RabbitMQ Access Control


Tom van Leeuwen

Jun 24, 2015, 2:20:48 AM
to rabbitm...@googlegroups.com
Hi guys,

I have implemented the rpc_server / rpc_client pattern.
I have an rpc_server that creates queue 'echo' and an rpc_client that creates a reply queue 'echo-client_a94c8432fe990d'.

I've created user 'echo-client' which the rpc_client uses.

Now I would like to restrict this 'echo-client' to only send messages to the 'echo' queue.
I would have expected to set the following permissions:
configure: '^echo-client_.*'
write: '^echo$'
read: '^echo-client_.*'

This does not work, however; after reading and guessing a lot of posts, I've come to the following:
rabbitmqctl set_permissions echo-client 'echo-client_.*' 'amq.default' 'echo-client_.*'

I don't understand why I have to put amq.default in order to write to the 'echo' queue.
And this allows write permissions to all queues if I'm not mistaken.

I think I'm mixing up the permissions and terms like exchanges and queues.

Can somebody shed some light on how to implement what I'm trying to accomplish?

Any help is greatly appreciated!

Kind regards,
Tom van Leeuwen

Michael Klishin

Jun 24, 2015, 3:22:54 AM
to rabbitm...@googlegroups.com, Tom van Leeuwen
On 24 June 2015 at 09:20:50, Tom van Leeuwen (drabb...@gmail.com) wrote:
> I don't understand why I have to put amq.default in order to write
> to the 'echo' queue.
> And this allows write permissions to all queues if I'm not mistaken.

Because you do not publish to queues, you publish to exchanges, and in request/reply
implementations this often happens over the default exchange (amq.default when setting
up permissions, empty string in other cases).

 http://www.rabbitmq.com/tutorials/amqp-concepts.html
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Tom van Leeuwen

Jun 24, 2015, 4:04:54 AM
to rabbitm...@googlegroups.com, drabb...@gmail.com
Hi Michael,

Thanks for explaining. It seems then that it is not possible to restrict access to queues in the default exchange using the RabbitMQ permission controls, right?
I'll have to implement authorization on the application level then?

Thanks for the link! It is really interesting!

Kind regards,
Tom van Leeuwen

Michael Klishin

Jun 24, 2015, 4:16:40 AM
to rabbitm...@googlegroups.com, Tom van Leeuwen
On 24 June 2015 at 11:04:56, Tom van Leeuwen (drabb...@gmail.com) wrote:
> Thanks for explaining. It seems then that it is not possible
> to restrict access to queues in the default exchange using the
> RabbitMQ permission controls right?
> I'll have to implement authorization on the application level
> then?

You can prohibit publishing to the default exchange (note: it may be used by plugins
such as Shovel and Federation) and use a separate one. Default exchange is not really
special: it's a direct exchange that is automatically bound to every queue declared
using routing key that equals queue name. You can do the same in your code if
having such restrictions in place is worth an extra network roundtrip (queue.bind)
for every response queue.

This comes up from time to time on this list, e.g.
https://groups.google.com/d/msg/rabbitmq-users/XOvzq-7F0bs/sN48Db2JqWIJ
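
A small Python model of the permission checks discussed in this thread, added here as an example; it is not code from the thread or from RabbitMQ. It evaluates the three permission sets against the operations an RPC client performs, following the operation-to-permission mapping in RabbitMQ's access control documentation. The exchange names 'rpc.requests' and 'rpc.replies' and the `dedicated` permission set are assumptions made for illustration.

```python
import re

# Permission each AMQP 0-9-1 operation needs, and the resource it is checked
# against (mapping taken from RabbitMQ's access control documentation).
REQUIRED = {
    "queue.declare": [("configure", "queue")],
    "queue.bind":    [("write", "queue"), ("read", "exchange")],
    "basic.publish": [("write", "exchange")],
    "basic.consume": [("read", "queue")],
}

def matches(pattern, name):
    # '' is a synonym for '^$'; patterns are not implicitly anchored.
    return re.search(pattern or "^$", name) is not None

def allowed(perms, op, exchange=None, queue=None):
    """perms: {'configure': rx, 'write': rx, 'read': rx} for one user and vhost."""
    # The default exchange's blank name is checked as 'amq.default'.
    names = {"exchange": "amq.default" if exchange == "" else exchange,
             "queue": queue}
    return all(matches(perms[p], names[kind]) for p, kind in REQUIRED[op])

REPLY_Q = "echo-client_a94c8432fe990d"  # reply queue name quoted in the thread

# First attempt in the thread: write is granted on the queue name 'echo'.
first_try = {"configure": "^echo-client_.*", "write": "^echo$",
             "read": "^echo-client_.*"}
# Permissions from the set_permissions command in the thread.
via_default = {"configure": "echo-client_.*", "write": "amq.default",
               "read": "echo-client_.*"}
# Assumed alternative with hypothetical dedicated exchanges.
dedicated = {"configure": "^echo-client_.*$",
             "write": r"^(rpc\.requests|echo-client_.*)$",
             "read": r"^(rpc\.replies|echo-client_.*)$"}

def report(perms):
    """Which RPC-client operations the broker would permit under perms."""
    return {
        "declare reply queue": allowed(perms, "queue.declare", queue=REPLY_Q),
        "bind reply queue": allowed(perms, "queue.bind",
                                    exchange="rpc.replies", queue=REPLY_Q),
        "consume replies": allowed(perms, "basic.consume", queue=REPLY_Q),
        "publish via default": allowed(perms, "basic.publish", exchange=""),
        "publish via rpc.requests": allowed(perms, "basic.publish",
                                            exchange="rpc.requests"),
    }

if __name__ == "__main__":
    for label, perms in [("first_try", first_try), ("via_default", via_default),
                         ("dedicated", dedicated)]:
        print(label, report(perms))
```

The routing key never appears in the publish check, so write access to an exchange covers every queue bound to it; that is why the model takes no routing key argument.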