rabbitmq.config and resource_access_query and assigning permission to more than one group?


David Shapiro

Dec 6, 2017, 9:22:17 AM
to rabbitmq-users
Good morning,

The basic examples out there for resource_access_query work for us for the most part, but we do have a scenario I need your help with to get it easier to manage.

We are trying to use active directory for authorization and authentication.  For the most part we got that working.  We have been using vips and creating two groups for each:  vipname-users, and vipname-admins.  This was done to attempt to fit this in to the existing examples that are out on the web.

{resource_access_query,
             {for, [
                 %%create, destroy, or alter behaviour
                 {permission, configure,
                     {for, [{resource, queue, {in_group, "cn=${vhost}-admins,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}},
                            {resource, exchange, {in_group, "cn=${vhost}-admins,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}}]}},

                 %%write messages
                 {permission, write,
                     {for, [
                            {resource, queue, {in_group, "cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}},
                            {resource, exchange, {in_group, "cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}}]}},
                 %%read messages
                 {permission, read,
                     {for, [
                            {resource, queue, {in_group, "cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}},
                            {resource, exchange, {in_group, "cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}}]}}
    ]
    }},

The problem with this is twofold. First, the ${vhost}-admins need read and write as well.  Until I know how to fix this, I have been adding the admin users to both the active directory groups ${vhost}-admins and ${vhost}-users.  This works.  
Ideally, though, I would rather the resource_access_query allow the admins configure, read, and write.  

I tried for example for write permission something like (add admins to it):

{permission, write,
                     {for, [
                            {resource, queue, {in_group, "cn=${vhost}-admins,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}},
                            {resource, exchange, {in_group, "cn=${vhost}-admins,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}},
                            {resource, queue, {in_group, "cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}},
                            {resource, exchange, {in_group, "cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"}}]}},

rabbitmq starts up fine, but surprise, it seems to read the first entry for queue and the first for exchange and ignore the rest.  
There is no in_groups.  Does {in_group [ "$vhost-users", "$vhost-admins" ]} work?

I see there are ways to use 'and', 'or', and 'but', but the format is royally confusing.   I would appreciate getting an example that shows what I am trying to accomplish.  

There is a side question to all this too. Do consumers even need write?  I think I was binding a queue to an exchange in my consumer code, and I think that was making it so I had to give ${vhost}-users write permission.  I am going to test that out.


Luke Bakken

Dec 11, 2017, 3:05:27 PM
to rabbitmq-users
Hi David,

There is a table on this page that outlines which permissions are needed for AMQP operations: https://www.rabbitmq.com/access-control.html

I can't speak to your LDAP questions but I will see if someone else on the RabbitMQ team has more experience with it. If you can provide a sample LDAP database that I could use to reproduce your problem, I may be able to research it further.

Thanks,
Luke

David Shapiro

Dec 12, 2017, 9:37:56 AM
to rabbitmq-users

Thanks Luke, 

I have seen the permissions table you mention.  It is more how to use the boolean query to get what I need that I need help with.  Please see https://www.rabbitmq.com/ldap.html for the sections showing boolean query options.


For example, how do I say:  for permission configure, active directory group vhost-admins can configure exchanges and queues, but vhost-users can configure just queues, and then for permission read and write, both of those groups have the permissions for both queues and exchanges?

My apologies, but I have no way to provide you an LDAP database that I know of, but I did list the LDAP DNs for the two groups in the question:

"cn=${vhost}-admins,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"
"cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"


dfed...@pivotal.io

Dec 13, 2017, 9:09:51 AM
to rabbitmq-users
Hi.

I believe "or" query is what you need.
You cannot have multiple type-key pairs in "for" query, you have to break down queries to a query per permission.
E.g. {for, [{resource, exchange, {for, [{permission, configure, (query)}, {permission, read, (other query)}]}]}
And queries will be {or, [{in_group, (one-group)}, {in_group, (another group)}]}

In your case it will be something like:

{for, [{resource, exchange,
        {for, [{permission, configure, {in_group, (vhost-admins group)}},
               {permission, write, {or, [{in_group, (vhost-admins group)}
                                         {in_group, (vhost-users group)}]}},
               {permission, read, {or, [{in_group, (vhost-admins group)}
                                        {in_group, (vhost-users group)}]}}
              ]}},
       {resource, queue,
        {for, [{permission, configure, {or, [{in_group, (vhost-admins group)},
                                             {in_group, (vhost-users group)}]}},
               {permission, write, {or, [{in_group, (vhost-admins group)}
                                         {in_group, (vhost-users group)}]}},
               {permission, read, {or, [{in_group, (vhost-admins group)}
                                        {in_group, (vhost-users group)}]}}
              ]}}]}

Hope it helps
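As an added illustration (not code from this thread or from the RabbitMQ LDAP plugin), a small Python model of how {for,...}, {or,...} and {in_group,...} terms are evaluated, assuming the documented rule that the first matching {for,...} clause is the only one consulted; it runs the four-entry write clause from the question and the per-resource/per-permission structure from the answer above against a constructed vhost `app1` and the two group DNs from the question.

```python
# Toy evaluator for rabbitmq_auth_backend_ldap style query terms: a constructed
# model of the documented semantics of {for,...}, {or,...} and {in_group,...},
# not the plugin's own code. A {for,...} list is scanned top to bottom and only
# the first clause whose type/value matches the request is evaluated.

ADMINS = "cn=${vhost}-admins,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"
USERS = "cn=${vhost}-users,ou=vhosts,ou=IT,ou=US,ou=Servers,dc=company,dc=com"


def evaluate(query, args, groups):
    """args: {'vhost','resource','permission'}; groups: set of DNs the user is in."""
    kind = query[0]
    if kind == "for":
        for typ, value, sub in query[1]:
            if args[typ] == value:  # first matching clause wins; the rest are ignored
                return evaluate(sub, args, groups)
        raise ValueError("for query incomplete for %r" % (args,))
    if kind == "or":
        return any(evaluate(q, args, groups) for q in query[1])
    if kind == "in_group":
        return query[1].replace("${vhost}", args["vhost"]) in groups
    raise ValueError("unknown query term %r" % (kind,))


# The write clause from the question: four entries, but only the first queue
# clause and the first exchange clause can ever be reached.
BROKEN_WRITE = ("for", [
    ("resource", "queue", ("in_group", ADMINS)),
    ("resource", "exchange", ("in_group", ADMINS)),
    ("resource", "queue", ("in_group", USERS)),     # never reached
    ("resource", "exchange", ("in_group", USERS)),  # never reached
])

# The structure from the answer: one clause per resource, then one per
# permission, with {or,...} wherever either group should be accepted.
EITHER = ("or", [("in_group", ADMINS), ("in_group", USERS)])
FIXED = ("for", [
    ("resource", "exchange", ("for", [("permission", "configure", ("in_group", ADMINS)),
                                      ("permission", "write", EITHER),
                                      ("permission", "read", EITHER)])),
    ("resource", "queue", ("for", [("permission", "configure", EITHER),
                                   ("permission", "write", EITHER),
                                   ("permission", "read", EITHER)])),
])


def allowed(query, vhost, resource, permission, groups):
    args = {"vhost": vhost, "resource": resource, "permission": permission}
    return evaluate(query, args, groups)
```

With the broken clause a member of only app1-users is denied write on queues because the users clause is shadowed; with the fixed structure the same user gets read/write everywhere and configure on queues only.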

David Shapiro

Dec 14, 2017, 8:54:25 AM
to rabbitmq-users
Thank you, I will give this a whirl.  For:

{permission, write, {or, [{in_group, (vhost-admins group)}
                                         {in_group, (vhost-users group)}]}},

Should there be a comma after vhost-admins?

In that,

{permission, write, {or, [{in_group, (vhost-admins group)},                     <---------- comma here?
                                         {in_group, (vhost-users group)}]}},

Is there such a thing as a syntax checker page where you can cut/paste your stuff and it will see errors and highlight them to help you correct?  I have IntelliJ.  I am not sure if there is something in it to help as another option.  It is just so easy to get lost in commas, brackets, etc.

David

dfed...@pivotal.io

Dec 15, 2017, 6:18:19 AM
to rabbitmq-users
Right, there should be a comma. These configurations are Erlang terms, so any Erlang syntax checker will do.