[rabbitmq-discuss] Advanced per-user authorization
Jonas Schwertfeger
jschwertfeger at gmail.com
Wed Nov 21 14:40:43 GMT 2012
Hi there,
I'm working on an application where untrusted clients connect to RabbitMQ
as consumers in a pub/sub scheme. Clients can connect either as anonymous
guests or as registered users via username/password.
I have a backend that acts as a producer. The producer publishes two types
of messages:
1) Public messages with information that every client should be able to
consume by binding their queues to the relevant topic exchange and routing
key.
2) Private messages that are targeted at specific users (each message is
targeted at one particular user). Clients should only be able to consume
messages targeted at the user with which they connected.
My question now is, how to best enforce this authorization scheme. It
doesn't seem like RabbitMQ supports authorization based on routing keys but
only on vhosts, exchanges and queues.
The way I would solve this is by having the producer create a topic
exchange per user and only give that particular user the right to bind its
queues against it. Private messages would be published to the target user's
topic exchange while public messages would be published to amq.topic.
Is this secure or am I missing something?
How light-weight are exchanges in RabbitMQ? What does the memory and
computational complexity look like if there are N exchanges? O(1) or worse?
We are not talking about a few hundred users but hundreds of thousands, if
not millions, of users - and hence millions of exchanges.
-Jonas
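
The per-user exchange scheme proposed above, as an added example that is not part of the original post: a small Python model of RabbitMQ's configure/write/read permission regexes for one consumer account, checked against the operations a client could attempt. The `user.<name>` exchange and `q.<name>.<suffix>` queue naming conventions and all function names are assumptions made for illustration.

```python
import re

PUBLIC_EXCHANGE = "amq.topic"

# Permissions each AMQP operation needs, per RabbitMQ's access-control model.
REQUIRED = {
    "exchange.declare": [("configure", "exchange")],
    "queue.declare": [("configure", "queue")],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
    "basic.consume": [("read", "queue")],
    "basic.publish": [("write", "exchange")],
}


def user_exchange(user):
    # Assumed naming convention: one topic exchange per user.
    return "user." + user


def consumer_permissions(user):
    """Return configure/write/read regexes for one consumer account."""
    # Reject names with dots or regex metacharacters so that one user's
    # prefix can never cover another user's resources.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", user):
        raise ValueError("unsupported user name: %r" % user)
    own_queues = r"q\." + re.escape(user) + r"\..*"  # assumed queue naming
    readable = "|".join(
        [own_queues, re.escape(PUBLIC_EXCHANGE), re.escape(user_exchange(user))]
    )
    return {
        "configure": "^" + own_queues + "$",
        "write": "^" + own_queues + "$",  # own queues only: no publishing
        "read": "^(" + readable + ")$",
    }


def allowed(perms, op, queue=None, exchange=None):
    """Check an operation against the regexes (explicitly anchored)."""
    names = {"queue": queue, "exchange": exchange}
    return all(re.search(perms[p], names[kind]) for p, kind in REQUIRED[op])
```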