[rabbitmq-discuss] Fine-grained LDAP access to resources
James McClelland
jamesmcc at gmail.com
Fri Sep 20 22:35:08 BST 2013
Hello,
I'm in the process of configuring RabbitMQ to leverage LDAP. I have it
configured and working but I'm now looking to lock down the access using a
finer grain. Right now I'm doing this for resource control:
    {permission, configure,
     {for, [
       {resource, queue,
        {in_group, "CN=rmq-${vhost}-queue,OU=xxx,OU=xxx,DC=xxx,DC=xxx"}}]}}
Using this method, anyone in a matching group can create any queue anywhere
inside the vhost. What I'd like is to provide them access to create queues
only with a specific prefix based on group name.
It seems you could kind of do this by using CN=rmq-${vhost}-${name}-queue
but that would expand to the full resource name and would require multiple
LDAP groups for every single object in the vhost which quickly becomes
maintainable and non-dynamic.
I'm wondering if there's some way I could get functionality similar to
{in_group, CN=rmq-${vhost}-${prefix}-queue} where ${prefix} is the first
token in a period-delimited string.
Any thoughts?
Thank you,
James M.
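
The group DNs that each pattern in the message above would require, modelled in Python as an added example (not part of the original post and not the LDAP plugin's code). The vhost, queue names and group membership are constructed, `${prefix}` is the poster's proposed variable rather than an existing one, and comparing DNs as plain strings is a simplification.

```python
from string import Template

# Constructed sample data: one vhost and its period-delimited queue names.
VHOST = "prod"
QUEUES = ["billing.invoices", "billing.refunds",
          "orders.new", "orders.retry", "orders.dead"]

BASE = ",OU=xxx,OU=xxx,DC=xxx,DC=xxx"
# Group DN patterns from the message. ${prefix} is the variable the poster
# asks for; it is hypothetical here, not something the plugin is known to offer.
PER_VHOST = "CN=rmq-${vhost}-queue" + BASE
PER_NAME = "CN=rmq-${vhost}-${name}-queue" + BASE
PER_PREFIX = "CN=rmq-${vhost}-${prefix}-queue" + BASE


def expand(pattern, vhost, name):
    """Fill in a group DN pattern for one resource in one vhost."""
    prefix = name.split(".", 1)[0]  # first token of the period-delimited name
    return Template(pattern).substitute(vhost=vhost, name=name, prefix=prefix)


def groups_required(pattern, vhost, names):
    """Distinct LDAP groups an administrator must maintain for these queues."""
    return sorted({expand(pattern, vhost, n) for n in names})


def may_configure(pattern, vhost, name, member_of):
    """Model of in_group: is the expanded DN one of the user's groups?"""
    return expand(pattern, vhost, name) in member_of


if __name__ == "__main__":
    for label, pattern in [("per-vhost", PER_VHOST), ("per-name", PER_NAME),
                           ("per-prefix", PER_PREFIX)]:
        print(label, len(groups_required(pattern, VHOST, QUEUES)), "group(s)")
    # Constructed user who belongs only to the billing prefix group.
    user_groups = {expand(PER_PREFIX, VHOST, "billing.anything")}
    for q in QUEUES:
        print(q, may_configure(PER_PREFIX, VHOST, q, user_groups))
```

With the per-vhost pattern one group grants configure on every queue in the vhost, the per-name pattern needs one group per queue, and the per-prefix pattern needs one group per name prefix.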