Why does the "read" permission level allow users to purge the queue?


Ryan Zink

Sep 22, 2015, 3:43:06 PM
to rabbitmq-users
I am running RabbitMQ instances in an environment where we anticipate having a kiosk of sorts viewing the management plugin in a browser. We have created a new user for this kiosk, which has monitoring access and only read permissions to the "/" vhost. We have confirmed that this is working as expected, that users can't delete queues, etc. However I was surprised that read users can purge the queue (and I saw that is documented here: https://www.rabbitmq.com/access-control.html). 

What is the rationale for this? I guess I understand from a messaging perspective that a read user should be able to read all messages (equivalent to a purge) but it makes using the read permission in our use case somewhat limited. Is there some other way to restrict which actions the management plugin users can delete?

Thanks,
Ryan

Michael Klishin

Sep 22, 2015, 4:08:53 PM
to rabbitm...@googlegroups.com, Ryan Zink
This decision dates many years back but yes, I think “purge” can be treated as
“read all” by some. I personally would consider reviewing it for 3.6.0.

There is no way to restrict access beyond what’s in the table linked.
If the kiosk is going to use HTTP API, however, you can run Nginx (or similar)
in front of it and try limiting access to the purge operation endpoint:

DELETE /api/queues/{vhost}/{name}/contents
--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Ryan Zink

Sep 23, 2015, 12:54:45 PM
to rabbitmq-users, ryan...@gmail.com
I guess then the problem might be best related to the rabbitmq-management plugin more so than the server itself. The lowest level access to the management plugin, "management", when given only read access to the vhost, will prevent deletion of the queues but will not prevent purging the queues. 

Given our use case, is there a way to create another, truly "read-only" user that doesn't have the ability to perform destructive actions (maybe by not having the purge button, etc.)? Is something like that on the roadmap at all?

full19...@gmail.com

Apr 29, 2018, 12:26:58 PM
to rabbitmq-users
Ryan, I have run into the same issue when trying to set up a 'read-only' user. Did you ever find a solution? If so, please share... it would be greatly appreciated!

Thanks
AlonnaG

Ryan Zink

Apr 30, 2018, 7:40:07 PM
to rabbitmq-users
Hi Alonna,

Unfortunately, since it's a design decision we didn't come up with a good solution to this. I suppose you could create a wrapper for the management plugin using the management API and obfuscate the ability to delete or purge messages, but it wasn't something we wanted to invest time in.

Ryan
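
The two workarounds raised in this thread (a proxy in front of the HTTP API that refuses the purge call, and a wrapper around the management API) share one filtering step, shown here as an added example that is not code from any poster or from RabbitMQ. The upstream address, the listen port and all function and class names are assumptions.

```python
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = "http://127.0.0.1:15672"  # assumption: management plugin on its default port
SAFE_METHODS = {"GET", "HEAD"}       # assumption: the kiosk only views pages

# Purge endpoint named in the thread. Matched on the raw request target, before
# percent-decoding, because the default vhost "/" travels as the segment %2F.
PURGE = re.compile(r"^/api/queues/[^/]+/[^/]+/contents/?$")

def allow_except_purge(method, target):
    """Narrow rule: refuse only DELETE on the purge endpoint."""
    return not (method == "DELETE" and PURGE.match(target.split("?", 1)[0]))

def allow_read_only(method, target):
    """Stricter rule: a method allow-list that does not depend on
    recognising every state-changing path."""
    return method in SAFE_METHODS and target.startswith("/")

class KioskProxy(BaseHTTPRequestHandler):
    def _handle(self):
        if not allow_read_only(self.command, self.path):
            self.send_error(403, "read-only kiosk")
            return
        req = urllib.request.Request(UPSTREAM + self.path, method=self.command)
        if self.headers.get("Authorization"):  # pass the kiosk user's credentials through
            req.add_header("Authorization", self.headers["Authorization"])
        try:
            with urllib.request.urlopen(req, timeout=10) as up:
                status, ctype, body = up.status, up.headers.get("Content-Type"), up.read()
        except urllib.error.HTTPError as err:  # relay the broker's own 401/404
            status, ctype, body = err.code, err.headers.get("Content-Type"), err.read()
        except urllib.error.URLError:
            self.send_error(502, "management API unreachable")
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype or "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _handle

if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), KioskProxy).serve_forever()
```

The filter only holds if the kiosk can reach the proxy but not the management listener itself. With the narrow rule, other non-GET calls still pass and are limited only by the broker's own permissions.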