[rabbitmq-discuss] Access control in RabbitMQ 2.0.0

Alexandru Scvorţov alexandru at rabbitmq.com
Thu Aug 26 10:22:01 BST 2010


Hi Jiri,

> 1) You mention that permissions with client scope are enforced only  
> for client-named resources, others for all resources. But which  
> permissions have which scope?

In previous releases, resources with server generated names (i.e.
anything starting with amq.gen) were NOT checked for permissions.  Only
resources with client specified names were.  This is what we now call
``client'' scope permissions.  So,
  - clients can do whatever they want with server-generated names (they
    have full access to amq.gen resources),
  - permissions are enforced only for client named resources (so, you
    can restrict a client from creating named queues, etc.)

Permissions with ``all'' scope are applied to everything -- server-named
resources are NOT treated differently than client-named ones.

The "all" scope gives you a way to specify more fine-grained
permissions, if you need them.  If you don't, you can just do everything as
before.

> 2) Server generated names seem to have prefix "amq.gen-", not  
> "amq.gen.", as stated here.

Actually they just have the prefix "amq.gen", so the only problem is
that the regexp is one character longer than it could be.  Good catch;
we'll fix it.

> 3) The paragraph starting with "The regular expression ^$" seems to be  
> obsolete.

Permissions are regular expressions.  The regular expression "^$"
matches nothing.  The regular expression "" matches everything,
so it would mean allow-everything.  We found this confusing, so "" is now
treated specially to mean "^$".  That paragraph explains this.


Cheers,
Alex

On Thu, Aug 26, 2010 at 10:50:24AM +0200, jiri at krutil.com wrote:
> Hi all
> 
> It seems that the Access Control section of the server Admin Guide [1]  
> has been updated for release 2.0.0. When reading this, I'm confused:
> 
> 1) You mention that permissions with client scope are enforced only  
> for client-named resources, others for all resources. But which  
> permissions have which scope?
> 
> 2) Server generated names seem to have prefix "amq.gen-", not  
> "amq.gen.", as stated here.
> 
> 3) The paragraph starting with "The regular expression ^$" seems to be  
> obsolete.
> 
> Can someone please clarify this?
> 
> Cheers
> Jiri
> 
> 
> [1] http://www.rabbitmq.com/admin-guide.html#access-control
> 
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
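
A small model of the rules described in the reply above, added here as an illustration; it is not RabbitMQ's own code. The function names, the sample resource names and the use of unanchored regex search are assumptions made for the example.

```python
import re

# Prefix of server-generated names, as stated in the reply above.
SERVER_NAME_PREFIX = "amq.gen"


def is_server_named(resource):
    return resource.startswith(SERVER_NAME_PREFIX)


def naive_permitted(pattern, resource):
    """Plain regex check with no special cases (assumed: unanchored search)."""
    return re.search(pattern, resource) is not None


def effective_pattern(pattern):
    """'' as a raw regex matches every name, so it is treated as '^$',
    which matches no non-empty resource name."""
    return "^$" if pattern == "" else pattern


def permitted(scope, pattern, resource):
    """Model of one permission check for the given scope."""
    if scope not in ("client", "all"):
        raise ValueError("scope must be 'client' or 'all'")
    # 'client' scope: server-named resources are not checked at all.
    if scope == "client" and is_server_named(resource):
        return True
    # 'all' scope, or a client-named resource: the regex decides.
    return naive_permitted(effective_pattern(pattern), resource)


if __name__ == "__main__":
    # Constructed sample names and patterns, for illustration only.
    cases = [
        ("client", r"^orders\.", "orders.new"),
        ("client", r"^orders\.", "amq.gen-Xa2"),
        ("all", r"^orders\.", "amq.gen-Xa2"),
        ("all", r"^(orders\.|amq\.gen)", "amq.gen-Xa2"),
        ("client", "", "orders.new"),
        ("client", "", "amq.gen-Xa2"),
    ]
    for scope, pattern, resource in cases:
        verdict = "allow" if permitted(scope, pattern, resource) else "deny"
        print(f"{scope:6} {pattern!r:24} {resource:12} -> {verdict}")
```

The last two cases show that an empty pattern under ``client'' scope denies named resources but still leaves server-named ones open; closing that requires ``all'' scope.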

