delete queue permission


Vilius Šumskas

May 26, 2022, 9:11:26 AM
to rabbitm...@googlegroups.com

Hello,

 

we have two RabbitMQ users which are used by our application backend.

  1. standard-backend-user which has only read/write .* access to virtual host /. It is used by one application service to send/receive messages.
  2. admin-backend-user which doesn't have read/write access to virtual host /, but has the "administrator" tag. It is used by another application service to create/delete queues dynamically on demand.

 

Now the issue is that, with this setup, admin-backend-user can create queues, but cannot delete them. The error message complains:

Delete queue error: access to queue 'd7c230e.7daae7f' in vhost '/' refused for user 'admin-backend-user'

 

Is this a known issue? I would expect an administrator user to be able to delete queues even if he doesn't have read access to them. Maybe we are using the wrong API to delete it?

 

--

   Best Regards,

 

    Vilius Šumskas

    Rivile

    IT manager

    +370 614 75713

 

Michal Kuratczyk

May 26, 2022, 2:39:23 PM
to rabbitm...@googlegroups.com
Hi,

Normal RabbitMQ permissions to resources still apply to monitors and administrators; just because a user is a monitor or administrator
does not grant them full access to exchanges, queues and bindings through the management plugin or other means.

And from https://www.rabbitmq.com/access-control.html#authorisation, you can see that "configure" permission is required to delete a queue.

Best,



--
Michał
RabbitMQ team

Vilius Šumskas

May 26, 2022, 4:54:05 PM
to rabbitm...@googlegroups.com

I saw that, but since we are performing queue delete operations via the HTTP management API, I assumed that AMQP permissions do not apply.

 

The section from the management documentation also got me confused. On one hand it says that "permissions to resources still apply to monitors and administrators", but it also says that administrators via the management plugin have read access to all queues, and can add/delete users, etc. So I assumed that the "permissions to resources still apply to monitors and administrators" section is only valid if connecting via an AMQP client.

 

Anyway, .* ^$ ^$ permission set probably will do the trick. Thank you!

 

--

    Vilius
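
The resource permission check discussed in this thread, modelled in Python as an added example (not code from the posters or from RabbitMQ). It assumes the configure/write/read mapping from the access-control guide linked above, an unanchored regex match with an empty pattern treated as `^$`, and constructed permission sets; `STANDARD` assumes the standard user has no configure grant, and `ADMIN_SCOPED` is a hypothetical narrower alternative.

```python
import re

# AMQP 0-9-1 operation -> (permission checked, kind of resource it is checked on).
# Subset of the table in the RabbitMQ access-control guide.
REQUIRED = {
    "queue.declare": ("configure", "queue"),
    "queue.delete":  ("configure", "queue"),
    "queue.purge":   ("read", "queue"),
    "basic.consume": ("read", "queue"),
    "basic.get":     ("read", "queue"),
    "basic.publish": ("write", "exchange"),
}

def matches(pattern, name):
    # An empty pattern is a synonym for '^$'; matching is an unanchored search.
    return re.search(pattern or "^$", name) is not None

def allowed(perms, operation, resource_name):
    """perms: dict with 'configure', 'write', 'read' regexes for one vhost."""
    permission, _kind = REQUIRED[operation]
    return matches(perms[permission], resource_name)

def audit(perms, queue, exchange):
    """Return {operation: bool} for one queue name and one exchange name."""
    result = {}
    for op, (_perm, kind) in REQUIRED.items():
        result[op] = allowed(perms, op, queue if kind == "queue" else exchange)
    return result

# Constructed permission sets (configure, write, read) for vhost '/'.
ADMIN_PROPOSED = {"configure": ".*", "write": "^$", "read": "^$"}
# Assumption: the standard user has no configure grant.
STANDARD = {"configure": "^$", "write": ".*", "read": ".*"}
# Hypothetical tighter grant: only names shaped like the one in the error message.
ADMIN_SCOPED = {"configure": r"^[0-9a-f]{7}\.[0-9a-f]{7}$",
                "write": "^$", "read": "^$"}

if __name__ == "__main__":
    sets = [("proposed", ADMIN_PROPOSED), ("standard", STANDARD),
            ("scoped", ADMIN_SCOPED)]
    for label, perms in sets:
        print(label, audit(perms, "d7c230e.7daae7f", "amq.direct"))
```

With `.*` as the configure pattern the user can declare and delete every queue in the vhost, while the scoped pattern limits that to queues matching the dynamic naming scheme.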
