RabbitMQ separate permissions - ldap users


Avram Remus

Aug 20, 2014, 3:52:59 AM
to rabbitm...@googlegroups.com

I installed RabbitMQ Server 3.3.4 and it's working fine.

Users are connected via ldap.

Configuration file, rabbitmq.config, looks like this:


[
 {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
 {rabbitmq_auth_backend_ldap,
  [{servers, ["ldap.test.intern"]},
   {user_dn_pattern, "uid=${username},ou=people,dc=test,dc=de"},
   {use_ssl, false},
   {port, 389},
   {log, network},
   {resource_access_query,
    {for, [{permission, configure, {in_group, "uid=${username},dc=test,dc=de"}},
           {permission, write,
            {for, [{resource, queue, {in_group, "uid=${username},dc=test,dc=de"}},
                   {resource, exchange, {constant, true}}]}},
           {permission, read,
            {for, [{resource, exchange, {in_group, "uid=${username},dc=test,dc=de"}},
                   {resource, queue, {constant, true}}]}}
          ]
    }
   },

   {tag_queries, [{administrator, {constant, false}},
                  {management, {constant, true}}]}
  ]
 }
].

At the moment all the users who are connected through ldap have the management tag.

I would like some users (who are connected through ldap) to have other permissions, like administrator, etc.

Is there any possibility to assign other tags to separate users (who are connected through ldap) in this config file?

Simon MacMullen

Aug 20, 2014, 4:55:12 AM
to Avram Remus, rabbitm...@googlegroups.com
On 20/08/14 08:52, Avram Remus wrote:
> I would like some users (who are connected thorough ldap) to have other
> permissions, like administrator, etc.
>
> Is there any possibility to assign others tags to separate users (who
> are connected through ldap) in this config file?

You can assign queries to tags like you can to resource access, see

http://www.rabbitmq.com/ldap.html#query-reference

e.g. you could use an in_group query to assign the administrator tag to
users in a certain group.

Cheers, Simon

Avram Remus

Aug 20, 2014, 12:35:19 PM
to rabbitm...@googlegroups.com, remus....@gmail.com
I assigned queries to tags like I did for resource access, but I got an error when I try to log in on the web.

The rabbitmq.config file looks like this:

[
      {rabbit, [{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}]},
      {rabbitmq_auth_backend_ldap,
           [     {servers,               ["ldap.test.intern"]},
             {user_dn_pattern,       "uid=${username},ou=people,dc=test,dc=de"},
             {use_ssl,               false},
             {port,                  389},
             {log,                   network},
             {resource_access_query,
                 {for, [{permission, configure, {in_group, "uid=${username},dc=test,dc=de"}},
                    {permission, write,
                          {for, [{resource, queue,    {in_group, "uid=${username},dc=test,dc=de"}},
                                {resource, exchange, {constant, true}}]}},
                     {permission, read,
                          {for, [{resource, exchange, {in_group, "uid=${username},dc=test,dc=de"}},
                                {resource, queue,    {constant, true}}]}}]
                  }
             },

            {tag_queries,      
                {for, [{permission, configure, {in_group, "uid=${username},dc=test,dc=de"}},
                    {permission, administrator,                       
                          {for, [{tag, queue,    {in_group, "uid=${username},dc=test,dc=de"}},
                                {tag, exchange, {constant, true}}]}}]
                  }
            }
           ]
      }
].


The error message from RabbitMQ Management is:

Got response code 500 with body

Internal Server Error

The server encountered an error while processing this request:
{error,function_clause,
    [{rabbit_auth_backend_ldap,'-do_login/4-lc$^0/1-0-',
         [{for,
              [{permission,configure,
                   {in_group,"uid=${username},dc=test,dc=de"}},
               {permission,administrator,
                   {for,
                       [{tag,queue,
                            {in_group,"uid=${username},dc=test,dc=de"}},
                        {tag,exchange,{constant,true}}]}}]},
          {user,<<"testertr">>,undefined,rabbit_auth_backend_ldap,
              {impl,"uid=testertr,ou=people,dc=test,dc=de",
                  <<"password">>}},
          <0.283.0>,<<"testertr">>,"uid=testertr,ou=people,dc=test,dc=de"]},
     {rabbit_auth_backend_ldap,do_login,4},
     {rabbit_auth_backend_ldap,with_ldap,3},
     {rabbit_auth_backend_ldap,check_user_login,2},
     {rabbit_access_control,try_login,3},
     {lists,foldl,3},
     {rabbit_access_control,check_user_login,2},
     {rabbit_mgmt_util,is_authorized,6}]}

I expect that the rabbitmq.config file is not written correctly.

Could you please write an example of a query for a tag for me? I didn't find this on the internet. All the queries for tags were constant queries...

Thanks a lot!

Cheers,
Remus

Simon MacMullen

Aug 21, 2014, 5:09:44 AM
to Avram Remus, rabbitm...@googlegroups.com
On 20/08/14 17:35, Avram Remus wrote:
> I assign queries to tags like I did for resource access but I got an
> error when I try to login on web.
>
> rabbitmq.config files looks like this:
>
> [

<snip>

> {tag_queries,
> {for, [{permission, configure, {in_group,
> "uid=${username},dc=test,dc=de"}},
> {permission, administrator,
> {for, [{tag, queue, {in_group,
> "uid=${username},dc=test,dc=de"}},
> {tag, exchange, {constant, true}}]}}]
> }
> }
> ]
> }
> ].

You could try something like this:

{tag_queries,
[{administrator, {in_group, "cn=adminusers,dc=example,dc=com"}},
{management, {constant, true}}]}

Tags don't get subdivided based on anything like configure/read/write or
queue/exchange. They're just something a user has or not.

Cheers, Simon
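As an added example (not part of this thread and not code from the RabbitMQ LDAP plugin), a small Python checker for the shape of a tag_queries term: it parses the subset of Erlang term syntax used in rabbitmq.config and reports why the value posted above is rejected (a single {for, ...} tuple where a list of {Tag, Query} pairs is expected, which matches the function_clause above) and why Simon's corrected form passes. The set of accepted query forms is the one the plugin documents; the POSTED and FIXED strings are copied from the two snippets in this thread.

```python
import re

TOKEN = re.compile(r'\s+|(?P<str>"(?:[^"\\]|\\.)*")|(?P<atom>[a-z]\w*|\'[^\']*\')|(?P<int>-?\d+)|(?P<punct>[{}\[\],.])')
QUERY_FORMS = {'constant', 'in_group', 'exact_match', 'string_match', 'for', 'and', 'or', 'not'}  # documented query forms
class Atom(str): pass                         # an Erlang atom, kept distinct from a double-quoted string

def tokenize(text):
    pos, out = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m: raise SyntaxError(f"bad token at offset {pos}")
        pos = m.end()
        if m.lastgroup:                       # lastgroup is None for the whitespace branch
            out.append((m.lastgroup, m.group(m.lastgroup)))
    return out

def parse_term(tokens, i=0):
    """Parse one term at tokens[i]: {..} -> tuple, [..] -> list. Returns (value, next_index)."""
    kind, val = tokens[i]
    if kind == 'str':  return val[1:-1], i + 1
    if kind == 'atom': return Atom(val.strip("'")), i + 1
    if kind == 'int':  return int(val), i + 1
    if val in '{[':
        close, items, i = ('}' if val == '{' else ']'), [], i + 1
        while tokens[i] != ('punct', close):
            item, i = parse_term(tokens, i)
            items.append(item)
            if tokens[i] == ('punct', ','): i += 1
        return (tuple(items) if close == '}' else items), i + 1
    raise SyntaxError(f"unexpected {val!r}")

def check_tag_queries(text):
    """Return the problems found in a {tag_queries, Value} term; an empty list means it is well-formed."""
    term, _ = parse_term(tokenize(text))
    if not (isinstance(term, tuple) and len(term) == 2 and term[0] == 'tag_queries'):
        return ["expected a {tag_queries, Value} tuple"]
    value = term[1]
    if not isinstance(value, list):           # the mistake in the config posted above
        return [f"tag_queries must be a list of {{Tag, Query}} pairs, not a tuple starting with {(value or ('?',))[0]!r}"]
    problems = []
    for entry in value:
        if not (isinstance(entry, tuple) and len(entry) == 2 and isinstance(entry[0], Atom)):
            problems.append(f"{entry!r} is not a {{Tag, Query}} pair")
        elif not (isinstance(entry[1], tuple) and entry[1] and entry[1][0] in QUERY_FORMS):
            problems.append(f"tag {entry[0]}: unknown query form {entry[1]!r}")
        elif entry[1][0] == 'for':            # tags are not split by permission or resource type
            problems.append(f"tag {entry[0]}: a for-clause selects on permission/resource, which tags lack")
    return problems

# Sample input constructed from the two snippets in this thread: the posted value and the corrected one.
POSTED = '{tag_queries, {for, [{permission, configure, {in_group, "uid=${username},dc=test,dc=de"}}, {permission, administrator, {for, [{tag, queue, {in_group, "uid=${username},dc=test,dc=de"}}, {tag, exchange, {constant, true}}]}}]}}'
FIXED = '{tag_queries, [{administrator, {in_group, "cn=adminusers,dc=example,dc=com"}}, {management, {constant, true}}]}'
```

Call check_tag_queries(POSTED) and check_tag_queries(FIXED) to compare the two: the first returns a single message naming the stray for-tuple, the second returns an empty list.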