[rabbitmq-discuss] AMQP Permission Granularity

Ben Hood 0x6e6562 at gmail.com
Thu Aug 6 11:33:57 BST 2009


On Thu, Aug 6, 2009 at 1:57 AM, tsuraan <tsuraan at gmail.com> wrote:
> Suppose I want to use AMQP to replace RSS (real-time feeds only
> though, no history).  Ideally, anybody on the entire 'net would be
> able to connect to my Rabbit server and create a queue that's bound to
> my "RSS" exchange.  That queue would be temporary and exclusive, so
> its lifetime is tied to the client's connection.  Is there any way, in
> Rabbit, to create a user that only has the ability to create temporary
> exclusive queues, and to bind those queues to an exchange?
> It doesn't look like Rabbit's permissions really have this sort of
> usage in mind, but I thought I'd ask just to be sure.

No, the privileges for declaring queues are not fine grained enough to
do something like this.

You could define permissions to prevent binding based on a regex, but
it seems that your issue is preventing access based on type as opposed
to names. One option may be to use a strong name for the exchange, but
I don't know if that will work in your case.

For note, there was a discussion when we did the permission mechanism
about whether to go for a simple ACL scheme as opposed to user-defined
capabilities - for simplicity's sake we opted for the former.
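
The name-versus-type limitation described in the reply above, as an added example that is not part of the original thread and is not RabbitMQ code: a small Python model of a regex ACL check, showing which requests a name pattern can refuse and which it cannot tell apart. The operation-to-permission mapping follows RabbitMQ's configure/write/read model; the `rss.sub.` queue prefix, the `SUBSCRIBER` patterns and the `allowed` helper are assumptions made for illustration.

```python
import re

# Permissions each operation needs under RabbitMQ's configure/write/read
# model, as (permission, kind of resource whose name is checked).
REQUIRED = {
    "queue.declare": [("configure", "queue")],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
    "basic.consume": [("read", "queue")],
    "basic.publish": [("write", "exchange")],
}

# Constructed ACL for an anonymous subscriber. The "rss.sub." prefix is an
# assumed naming convention, not something RabbitMQ defines.
SUBSCRIBER = {
    "configure": r"^rss\.sub\..+$",
    "write": r"^rss\.sub\..+$",
    "read": r"^(rss\.sub\..+|RSS)$",
}


def allowed(acl, op, queue="", exchange="", **attributes):
    """Return True if every resource name involved in `op` matches the ACL.

    `attributes` (exclusive, durable, auto_delete, ...) are accepted and
    ignored on purpose: a name-based ACL has no access to them.
    """
    names = {"queue": queue, "exchange": exchange}
    return all(re.search(acl[perm], names[kind]) is not None
               for perm, kind in REQUIRED[op])


def demo():
    q = "rss.sub.client-42"  # constructed queue name
    return {
        "temp_exclusive": allowed(SUBSCRIBER, "queue.declare", queue=q,
                                  exclusive=True, auto_delete=True),
        "durable_shared": allowed(SUBSCRIBER, "queue.declare", queue=q,
                                  exclusive=False, durable=True),
        "other_queue": allowed(SUBSCRIBER, "queue.declare", queue="orders"),
        "bind_to_rss": allowed(SUBSCRIBER, "queue.bind", queue=q, exchange="RSS"),
        "bind_to_other": allowed(SUBSCRIBER, "queue.bind", queue=q, exchange="billing"),
        "consume": allowed(SUBSCRIBER, "basic.consume", queue=q),
        "publish_to_rss": allowed(SUBSCRIBER, "basic.publish", exchange="RSS"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15} {'allowed' if ok else 'refused'}")
```

The `temp_exclusive` and `durable_shared` cases get the same answer because only the queue name reaches the check, so the patterns can keep a subscriber away from other exchanges and queues but cannot require that the queue be temporary and exclusive.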

