Hi, Nybras...<br><br>You're still a bit turned around...<div><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">That's great thank you very much. So if I wanted allow my users to only:<br>
</blockquote><div><br></div><div>Consulting the table at: �<a href="http://www.rabbitmq.com/access-control.html">http://www.rabbitmq.com/access-control.html</a></div><div><br></div><div>We see...</div><div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
queue.bind</blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
queue.unbind<br></blockquote><div><br></div><div>Both require you to be able to write the queue and read the exchange.</div><div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
basic.get�</blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
basic.consume<br></blockquote><div><br></div><div>Both requires you to be able to read the queue.</div><div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Would I create a user account (say 'users') and fill in regex parts (im<br>
creating this in the Management Plugin)<br>
Write regexp = '^amq\.queue.bind|amq\.queue.unbind$'<br>
Read regexp = '^amq\.basic.get|amq\.basic.consume$'<br>
<br>Or have I completely misunderstood this?<br></blockquote><div><br></div><div>Your regexes are referring to the names of AMQP operations. �The regexes are supposed to match the names of the entities on which you're granting those permissions (whether they exist yet or not).</div>
<div><br></div><div>So suppose you wanted a user to be able to bind a queue named "fooqueue" to an exchange named "barexchange". �Then you need to do a queue.bind you need to make sure that whatever write permission regex you've given the user will match "fooqueue" and that whatever read permission you've given the user will match the name "barexchange."</div>
<div><br></div><div>Naturally this requires a bit of planning of your namespace.</div><div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">My app is a publish/subscribe scenario where each user has their very own<br>
queue with multiple binds to various exchanges (the producers).</blockquote><div><br></div><div>Then a user coming in would need the configure permission with regex including whatever name he plans to queue.declare his queues under, a read regex that includes the names of those exchanges to which he may want to bind things, and a write regex that includes the name of the queue he wishes to bind.</div>
<div>�</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I'm guessing<br>
to allow users to only consume from their own queue I would have to create a<br>
user account for each user of the app. Or I could randomly generate queue<br>
names for each user so that these queue names could not be guessed (which<br>
would be secure enough)??<br></blockquote><div><br></div><div>You certainly could do per user permissioning that only grants appropriate permissions on resources that match a naming convention of your devising. �I'd suggest you avoid the "generate obscure queue names" as a security policy. You might also consider declaring *exclusive* queues which can only be used by the declaring consumer. �Mixing those with the *auto-delete* property can be a convenient way to make transient, private queues that will go away when your consumer departs, which might be nice from a resource management standpoint if you have a lot of distinct user identities in the mix.</div>
<div><br></div><div>Best regards,</div><div>Jerry</div><div>�</div></div></div>