Hi, Nybras:<br><br><div class="gmail_quote">On Sat, Jan 26, 2013 at 11:27 AM, nybras <span dir="ltr"><<a href="mailto:brettflitter@gmail.com" target="_blank">brettflitter@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi I don't really understand how to use the regular expressions to dictate<br>
what the user can and can't do in the management plugin.<br></blockquote><div><br></div><div>Please see here: �<a href="http://www.rabbitmq.com/management.html">http://www.rabbitmq.com/management.html</a></div><div><br>
</div><div>Note also, that things changed and became a bit more flexibly a few versions ago.</div><div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm also not really sure about how to go about security. At the moment I've<br>
created an app which connects just through one account (admin/root account)<br>
with no permission restrictions which I'm guessing is not good.</blockquote><div><br></div><div>Probably not. �You'd want to create a user account for that app, and then adorn it with the permissions needed to perform the various AMQP operations it needs to perform as it goes about its business.</div>
<div><br></div><div>See here for summary information: �<a href="http://www.rabbitmq.com/access-control.html">http://www.rabbitmq.com/access-control.html</a></div><div><br></div><div>Note that rather than an ACL, listing who can do a thing to an AMQP object, the permissions model works the other direction, perhaps slightly more akin to a bare bones capabilities system.</div>
<div><br></div><div>In the Rabbit model, a user has configure, read and write permissions. �Associated with each is a regex naming the resources that the user is allowed to configure/read/write. �Each AMQP command requires the resource it's trying to operate on to match the appropriate permission regex as summarized in the table at�<a href="http://www.rabbitmq.com/access-control.html">http://www.rabbitmq.com/access-control.html</a></div>
<div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> �Do I create<br>
a 'user' account for each new user that uses my app or I do I create one<br>
'user' account with restricted permissions that all users can connect<br>
through??<br></blockquote><div><br></div><div>That depends on your application. �If the users of your messaging system really need disparate and partitioned access control, you may have to create multiple accounts. �Otherwise, it's common to see multiple logical applications in a broker (e.g. payment processing, status updates, etc.) and to perhaps create a user per logical app with suitable permissions, assuming of course there isn't going to be a single user whose concerns span the entities of both. �You can also segregate at the virtual host level which is an even sharper division.</div>
<div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've started using the http API so I can make requests to see how many<br>
bindings a user has made which is also currently being accessed through this<br>
'one admin account', should I just create a basic user account to allow<br>
these GET requests? Again I don't understand what to do with the regular<br>
expressions.<br></blockquote><div><br></div><div>For access to management capabilities themselves, things are a bit different. �The management plugin extends the basic AMQP permissions model up above and allows arbitrary tags to be attached to users. �The management plugin respects tags called "management", "monitoring" and "administrator," each of which has different powers over administrative functions as summarized at: �<a href="http://www.rabbitmq.com/management.html">http://www.rabbitmq.com/management.html</a></div>
<div><br></div><div>Give those links a look, see how well they digest, and by all means return if you have further questions!</div><div><br></div><div>Best regards,</div><div>Jerry</div><div><br></div></div>