"topic_access_query" ${routing_key} parsing to extract deviceID for authorization


kenjk...@gmail.com

Apr 5, 2021, 4:28:28 PM4/5/21
to rabbitmq-users
Hi Folks,
I have a working solution but it is not ideal.

I'm looking for someone familiar with RabbitMQ's implementation of LDAP authorization for "topic_access_query". Also anyone using RabbitMQ for SCADA Sparkplug might have this same issue.


My problem:
1) I have topics that look like this: "myservice.deviceIDyyyy.writecommands" and "myservice.deviceIDyyyy.updatestatus", where the yyyy is unique per device.

2) I need to allow 'write' authorization (see my advanced.conf snippet below) for specific admins assigned to each specific device, to allow any write (any topic) for a device.
3) In LDAP I want to have each device listed by serialNumber=deviceIDyyyy in the DN, but I seem to be forced to list them under serialNumber=xxxxx.deviceIDyyyy.zzzz because I can only get the entire ${routing_key} to create the in_group DN.

So, instead of a group DN looking like this: cn=group_admins,serialNumber=deviceIDyyy,ou=devices,ou=model1,ou=iot,dc=mycompany,dc=com
it looks like this: cn=group_admins,serialNumber=myservice.deviceIDyyy.writecommands,ou=devices,ou=model1,ou=iot,dc=mycompany,dc=com
Thus serialNumber does not indicate a device but rather a specific one of many possible routing_keys for a device.
 
in 'advanced.conf':
{topic_access_query,
  {for, [
    {permission, write, {'or', [
      {in_group, "cn=group_device_super_admins,ou=devices,ou=model1,ou=iot,dc=mycompany,dc=com", "uniqueMember"},
      {in_group, "cn=group_admins,serialNumber=${routing_key},ou=devices,ou=model1,ou=iot,dc=mycompany,dc=com", "uniqueMember"}
    ]}},
    {permission, read, {constant, true}}
  ]}
}

What I would like is to be able to, within advanced.conf, parse the ${routing_key} down to the "deviceIDyyy" via a regex like "^(?:\.[a-z0-9]+?\.)([a-zA-Z0-9]+?)(?:\.[a-zA-Z0-9]+?$)", which pulls out the middle deviceID.

Is there a way to parse out a ${routing_key} within a RabbitMQ topic_access_query to use with an "in_group" LDAP query?
(Note: SCADA Sparkplug's topic structure puts deviceIDs into the topic also.) Does anyone checking SCADA Sparkplug per-device authorization on RabbitMQ have a solution?

Ken
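As an added example that is not part of this thread and not the LDAP plugin's own query language: the per-device decision Ken describes, written out in Python so the pieces are visible. It splits the three-segment routing key with a regex of my own (the post's regex is not used), derives the device group DN the way the advanced.conf snippet does but from the device ID alone, escapes the value per RFC 4514 before placing it in the DN, and checks membership against a constructed, in-memory stand-in for the two LDAP groups. Where such logic would actually run is an assumption on my part (a separate authorization service that can execute code, which the LDAP plugin's configuration cannot); the directory contents, user DNs and device IDs are constructed sample data.

```python
import re
from typing import Dict, Optional, Set

# Constructed regex for routing keys shaped <service>.<deviceID>.<action>.
# It deliberately allow-lists [A-Za-z0-9] for every segment, so a key that
# carries DN metacharacters or extra dots is rejected rather than interpolated.
DEVICE_KEY_RE = re.compile(r"^[a-z0-9]+\.([A-Za-z0-9]+)\.[A-Za-z0-9]+$")

# Group DN from the thread's advanced.conf snippet (super admins may write anything).
SUPER_ADMINS_DN = "cn=group_device_super_admins,ou=devices,ou=model1,ou=iot,dc=mycompany,dc=com"


def extract_device_id(routing_key: str) -> Optional[str]:
    """Return the middle segment of a <service>.<deviceID>.<action> key, or None."""
    match = DEVICE_KEY_RE.match(routing_key)
    return match.group(1) if match else None


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4).

    The regex above already restricts device IDs to alphanumerics, so this is
    defence in depth: any value placed into a DN is escaped regardless of source.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def group_dn_for_device(device_id: str) -> str:
    """Build the per-device admin group DN Ken wants: serialNumber holds only the device ID."""
    return (
        f"cn=group_admins,serialNumber={escape_dn_value(device_id)},"
        "ou=devices,ou=model1,ou=iot,dc=mycompany,dc=com"
    )


# Constructed stand-in for the directory: group DN -> set of uniqueMember DNs.
DIRECTORY: Dict[str, Set[str]] = {
    SUPER_ADMINS_DN: {"uid=alice,ou=people,dc=mycompany,dc=com"},
    group_dn_for_device("deviceID0042"): {"uid=bob,ou=people,dc=mycompany,dc=com"},
}


def may_write(user_dn: str, routing_key: str, directory: Optional[Dict[str, Set[str]]] = None) -> bool:
    """Mirror the 'write' branch of the topic_access_query: super admins OR per-device admins."""
    directory = DIRECTORY if directory is None else directory
    if user_dn in directory.get(SUPER_ADMINS_DN, set()):
        return True
    device_id = extract_device_id(routing_key)
    if device_id is None:
        return False  # unparseable key: deny rather than guess a DN
    return user_dn in directory.get(group_dn_for_device(device_id), set())


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=mycompany,dc=com"
    for key in ("myservice.deviceID0042.writecommands",
                "myservice.deviceID0042.updatestatus",
                "myservice.deviceID0099.writecommands",
                "myservice.deviceID0042,ou=evil.writecommands"):
        print(f"{key!r:50} -> {may_write(bob, key)}")
```

The point the example makes concrete: once the device ID is isolated, one LDAP group per device covers every routing key for that device, which is exactly what the whole-${routing_key} interpolation cannot express; and because the parser rejects anything outside its allow-list, a malformed key is denied instead of producing an unexpected DN.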

M K

Apr 6, 2021, 5:43:07 AM4/6/21
to rabbitmq-users
advanced.config cannot contain any code, and the LDAP plugin only exposes certain specific variables. So you cannot parse its value using a regular expression: neither plugin configuration nor the query variable system supports execution of arbitrary code or user-defined variables.

kenjk...@gmail.com

Apr 6, 2021, 12:04:25 PM4/6/21
to rabbitmq-users
OK, thank you for confirming that. I had hoped I was missing something. 

Michael Uray

Apr 5, 2023, 10:01:43 AM4/5/23
to rabbitmq-users
Is this actually still the case?
I noticed that there is a String Sub-query in the current documentation; is that regex query maybe possible in the meanwhile?
