STOMP/Web STOMP: operation queue.declare caused a channel exception access_refused with x-queue-name
365 views
Skip to first unread message
Vito Macchia
Apr 23, 2020, 1:29:12 PM4/23/20
to rabbitmq-users
Hello,
I want to implement a pub/sub with topic exchange that can be used by both AMQP and STOMP/WebSTOMP clients, with 1 access per user.
I want to implement a pub/sub with topic exchange that can be used by both AMQP and STOMP/WebSTOMP clients, with 1 access per user.
I am trying to subscribe to an exsisting queue using "x-queue-name", because I'd like to subscribe my client to matching routing keys only, but not having to re-declare a queue if already exists.
Furthermore I don't want my users to be allowed to create any resources (e.g. queues), only to read from them.
For this, I thought of using a convention, in my setup, that is each user is given a single queue where he can write or read from and that's all:
myuser --> qmyuser
User permissions are set as follows:
| Virtual host | Configure regexp | Write regexp | Read regexp | |
|---|---|---|---|---|
| example | ^$ | ^(qmyuser.*|amq.topic.*)$ | .* |
As you can see, users have no Configure permissions.
I have also restricted the topic list they can subscribe or publish to:
| Virtual host | Exchange | Write regexp | Read regexp | |
|---|---|---|---|---|
| example | amq.topic | ^(topic1.*.*.*|anothertopic|generic.#)$ | ^(topic1.*.*.*|anothertopic|generic.#)$ |
This works fine when using AMQP, meaning that I can bind qmyuser to whatever topic (limited by the patterns set by the topic permission) I need, from 0 to N topics.
But when using Web STOMP it does not work as expected.
For instance, sending:
But when using Web STOMP it does not work as expected.
For instance, sending:
SUBSCRIBE
durable:true
exclusive:true
auto-delete:false
x-queue-name:qmyuser
id:sub-0
destination:/exchange/amq.topic/mytopic
I would expect that this frame binds the queue qmyuser to the topic mytopic (or any valid topic expression) setting a routing key from amq.topic to qmyuser. That's what happens in AMQP, basically.
Instead, the above frame causes the following error:
operation queue.declare caused a channel exception access_refused: access to queue 'qmyuser ' in vhost 'example' refused for user 'myuser '
I would expect just that
subscribe -> create a queue if not exists, then set routing keys as per destination header
unsubscribe -> remove routing key
This way I could select which topics to listen to (e.g. only topic1.something.*).
If I use /amq/qmyuser I get subscribed to ALL topics, which does not make sense in my use case.
subscribe -> create a queue if not exists, then set routing keys as per destination header
unsubscribe -> remove routing key
This way I could select which topics to listen to (e.g. only topic1.something.*).
If I use /amq/qmyuser I get subscribed to ALL topics, which does not make sense in my use case.
Notice that the headers
durable:true
exclusive:true
auto-delete:false
match the queue configuration provided by the admins.
System Info:
RabbitMQ 3.8.3 with admin and stomp/webstomp plugins, running in docker container with the official image
System Info:
RabbitMQ 3.8.3 with admin and stomp/webstomp plugins, running in docker container with the official image
Reply all
Reply to author
Forward
0 new messages