RabbitMQ MQTT ACCESS_REFUSED - access to queue


Andriy Varava

Feb 16, 2017, 8:26:10 AM
to rabbitmq-users
Hi,

I am currently trying to add permissions for a user, and I am having trouble with topic subscribing.

user: ava
exchange: ava.avatopic
permissions: ava .* ^ts$|ava\.avatopic ts|ava\.avatopic

When I try to subscribe, I get an error:

....
....
** Reason for termination ==
** {{shutdown,
        {server_initiated_close,403,
            <<"ACCESS_REFUSED - access to queue 'mqtt-subscription-a4eb74517c1444088b5d1faddfb1fb40qos0' in vhost '/' refused for user 'ava'">>}},
    {gen_server,call,
        [<0.1864.0>,
         {call,
             {'basic.consume',0,
                 <<"mqtt-subscription-a4eb74517c1444088b5d1faddfb1fb40qos0">>,
                 <<>>,false,true,false,false,[]},
             none,<0.1855.0>},
         infinity]}}

By the way, with event publishing on a topic, permissions work correctly. The issue is only with topic subscribing.

Please advise how to resolve the issue.

Michael Klishin

Feb 16, 2017, 8:29:15 AM
to rabbitm...@googlegroups.com, Andriy Varava
The error says it all: your user doesn't have the permissions to consume from a queue.

See http://www.rabbitmq.com/access-control.html and `set_permissions` in rabbitmqctl(1).

--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Andriy Varava

Feb 16, 2017, 8:35:12 AM
to rabbitmq-users, andriy...@gmail.com
Thank you for the quick response. Could you please advise how to define the right permissions for a user, for example to subscribe only to 'ts' topics?

Thank you in advance.

On Thursday, February 16, 2017 at 15:29:15 UTC+2, Michael Klishin wrote:

Arnaud Cogoluègnes

Feb 16, 2017, 8:50:14 AM
to rabbitm...@googlegroups.com
MQTT topic subscription is translated into an AMQP exchange-to-queue binding. The user needs read permission on the corresponding queue, e.g. mqtt-subscription-a4eb74517c1444088b5d1faddfb1fb40qos0. 'mqtt-subscription-*' should do the job.

Topic authorisation [1] has been introduced in 3.7 and should fit your needs better. Give the latest milestone we released a try.



Michael Klishin

Feb 16, 2017, 8:57:15 AM
to rabbitm...@googlegroups.com
More precisely, every subscription has a queue that's bound to the topic exchange the MQTT plugin uses,
which is amq.topic by default. It's the basic.consume method that causes ACCESS_REFUSED,
so look into queue permissions, not the exchange ones.

On 16 February 2017 at 16:50:15, Arnaud Cogoluègnes (acogol...@pivotal.io) wrote:
> MQTT topic subscription is translated into an AMQP exchange-to-queue
> binding. The user needs read permission on the corresponding queue,
> e.g. mqtt-subscription-a4eb74517c1444088b5d1faddfb1fb40qos0.
> 'mqtt-subscription-*' should do the job.
>
> Topic authorisation [1] has been introduced in 3.7 and should fit your
> needs better. Give the latest milestone we released a try.
>
> [1] http://nextrabbitmq.cfapps.io/access-control.html#topic-authorisation
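
An added example, not part of any post in the thread: a Python check of a permission triple against the resources an MQTT subscription touches, using the per-method requirements from RabbitMQ's access-control documentation. It assumes the unanchored regex matching of RabbitMQ's internal authorisation backend; the function names and the `FIXED` patterns are constructed for illustration.

```python
import re

# Permission each AMQP 0-9-1 method needs (RabbitMQ access-control docs):
# (method, permission kind, resource type). Listed without implying the
# order in which the MQTT plugin issues them.
SUBSCRIBE_OPS = [
    ("queue.declare", "configure", "queue"),
    ("queue.bind", "write", "queue"),
    ("queue.bind", "read", "exchange"),
    ("basic.consume", "read", "queue"),
]


def allowed(pattern, name):
    """True if the permission regex grants access to the resource name."""
    if pattern == "":
        pattern = "^$"  # an empty pattern grants no named resource
    return re.search(pattern, name) is not None  # assumption: unanchored match


def check_subscribe(perms, queue, exchange):
    """Return the (method, kind, resource) checks that would be refused."""
    names = {"queue": queue, "exchange": exchange}
    return [(m, k, names[r]) for m, k, r in SUBSCRIBE_OPS
            if not allowed(perms[k], names[r])]


# Queue name copied from the error in the thread; exchange from the first post.
QUEUE = "mqtt-subscription-a4eb74517c1444088b5d1faddfb1fb40qos0"
EXCHANGE = "ava.avatopic"

# The triple from the first post: configure, write, read.
ORIGINAL = {"configure": ".*",
            "write": r"^ts$|ava\.avatopic",
            "read": r"ts|ava\.avatopic"}

# Constructed variant: same triple plus the subscription queue prefix.
FIXED = {"configure": ".*",
         "write": r"^ts$|ava\.avatopic|^mqtt-subscription-",
         "read": r"ts|ava\.avatopic|^mqtt-subscription-"}

if __name__ == "__main__":
    for label, perms in (("original", ORIGINAL), ("fixed", FIXED)):
        refused = check_subscribe(perms, QUEUE, EXCHANGE)
        print(label, "refused:", refused or "nothing")
```

With the original triple, the read check on the subscription queue fails, which is the `basic.consume` refusal in the log; the write check that `queue.bind` needs on the same queue fails as well.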