[rabbitmq-discuss] Per-queue/exchange ACL via LDAP plugin

Simon MacMullen simon at rabbitmq.com
Mon Mar 11 14:53:40 GMT 2013

(By the way, that README is out of date, check 
http://www.rabbitmq.com/ldap.html now.)

On 08/03/13 16:53, SteveO wrote:
> Assuming I had local database users named Test1 and Test2, I could ensure
> that only user Test1 could consume from queues starting with the name
> "Test1" and only user Test2 could consume from queues starting with the name
> "Test2" by doing the following...
> rabbitmqctl set_permissions -p /myvhost Test1 ".*" ".*" "^Test1.*"
> rabbitmqctl set_permissions -p /myvhost Test2 ".*" ".*" "^Test2.*"
> Hopefully my understanding is correct. Please let me know if I am way off :)
> It seems to be working to my understanding with the tests I have run.

Yes, that's correct.

> What I wanted to do was apply similar logic when using LDAP A/A. If the
> user was matched by user_dn or by group membership, that's fine. I preferred
> the group membership, but would settle for user_dn.

Group membership is definitely problematic.

> The "Test1" queue name
> was certainly an example. If "Test1" was considered a prefix to the queue
> name or the queue name itself, that's fine as well.
> Under the "resource_access_query" section in the readme here...
> https://github.com/rabbitmq/rabbitmq-auth-backend-ldap/blob/master/README-authorisation
> ...how does the ${name} parameter work? That's how I thought I'd make this
> happen, but my attempts have flailed so far.

${name} will substitute in for the name of the resource being queried.

So something like this:

   %% Value of resource_access_query's {for, [...]} list:
   %% deny everything on exchanges, and on queues allow only 'read',
   %% and only where the queue name starts with the username.
   [{resource, exchange, {constant, false}},
    {resource, queue,
     {for, [{permission, configure, {constant, false}},
            {permission, write,     {constant, false}},
            {permission, read,
             {match, {string, "${name}"}, {string, "^${username}.*"}}}]}}]

might work for you. The first parameter to the {match} test is a string 
(in this case evaluating to the name of the queue), the second is a 
regular expression matching the username.

Cheers, Simon

Simon MacMullen
RabbitMQ, VMware
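The following is an added example, not code from the thread or from the RabbitMQ LDAP plugin: a small Python interpreter for the resource_access_query terms Simon describes ({constant, ...}, {for, [...]} and {match, {string, ...}, {string, ...}} with ${name}/${username} substitution), so the effect of a query can be checked offline before it goes into rabbitmq.config. Assumptions made here and not stated on the page: a {for, ...} with no matching clause denies, substitution is purely textual (no regex escaping of the username), and the delimited variant assumes a "<owner>.<queue>" naming convention chosen for the example. The constructed checks show the point a practitioner should notice about the "^${username}.*" prefix match: user Test1 also gains read access to a queue named Test10.orders.

```python
import re

# Erlang query terms are modelled as Python tuples (added example, not the plugin's code):
#   {constant, Bool}                      -> ("constant", bool)
#   {for, [{Key, Value, SubQuery}, ...]}  -> ("for", [(key, value, subquery), ...])
#   {match, {string, S}, {string, Regex}} -> ("match", ("string", s), ("string", regex))

# The query from the reply above, with its brackets completed.
PREFIX_QUERY = (
    "for", [
        ("resource", "exchange", ("constant", False)),
        ("resource", "queue", ("for", [
            ("permission", "configure", ("constant", False)),
            ("permission", "write",     ("constant", False)),
            ("permission", "read",
             ("match", ("string", "${name}"), ("string", "^${username}.*"))),
        ])),
    ],
)

# Variant requiring a literal "." right after the username, so Test1 does not
# also read Test10's queues. Assumes queues are named "<owner>.<queue>"
# (a convention chosen for this example, not something the page prescribes).
DELIMITED_QUERY = (
    "for", [
        ("resource", "exchange", ("constant", False)),
        ("resource", "queue", ("for", [
            ("permission", "configure", ("constant", False)),
            ("permission", "write",     ("constant", False)),
            ("permission", "read",
             ("match", ("string", "${name}"), ("string", "^${username}\\."))),
        ])),
    ],
)

VARIABLE = re.compile(r"\$\{(\w+)\}")


def substitute(template, ctx):
    """Replace ${var} with ctx[var]. Assumption: plain textual substitution,
    so regex metacharacters in a username would end up in the pattern."""
    return VARIABLE.sub(lambda m: ctx[m.group(1)], template)


def evaluate(query, ctx):
    """Evaluate a modelled query to True (allow) or False (deny)."""
    kind = query[0]
    if kind == "constant":
        return bool(query[1])
    if kind == "for":
        for key, value, subquery in query[1]:
            if ctx.get(key) == value:
                return evaluate(subquery, ctx)
        return False  # assumption: no matching {for} clause means deny
    if kind == "match":
        subject = substitute(query[1][1], ctx)   # e.g. the queue name
        pattern = substitute(query[2][1], ctx)   # e.g. "^Test1.*"
        return re.search(pattern, subject) is not None
    raise ValueError("unknown query term: %r" % (kind,))


def allowed(username, resource, permission, name, query=PREFIX_QUERY):
    """Would `username` get `permission` on the `resource` named `name`?"""
    ctx = {"username": username, "resource": resource,
           "permission": permission, "name": name}
    return evaluate(query, ctx)


if __name__ == "__main__":
    # Constructed sample decisions; "Test10.orders" is the prefix-collision case.
    for user, res, perm, name in [("Test1", "queue", "read", "Test1.orders"),
                                  ("Test2", "queue", "read", "Test1.orders"),
                                  ("Test1", "queue", "read", "Test10.orders"),
                                  ("Test1", "queue", "configure", "Test1.orders")]:
        print(user, perm, res, name, "-> prefix:",
              allowed(user, res, perm, name),
              "delimited:", allowed(user, res, perm, name, DELIMITED_QUERY))
```

Because the username is substituted into the regular expression as text, the usernames your LDAP directory hands to RabbitMQ should be restricted to a safe character set (or the pattern anchored with a delimiter as in DELIMITED_QUERY) before relying on this for isolation between tenants.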
