[rabbitmq-discuss] ACLs

Ben Hood 0x6e6562 at gmail.com
Thu Jan 22 23:14:10 GMT 2009


Dear List,

Those of you who have been following the recent discussion about ACLs may
be interested in the merge of the new ACL functionality into the
server mainline.

This will go out as part of the next major release.

For now, you can access this from the default branch in hg.

I've attached a synopsis of the new functionality.

Thanks go to Matthias for getting this done so quickly.

Ben

--snip--

Access control

When an AMQP client establishes a connection to an AMQP server, it
specifies a virtual host within which it intends to operate. A first
level of access control is enforced at this point, with the server
checking whether the user has any permissions to access the virtual
hosts, and rejecting the connection attempt otherwise.

Resources, i.e. exchanges and queues, are named entities inside a
particular virtual host; the same name denotes a different resource in
each virtual host. A second level of access control is enforced when
certain operations are performed on resources.

RabbitMQ distinguishes between configuration and messaging operations
on a resource. The former alter the messaging topology. Examples are
exchange and queue declaration and binding. The latter involve
messaging operations such as publication, setting up consumers, and
purging queues.

In order to perform an operation on a resource the user must have been
granted the appropriate permissions for it. The permissions are
expressed as a pair of regular expressions - one for configuration and
one for messaging - on a per-vhost basis. The user is granted the
respective permission for operations on all resources with names
matching the regular expressions. (Note: For convenience RabbitMQ maps
AMQP's default exchange's blank name to 'amq.default' when performing
permission checks.)

Some AMQP operations can create resources with server-generated names.
Every user has configuration and messaging permissions for such
resources. However, the names are strong and not discoverable as part
of the protocol, only through management functionality. Therefore
these resources are in effect private to the user unless they choose
to divulge their names to other users.

Creating a virtual host

rabbitmqctl add_vhost vhostpath

vhostpath
    The name of the virtual host entry to create.

For example:

rabbitmqctl add_vhost test

This command instructs the RabbitMQ broker to create a new virtual
host called test.

Deleting a virtual host

rabbitmqctl delete_vhost vhostpath

vhostpath
    The name of the virtual host entry to delete.

Deleting a virtual host deletes all its exchanges, queues, user
mappings and associated permissions.

For example:

rabbitmqctl delete_vhost test

This command instructs the RabbitMQ broker to delete the virtual host
called test.

Listing virtual hosts

rabbitmqctl list_vhosts

For example:

rabbitmqctl list_vhosts

This command instructs the RabbitMQ broker to list all virtual hosts.

Setting user permissions

rabbitmqctl set_permissions [-p vhostpath] username regexp regexp

vhostpath
    The name of the virtual host to which to grant the user access,
    defaulting to /.
username
    The name of the user to grant access to the specified virtual host.
regexp
    The regular expressions for matching resource names for which the
    user is granted configuration and messaging permissions, respectively.

For example:

rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*"

This command instructs the RabbitMQ broker to grant the user named
tonyg access to the virtual host called /myvhost, with configuration
permissions on all resources whose names start with "tonyg-", and
messaging permissions on all resources.
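The following is an added illustration, not part of the original post or of RabbitMQ's code: a small model of the two-level check described in the access-control section, applied to the tonyg grant above. The permission table and the operation-to-category mapping are constructed for the example, and the model assumes a regular expression must match the whole resource name.

```python
import re
from typing import Dict, Tuple

# Constructed permission table shaped like the rabbitmqctl grant above:
# vhost -> user -> (configuration regexp, messaging regexp)
PERMISSIONS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "/myvhost": {"tonyg": (r"^tonyg-.*", r".*")},
}

# Constructed mapping of AMQP methods to the two RabbitMQ categories:
# configuration operations alter the topology, messaging operations do not.
CONFIGURE_OPS = {"exchange.declare", "queue.declare", "queue.bind"}
MESSAGING_OPS = {"basic.publish", "basic.consume", "queue.purge"}


def can_connect(user: str, vhost: str) -> bool:
    """First level: a connection is accepted only if the user holds any
    permissions on the requested virtual host."""
    return user in PERMISSIONS.get(vhost, {})


def check(user: str, vhost: str, operation: str, resource: str,
          server_generated: bool = False) -> bool:
    """Second level: decide whether `operation` on `resource` is allowed."""
    if not can_connect(user, vhost):
        return False
    # Every user has both permissions on server-generated names; the
    # names are private simply because they are not discoverable.
    if server_generated:
        return True
    # The default exchange's blank name is checked as 'amq.default'.
    name = resource if resource else "amq.default"
    configure_re, messaging_re = PERMISSIONS[vhost][user]
    if operation in CONFIGURE_OPS:
        pattern = configure_re
    elif operation in MESSAGING_OPS:
        pattern = messaging_re
    else:
        raise ValueError(f"unknown operation {operation!r}")
    # Assumption of this model: the regexp must match the whole name.
    return re.fullmatch(pattern, name) is not None


def audit(attempts):
    """Return (user, vhost, operation, resource, allowed) for each attempt,
    the way an administrator might review a batch of denied requests."""
    return [(u, v, op, r, check(u, v, op, r)) for (u, v, op, r) in attempts]
```

Note that a blank resource name on a configuration operation is checked as 'amq.default', which the "^tonyg-.*" pattern does not match, while the same blank name on a publish is allowed by ".*".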

Clearing user permissions

rabbitmqctl clear_permissions [-p vhostpath] username

vhostpath
    The name of the virtual host to which to deny the user access,
    defaulting to /.
username
    The name of the user whose access to the specified virtual host is
    to be cleared.

For example:

rabbitmqctl clear_permissions -p /myvhost tonyg

This command instructs the RabbitMQ broker to deny the user named
tonyg access to the virtual host called /myvhost.

Listing permissions in a virtual host

rabbitmqctl list_permissions [-p vhostpath]

vhostpath
    The name of the virtual host for which to list the users that have
    been granted access to it, and their permissions. Defaults to /.

For example:

rabbitmqctl list_permissions -p /myvhost

This command instructs the RabbitMQ broker to list all the users which
have been granted access to the virtual host called /myvhost, and the
permissions they have for operations on resources in that virtual
host.

Listing user permissions

rabbitmqctl list_user_permissions username

username
    The name of the user for which to list the permissions.

For example:

rabbitmqctl list_user_permissions tonyg

This command instructs the RabbitMQ broker to list all the virtual
hosts to which the user named tonyg has been granted access, and the
permissions the user has for operations on resources in these virtual
hosts.