Can we make RabbitMQ queues private to specific users?


Bil Gurung

Apr 18, 2016, 7:03:13 AM
to rabbitmq-users
Is there any way to make RabbitMQ queues private to specific users? For example: a client connects to the RabbitMQ broker with a username and creates a queue. Then the queue should be accessible by only that user and no other users?

I achieved it by providing different vhosts for each user, but it cannot send messages across different vhosts.

Michael Klishin

Apr 18, 2016, 7:06:34 AM
to rabbitm...@googlegroups.com
You can limit most queue operations to a connection by declaring it as exclusive. When that connection is
closed or gone (e.g. TCP connection is lost), the queue will be deleted.

Note that *publishing* to an exclusive queue is not limited but binding is, so it's your connection
that decides what will be routed there.

On Mon, Apr 18, 2016 at 2:03 PM, Bil Gurung <bil...@gmail.com> wrote:
Is there any way to make rabbitmq queues private to specific users. For example : a client connects to rabbitmq broker with a username and creates a queue. Then the queue should be accessible by only that user and no other users ?

I achieved it by providing different vhosts for each users but it cannot send message across different vhost.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Bil Gurung

Apr 18, 2016, 7:16:00 AM
to rabbitmq-users
If clientA connects to the broker with userA and creates queueA, and clientB connects to the broker with userB and creates queueB, then when userA logs in to http://localhost:15672/ it should access only queueA, not queueB. Is it possible?

Michael Klishin

Apr 18, 2016, 7:45:56 AM
to rabbitm...@googlegroups.com
Yes: use separate vhosts for this kind of isolation.


Bil Gurung

Apr 18, 2016, 8:02:47 AM
to rabbitmq-users
Yes, that is the solution, and thanks, but we cannot send messages between clients with different vhosts. In my case the problem is that clientA with vhostA cannot send a message to clientB with vhostB, since queues and exchanges inside a vhost are not accessible to other vhosts. Or is there any other way??



Michael Klishin

Apr 18, 2016, 8:11:20 AM
to rabbitm...@googlegroups.com
Using dynamic Shovels to move messages between
vhosts is the only thing I can think of.
--

Laing, Michael

Apr 18, 2016, 8:17:10 AM
to rabbitm...@googlegroups.com
You can also federate among vhosts, I seem to recall from testing I have done.

Haven't used in production, but perhaps that would work in this case.

We currently use shovels for this sort of thing.

ni...@bluejeansnet.com

Apr 18, 2016, 12:57:17 PM
to rabbitmq-users
The way we handle this is by setting permissions for every user so that they can only see queues that begin with their username followed by a delimiter.  Then if we need to have a master process/server that can see everybody's queues, we can set permissions on that user to see everything.

   Nick

Bil Gurung

Apr 19, 2016, 3:06:44 AM
to rabbitmq-users

The way we handle this is by setting permissions for every user so that they can only see queues that begin with their username followed by a delimiter.  Then if we need to have a master process/server that can see everybody's queues, we can set permissions on that user to see everything.

Can you explain a bit in detail??




Bil Gurung

Apr 19, 2016, 6:59:20 AM
to rabbitmq-users
I set permissions for a user like ^admin-.*  .*  .*  as username followed by delimiter. But this doesn't allow me to create a new queue programmatically. How can I solve this??



Michael Klishin

Apr 19, 2016, 7:43:02 AM
to rabbitm...@googlegroups.com
--

ni...@bluejeansnet.com

Apr 19, 2016, 12:10:14 PM
to rabbitmq-users
Sure.  Suppose we have a user, "nick" and we want him to only be able to consume his own resources.

I give him the permissions ^\Qnick\E\$.* ^\Qnick\E\$.* ^\Qnick\E\$.*  (\Q \E just in case the username has some character that means something to a regex).

Then he has to name his queues "nick$<something>" and he also has to bind to exchanges that also start with "nick$".

This necessarily means that you cannot create queues with auto-generated names, because you wouldn't have permission on the queue (or permission to create it from the client side) because they start with "amq." rather than "nick$".  However, it's very easy to write a little code to auto-generate a queue name for a given user if they all follow the same format.

Then you give your "root" user the permission .* .* .*, and it can do anything.

It's a little bit hacky, but it works very well.

   Nick

Bil Gurung

Apr 20, 2016, 3:07:08 AM
to rabbitmq-users
I got your answer, but it's not making the queue private to that user. Other users can also view and modify the queue. What I need is that the queue should be visible to only that user and root users but not other users.

Michael Klishin

Apr 20, 2016, 3:31:17 AM
to rabbitm...@googlegroups.com
Bil,

We've laid out a few options for you: separate vhosts with Shovel or Federation links, exclusive queues, queue permissions (http://www.rabbitmq.com/access-control.html), application-level conventions, or some combination of them.

There is no way to make a queue "visible only to that user" unless it is in a dedicated vhost, but there are plenty of ways to limit what can be done with it, or exchanges it is bound to.

Please investigate how the above options can be applied to your system, because there are no
others to recommend.


Bil Gurung

Apr 20, 2016, 4:26:51 AM
to rabbitmq-users
Thanks for your suggestions, Michael. Let me look into it.

ni...@bluejeansnet.com

Apr 20, 2016, 8:24:12 PM
to rabbitmq-users
No, other users can't modify or touch the other queues if they ALL have their permissions configured to only be able to operate on their own queues in the manner I described.  You do have to set up customized permissions for *every* user though, which is what we do.

Bil Gurung

Apr 21, 2016, 7:02:12 AM
to rabbitmq-users
Is there any way so that exchange shouldn't start with username i.e. ^nick$<exchange-name>. I want only queue to start with username??

Michael Klishin

Apr 21, 2016, 7:22:12 AM
to rabbitm...@googlegroups.com
Yes, see negations in regular expressions.
--

Bil Gurung

Apr 21, 2016, 8:13:16 AM
to rabbitmq-users
It's not working, or maybe my permission regexp is incorrect. Can you provide me an example??
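
Added example (not part of the thread and not RabbitMQ's own code): a small Python model of the per-user prefix permissions Nick describes, with a variant for the later question about exchanges that do not carry the username. The `allowed` check is a simplified stand-in for the broker's regex match, the variant uses alternation to admit one named exchange, and the user names, queue names and the `events` exchange are constructed.

```python
import re

# AMQP operation -> (permission needed on the queue, on the exchange),
# as listed in the RabbitMQ access-control guide linked in the thread.
OPS = {
    "queue.declare": ("configure", None),
    "queue.bind":    ("write", "read"),
    "basic.consume": ("read", None),
    "basic.publish": (None, "write"),
}

def prefix_perms(user, shared_exchange=None):
    """Return (configure, write, read) regexes scoped to '<user>$...'."""
    # re.escape stands in for the thread's \Q...\E quoting, which
    # Python's re module does not support.
    own = "^" + re.escape(user) + r"\$.*"
    if shared_exchange is None:
        return (own, own, own)
    # Hypothetical variant: write/read also admit one exact exchange name,
    # so only queues have to carry the username prefix.
    both = "^(" + re.escape(user) + r"\$.*|" + re.escape(shared_exchange) + ")$"
    return (own, both, both)

def allowed(perms, op, queue=None, exchange=None):
    """Simplified model of the broker check: regex search per resource."""
    pattern = dict(zip(("configure", "write", "read"), perms))
    for need, name in zip(OPS[op], (queue, exchange)):
        # An empty pattern grants nothing (treated here as '^$').
        if need and not re.search(pattern[need] or "^$", name):
            return False
    return True

# Constructed names: users nick and bob, shared exchange "events".
NICK = prefix_perms("nick")
NICK_SHARED = prefix_perms("nick", shared_exchange="events")
ROOT = (".*", ".*", ".*")

def report():
    return {
        "declare nick$inbox": allowed(NICK, "queue.declare", queue="nick$inbox"),
        "declare amq.gen-x": allowed(NICK, "queue.declare", queue="amq.gen-x"),
        "consume bob$inbox": allowed(NICK, "basic.consume", queue="bob$inbox"),
        "bind to events": allowed(NICK, "queue.bind", "nick$inbox", "events"),
        "bind to events (shared)": allowed(NICK_SHARED, "queue.bind", "nick$inbox", "events"),
        "root consume bob$inbox": allowed(ROOT, "basic.consume", queue="bob$inbox"),
    }

if __name__ == "__main__":
    for case, ok in report().items():
        print(f"{case:26} {'allowed' if ok else 'refused'}")
```

When passing such a pattern to `rabbitmqctl set_permissions`, single-quote it so the shell does not expand the `$`.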