[rabbitmq-discuss] User Permissions

Jerry Kuch jerryk at rbcon.com
Wed Jan 30 19:33:45 GMT 2013


Hi, Nybras...

You're still a bit turned around...

That's great thank you very much. So if I wanted allow my users to only:
>

Consulting the table at:  http://www.rabbitmq.com/access-control.html

We see...


> queue.bind

queue.unbind
>

Both require you to be able to write the queue and read the exchange.


> basic.get

basic.consume
>

Both requires you to be able to read the queue.


> Would I create a user account (say 'users') and fill in regex parts (im
> creating this in the Management Plugin)
> Write regexp = '^amq\.queue.bind|amq\.queue.unbind$'
> Read regexp = '^amq\.basic.get|amq\.basic.consume$'
>
> Or have I completely misunderstood this?
>

Your regexes are referring to the names of AMQP operations.  The regexes
are supposed to match the names of the entities on which you're granting
those permissions (whether they exist yet or not).

So suppose you wanted a user to be able to bind a queue named "fooqueue" to
an exchange named "barexchange".  Then you need to do a queue.bind you need
to make sure that whatever write permission regex you've given the user
will match "fooqueue" and that whatever read permission you've given the
user will match the name "barexchange."

Naturally this requires a bit of planning of your namespace.


> My app is a publish/subscribe scenario where each user has their very own
> queue with multiple binds to various exchanges (the producers).


Then a user coming in would need the configure permission with regex
including whatever name he plans to queue.declare his queues under, a read
regex that includes the names of those exchanges to which he may want to
bind things, and a write regex that includes the name of the queue he
wishes to bind.


> I'm guessing
> to allow users to only consume from their own queue I would have to create
> a
> user account for each user of the app. Or I could randomly generate queue
> names for each user so that these queue names could not be guessed (which
> would be secure enough)??
>

You certainly could do per user permissioning that only grants appropriate
permissions on resources that match a naming convention of your devising.
 I'd suggest you avoid the "generate obscure queue names" as a security
policy. You might also consider declaring *exclusive* queues which can only
be used by the declaring consumer.  Mixing those with the *auto-delete*
property can be a convenient way to make transient, private queues that
will go away when your consumer departs, which might be nice from a
resource management standpoint if you have a lot of distinct user
identities in the mix.

Best regards,
Jerry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20130130/c3d0cda4/attachment.htm>


More information about the rabbitmq-discuss mailing list