "TestUser3"},
                            {string, "^${username}"}}}]}}]}},
   %% administrator tag for one user
   {tag_queries, [{administrator, {match, {string, "TestUser1"},
                                          {string, "^${username}"}}}]}
  ]}

As always, thank you for any help or direction you can point me in!
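An added example, not part of the original post and not the plugin's code: a small Python model of how the constant, match and for queries used in the config above pick a rule, applied to the access matrix the post describes by branching on vhost. The evaluation semantics, the helpers `users`, `perms` and `allowed`, branching a for query on vhost, and denying write everywhere are assumptions. The test also shows that the posted `^${username}` pattern, which has no end anchor, accepts any username that is a prefix of TestUser3.

```python
import re

def substitute(template, args):
    # Fill ${name} placeholders from the request being authorised.
    return re.sub(r"\$\{(\w+)\}", lambda m: args[m.group(1)], template)

def evaluate(query, args):
    # Simplified model (an assumption) of constant / match / for evaluation.
    kind = query[0]
    if kind == "constant":
        return query[1]
    if kind == "match":  # regex search of the second string within the first
        subject, pattern = (substitute(q[1], args) for q in query[1:3])
        return re.search(pattern, subject) is not None
    if kind == "for":  # first branch whose variable equals the value decides
        for name, value, sub in query[1]:
            if args[name] == value:
                return evaluate(sub, args)
        return False  # no branch for this value: deny
    raise ValueError(f"unsupported query: {kind}")

def users(*names):
    # Hypothetical helper: anchored at both ends so only exact names match.
    return ("match", ("string", "${username}"),
            ("string", "^(" + "|".join(names) + ")$"))

def perms(configure, write, read):
    # Hypothetical helper: one subquery per permission.
    return ("for", [("permission", "configure", configure),
                    ("permission", "write", write),
                    ("permission", "read", read)])

DENY = ("constant", False)
# The read rule from the posted config: the username is spliced into the regex.
POSTED_READ = ("match", ("string", "TestUser3"), ("string", "^${username}"))

# Access matrix from the post, one branch per vhost (write denied by assumption).
VHOST_ACCESS = ("for", [("vhost", "One_", users("TestUser2", "TestUser3")),
                        ("vhost", "Sec_", users("TestUser4"))])
RESOURCE_ACCESS = ("for", [
    ("vhost", "One_", perms(users("TestUser2"), DENY, users("TestUser3"))),
    ("vhost", "Sec_", perms(users("TestUser4"), DENY, DENY))])

def allowed(username, vhost, permission):
    args = {"username": username, "vhost": vhost, "permission": permission}
    return evaluate(VHOST_ACCESS, args) and evaluate(RESOURCE_ACCESS, args)
```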