[rabbitmq-discuss] How to grant only read access to a specific STOMP queue?

joshua__lim joshua__lim at hotmail.com
Sun Feb 23 08:25:12 GMT 2014


Michael Klishin-2 wrote
> On 22 Feb 2014, at 20:35, joshua__lim <joshua__lim@> wrote:
> 
>> This time it worked but it also means the guest user can publish to all
>> queues!  Is there a way to restrict publishing to a specific queue?
> 
> You don’t publish to queues in RabbitMQ. You publish to exchanges. It is
> possible to restrict queue.bind.
> 
> MK
> 
> Software Engineer, Pivotal/RabbitMQ


Thanks for your reply once again.

Unless I've interpreted this incorrectly -
http://www.rabbitmq.com/access-control.html - the reference here says that
queue.bind is controlled via <write> (to queue) and <read> (from exchange).


I ran set_permissions for the guest user, setting <conf> to "testqueue".

# usage: set_permissions [-p <vhostpath>] <user> <conf> <write> <read>
rabbitmqctl set_permissions guest "testqueue" "amq.default" "testqueue"


After that, I tried sending to "testqueue1", and got the following error.

{amqp_error,access_refused,
            "access to queue 'testqueue1' in vhost '/' refused for user 'guest'",
            'queue.declare'}


This test proves that I can limit a user to accessing a specific queue only
(be it to send to or to subscribe to) by limiting the configure operation to
that queue.

To allow the guest user to "only" send to "testqueue1", as well as to
"only" read from "testqueue2", I tried the following:

rabbitmqctl set_permissions guest "^(testqueue1|testqueue2)$" "amq.default" "testqueue2"


However, this will give permission to the guest user to send to "testqueue2"
(I only want the guest user to read from "testqueue2").

If I were to remove "testqueue2" from <conf>, the guest user won't be able to
send to "testqueue2" but will also be unable to read from "testqueue2" - the
following error appears:

=ERROR REPORT==== 23-Feb-2014::16:08:03 ===
connection <0.1780.0>, channel 1 - soft error:
{amqp_error,access_refused,
            "access to queue 'testqueue2' in vhost '/' refused for user 'guest'",
            'queue.declare'}


How can I allow a user to only be able to read from a specific queue while
being able to send to another queue at the same time?




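The permission checks behind the two attempts in this message, modelled as an added example (not part of the original post and not RabbitMQ's own code). It assumes the operation-to-permission mapping from the access-control reference linked above, that a STOMP SEND or SUBSCRIBE on a /queue destination first issues queue.declare (as the quoted errors show), and that each pattern is applied as a regex search over the resource name.

```python
import re

# Checks one STOMP frame on /queue/<name> triggers on the broker, in order:
# (AMQP operation, permission it needs, resource the permission is checked on).
# Assumed from the access-control reference and the errors quoted in the post.
FRAME_CHECKS = {
    "SEND": [("queue.declare", "configure", "queue"),
             ("basic.publish", "write", "exchange")],
    "SUBSCRIBE": [("queue.declare", "configure", "queue"),
                  ("basic.consume", "read", "queue")],
}
# Name the default exchange goes by in permission checks.
DEFAULT_EXCHANGE = "amq.default"


def check(perms, frame, queue):
    """Return (allowed, failing_operation) for one STOMP frame on /queue/<queue>."""
    for operation, permission, resource in FRAME_CHECKS[frame]:
        name = queue if resource == "queue" else DEFAULT_EXCHANGE
        pattern = perms[permission] or "^$"  # an empty pattern grants nothing
        if not re.search(pattern, name):
            return False, operation
    return True, None


def matrix(perms, queues=("testqueue1", "testqueue2")):
    """Evaluate every frame/queue combination for one permission set."""
    return {(f, q): check(perms, f, q) for f in FRAME_CHECKS for q in queues}


# The permission set from the post: <conf>, <write>, <read>.
BOTH_IN_CONF = {"configure": "^(testqueue1|testqueue2)$",
                "write": "amq.default", "read": "testqueue2"}
# Constructed: the post only says "testqueue2" was removed from <conf>.
ONLY_Q1_IN_CONF = {"configure": "^(testqueue1)$",
                   "write": "amq.default", "read": "testqueue2"}

if __name__ == "__main__":
    for label, perms in (("both queues in <conf>", BOTH_IN_CONF),
                         ("testqueue1 only in <conf>", ONLY_Q1_IN_CONF)):
        print(label)
        for (frame, queue), (ok, failed) in matrix(perms).items():
            verdict = "allowed" if ok else "refused at " + failed
            print(f"  {frame:9} {queue}: {verdict}")
```

In this model the write check is made against the exchange name, never the queue name, so the only per-queue control on SEND is the configure pattern, which SUBSCRIBE also has to pass.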