[rabbitmq-discuss] User Permissions

Jerry Kuch jerryk at rbcon.com
Mon Jan 28 18:54:37 GMT 2013

Hi, Nybras:

On Sat, Jan 26, 2013 at 11:27 AM, nybras <brettflitter at gmail.com> wrote:

> Hi I don't really understand how to use the regular expressions to dictate
> what the user can and can't do in the management plugin.

Please see here:  http://www.rabbitmq.com/management.html

Note also, that things changed and became a bit more flexible a few
versions ago.

> I'm also not really sure about how to go about security. At the moment I've
> created an app which connects just through one account (admin/root account)
> with no permission restrictions which I'm guessing is not good.

Probably not.  You'd want to create a user account for that app, and then
adorn it with the permissions needed to perform the various AMQP operations
it needs to perform as it goes about its business.

See here for summary information:

Note that rather than an ACL, listing who can do a thing to an AMQP object,
the permissions model works the other direction, perhaps slightly more akin
to a bare bones capabilities system.

In the Rabbit model, a user has configure, read and write permissions.
Associated with each is a regex naming the resources that the user is
allowed to configure/read/write.  Each AMQP command requires the resource
it's trying to operate on to match the appropriate permission regex as
summarized in the table at http://www.rabbitmq.com/access-control.html

>  Do I create
> a 'user' account for each new user that uses my app or do I create one
> 'user' account with restricted permissions that all users can connect
> through??

That depends on your application.  If the users of your messaging system
really need disparate and partitioned access control, you may have to
create multiple accounts.  Otherwise, it's common to see multiple logical
applications in a broker (e.g. payment processing, status updates, etc.)
and to perhaps create a user per logical app with suitable permissions,
assuming of course there isn't going to be a single user whose concerns
span the entities of both.  You can also segregate at the virtual host
level which is an even sharper division.

> I've started using the http API so I can make requests to see how many
> bindings a user has made which is also currently being accessed through
> this 'one admin account', should I just create a basic user account to allow
> these GET requests? Again I don't understand what to do with the regular
> expressions.

For access to management capabilities themselves, things are a bit
different.  The management plugin extends the basic AMQP permissions model
up above and allows arbitrary tags to be attached to users.  The management
plugin respects tags called "management", "monitoring" and "administrator,"
each of which has different powers over administrative functions as
summarized at:  http://www.rabbitmq.com/management.html

Give those links a look, see how well they digest, and by all means return
if you have further questions!

Best regards,
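An added illustration of the per-user configure/write/read regex model described in the reply above (not code from the mail or from RabbitMQ itself): a small Python model of how a permission triple is checked against the resources an AMQP operation touches. The operation-to-permission mapping is a subset of the table on the linked access-control page, the user names and regexes are constructed, and matching is assumed to be a regex search rather than a whole-string match, which is why the patterns are anchored.

```python
import re
from dataclasses import dataclass


# Per-user, per-vhost permission triple, as set on a broker with e.g.
#   rabbitmqctl set_permissions -p / payments_app "^payments\." "^payments\." "^payments\."
@dataclass(frozen=True)
class Permissions:
    configure: str
    write: str
    read: str


# Which permission each operation needs, and on which resource (subset of the
# table on http://www.rabbitmq.com/access-control.html). queue.bind is the
# interesting case: it needs write on the queue AND read on the exchange.
OPERATIONS = {
    "queue.declare":    [("configure", "queue")],
    "queue.delete":     [("configure", "queue")],
    "exchange.declare": [("configure", "exchange")],
    "basic.publish":    [("write", "exchange")],
    "basic.consume":    [("read", "queue")],
    "basic.get":        [("read", "queue")],
    "queue.purge":      [("read", "queue")],
    "queue.bind":       [("write", "queue"), ("read", "exchange")],
}


def _matches(pattern, name):
    # An empty pattern grants nothing (treated as ^$). Assumed search
    # semantics: an unanchored "payments" would also match "mypayments".
    return re.search(pattern or r"^$", name) is not None


def is_allowed(perms, operation, **resources):
    """True only if every resource the operation touches matches the
    matching permission regex. The default exchange ("") is checked under
    the name "amq.default"."""
    for permission, role in OPERATIONS[operation]:
        name = resources[role]
        if role == "exchange" and name == "":
            name = "amq.default"
        if not _matches(getattr(perms, permission), name):
            return False
    return True


# Constructed users: one per logical app, as the reply suggests.
PAYMENTS_APP = Permissions(configure=r"^payments\.", write=r"^payments\.", read=r"^payments\.")
# A monitoring-style consumer that may only read one queue and declare nothing.
REPORT_READER = Permissions(configure="", write="", read=r"^reports\.daily$")
```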