[rabbitmq-discuss] Per-queue/exchange ACL via LDAP plugin
Simon MacMullen
simon at rabbitmq.com
Mon Mar 11 14:53:40 GMT 2013
(By the way, that README is out of date, check
http://www.rabbitmq.com/ldap.html now.)
On 08/03/13 16:53, SteveO wrote:
> Assuming I had local database users named Test1 and Test2, I could ensure
> that only user Test1 could consume from queues starting with the name
> "Test1" and only user Test2 could consume from queues starting with the name
> "Test2" by doing the following...
>
> rabbitmqctl set_permissions -p /myvhost Test1 ".*" ".*" "^Test1.*"
> rabbitmqctl set_permissions -p /myvhost Test2 ".*" ".*" "^Test2.*"
>
> Hopefully my understanding is correct. Please let me know if I am way off :)
> It seems to be working to my understanding with the tests I have run.
Yes, that's correct.
> What I wanted to do was apply similar logic when using LDAP A/A. If the
> user was matched by user_dn or by group membership, that's fine. I preferred
> the group membership, but would settle for user_dn.
Group membership is definitely problematic.
> The "Test1" queue name
> was certainly an example. If "Test1" was considered a prefix to the queue
> name or the queue name itself, that's fine as well.
>
> Under the "resource_access_query" section in the readme here...
>
> https://github.com/rabbitmq/rabbitmq-auth-backend-ldap/blob/master/README-authorisation
>
> ...how does the ${name} parameter work? That's how I thought I'd make this
> happen, but my attempts have flailed so far.
${name} will substitute in for the name of the resource being queried.
So something like this:
{resource_access_query,
 {for, [%% exchanges: deny every operation
        {resource, exchange, {constant, false}},
        %% queues: deny configure and write, allow read only when the
        %% queue name starts with the username
        {resource, queue,
         {for, [{permission, configure, {constant, false}},
                {permission, write,     {constant, false}},
                {permission, read,
                 {match, {string, "${name}"}, {string, "^${username}.*"}}}
               ]}}
       ]}
}
might work for you. The first parameter to the {match} test is a string
(in this case evaluating to the name of the queue), the second is a
regular expression matching the username.
Cheers, Simon
--
Simon MacMullen
RabbitMQ, VMware
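The following is an added example, not code from the post or from the RabbitMQ project. It models both halves of the thread in Python: the per-user read/write/configure regexes that `rabbitmqctl set_permissions` installs, and a small evaluator for the `resource_access_query` shape Simon posted (`for`, `constant`, `match`, `string` with `${name}`/`${username}` substitution). The evaluator's semantics (textual variable substitution, unanchored regex matching, deny when no `for` clause matches) are assumptions that follow the post and the plugin documentation, not the plugin's own code; the permission table and queue names are constructed test data.

```python
import re

# --- 1. Internal-database style permissions (rabbitmqctl set_permissions) ---
# Constructed table mirroring the two commands quoted in the post:
#   rabbitmqctl set_permissions -p /myvhost Test1 ".*" ".*" "^Test1.*"
#   rabbitmqctl set_permissions -p /myvhost Test2 ".*" ".*" "^Test2.*"
PERMS = {
    ("/myvhost", "Test1"): {"configure": ".*", "write": ".*", "read": "^Test1.*"},
    ("/myvhost", "Test2"): {"configure": ".*", "write": ".*", "read": "^Test2.*"},
}


def db_allowed(vhost, user, op, name, perms=PERMS):
    """True if `user` may perform `op` ('configure'|'write'|'read') on resource
    `name` in `vhost`. The regex is applied unanchored, as the broker does, so
    only an explicit ^ pins the pattern to the start of the resource name."""
    entry = perms.get((vhost, user))
    if entry is None:
        return False
    return re.search(entry[op], name) is not None


# --- 2. LDAP-plugin style resource_access_query, modelled as nested tuples ---
# Simon's query transcribed into Python tuples. Assumption: the evaluator below
# follows the semantics described in the post; it is not the plugin's code.
QUERY = ("for", [
    ("resource", "exchange", ("constant", False)),
    ("resource", "queue", ("for", [
        ("permission", "configure", ("constant", False)),
        ("permission", "write", ("constant", False)),
        ("permission", "read",
            ("match", ("string", "${name}"), ("string", "^${username}.*"))),
    ])),
])


def substitute(template, env):
    """Replace ${var} placeholders with values from env.
    Plain textual substitution: whatever is in the value lands in the string,
    so a username containing regex metacharacters becomes part of the pattern."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env[m.group(1)], template)


def evaluate(query, env):
    """Recursively evaluate a query node against the request environment."""
    kind = query[0]
    if kind == "constant":
        return query[1]
    if kind == "match":
        # first argument: the subject string, second: the regular expression
        subject = substitute(query[1][1], env)
        pattern = substitute(query[2][1], env)
        return re.search(pattern, subject) is not None
    if kind == "for":
        # pick the first clause whose selector (resource/permission) matches
        for selector, value, sub in query[1]:
            if env[selector] == value:
                return evaluate(sub, env)
        return False  # assumption: no matching clause means deny
    raise ValueError(f"unknown query node {kind!r}")


def ldap_allowed(username, vhost, resource, permission, name, query=QUERY):
    """Decide a resource access request the way the modelled query would."""
    env = {"username": username, "vhost": vhost, "resource": resource,
           "permission": permission, "name": name}
    return evaluate(query, env)


if __name__ == "__main__":
    print(db_allowed("/myvhost", "Test1", "read", "Test1.orders"))
    print(ldap_allowed("Test1", "/myvhost", "queue", "read", "Test2.orders"))
```

Two things the model makes visible that are easy to miss when reading the regexes: `^Test1.*` is a prefix match, so user Test1 also reads a queue called `Test10`, and the quoted `set_permissions` lines leave write and configure at `.*`, so either user can still declare or publish to the other's queues. If prefixes can collide or usernames can contain characters that are regex metacharacters, check how the real plugin substitutes `${username}` before relying on the `match` form; the example deliberately reproduces the plain textual substitution rather than escaping it.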