RabbitMQ internal user write permissions not working on rabbitmq 3.6.6


Raul Kaubi

Jun 7, 2017, 3:06:13 AM
to rabbitmq-users

Hi

I have multiple queues with names starting with "ha.ettest.", so I wanted to add user permissions based on queue name.

For example, the queue name is "ha.ettest.adddd"

Permissions for user are:

With this setup, I can get messages from the queue, but I cannot publish messages to the queue; this action results in the following error:


=ERROR REPORT==== 7-Jun-2017::09:56:13 ===
Channel error on connection <#########> (<###########>, vhost: '/', user: 'taustaprotsess.tool'), channel 1:
operation basic.publish caused a channel exception access_refused: "access to exchange 'amq.default' in vhost '/' refused for user 'taustaprotsess.tool'"

If I set the Write regexp as it is by default, then I can publish messages into that queue.

Any suggestions? I mean, did I do something wrong?

RabbitMQ: 3.6.6
Erlang: 19.2

Regards
Raul

Karl Nilsson

Jun 7, 2017, 4:27:24 AM
to rabbitm...@googlegroups.com
Hi,

The default exchange is another resource and thus access needs to be granted. Try something like (untested): '^(ha.ettest.*|amq\.default)'

Cheers
Karl

--
Karl Nilsson

Pivotal/RabbitMQ

Raul Kaubi

Jun 7, 2017, 4:39:45 AM
to rabbitmq-users
Hi

Oh yeah, that works. Thanks. So publishing messages needs write permission for a certain exchange.

One more question: can I forbid users from purging queues (while at the same time allowing publishing to and getting messages from the same queues)? When I tested it, am I correct that purging is allowed through the "Read regexp:" permission?


Raul


Karl Nilsson

Jun 7, 2017, 5:04:28 AM
to rabbitm...@googlegroups.com
As you only require read permissions to purge a queue, that may be difficult to achieve. Why would you want to allow one state-changing action (consuming) whilst disallowing another (purging)? They are semantically very similar if you think about it.


--
Karl Nilsson

Pivotal/RabbitMQ

Raul Kaubi

Jun 7, 2017, 5:37:42 AM
to rabbitmq-users
I was just wondering if it would be possible somehow.
But ok, then.

Raul

Michael Klishin

Jun 7, 2017, 7:59:01 AM
to rabbitm...@googlegroups.com
To clarify why queue.purge is considered a read operation: it's no different
from consuming and voiding all messages "in a loop" with a client.

--
MK

Staff Software Engineer, Pivotal/RabbitMQ
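
The two points made in this thread (publishing through the default exchange needs write permission on 'amq.default', and queue.purge is checked as a read on the queue) can be modelled offline. This is an added example, not code from any poster or from RabbitMQ itself; the QUEUES_ONLY and TIGHTER permission sets are constructed for illustration (the original permission screenshot is not on the page), and the unanchored regex search is an assumption of the model.

```python
import re

# Subset of the access-control table in the RabbitMQ documentation:
# operation -> (resource kind, permission that is checked).
REQUIRED = {
    "basic.publish": ("exchange", "write"),
    "basic.get":     ("queue", "read"),
    "basic.consume": ("queue", "read"),
    "queue.purge":   ("queue", "read"),
}

def resource_name(kind, name):
    # The default exchange has an empty name on the wire but is checked
    # (and logged, as in the error above) under the name 'amq.default'.
    return "amq.default" if kind == "exchange" and name == "" else name

def allowed(perms, operation, kind, name):
    """perms: dict with 'configure', 'write' and 'read' regex strings."""
    want_kind, perm = REQUIRED[operation]
    if kind != want_kind:
        raise ValueError(f"{operation} acts on a {want_kind}")
    # An empty pattern is treated as '^$' and matches only the empty name.
    pattern = perms[perm] or "^$"
    # Assumption: unanchored search, so patterns carry their own ^ and $.
    return re.search(pattern, resource_name(kind, name)) is not None

# Constructed permission sets; SUGGESTED uses the regex from Karl's reply.
QUEUES_ONLY = {"configure": "", "write": r"^ha\.ettest\..*", "read": r"^ha\.ettest\..*"}
SUGGESTED = dict(QUEUES_ONLY, write=r"^(ha.ettest.*|amq\.default)")
TIGHTER = dict(QUEUES_ONLY, write=r"^(ha\.ettest\..*|amq\.default)$")

def report(perms, queue="ha.ettest.adddd"):
    return {
        "publish": allowed(perms, "basic.publish", "exchange", ""),
        "get": allowed(perms, "basic.get", "queue", queue),
        "purge": allowed(perms, "queue.purge", "queue", queue),
    }

if __name__ == "__main__":
    for label, perms in [("queues only", QUEUES_ONLY), ("suggested", SUGGESTED), ("tighter", TIGHTER)]:
        print(label, report(perms))
```

In this model, as in the permission table, basic.publish is checked against the exchange name only, so write access to 'amq.default' is not narrowed by the queue-name part of the pattern. The TIGHTER pattern escapes the dots and adds a trailing `$`, so names such as 'haXettest' or 'amq.default.x' no longer match.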