I have a use case where I need to create a user and give him permission to only pub/sub on an existing queue, here's an example:
I didn't find a way to set up such a user management policy; the only way I found is to create one vhost for each user. This way, the user will have full access in its own vhost, but there's a big downside: I have a consumer application that subscribes to all queues and waits for user input. If every user has its own vhost, then I need to have 1 consumer per vhost, since I didn't find a way to consume from multiple vhosts using the same connection to RabbitMQ.
Small point of clarity: you should publish to an exchange, and subscribe to a queue. That being said, you may want an "ex-foo" and "ex-bar" for your exchanges... one per user, basically. It can be done differently, but this would work.
When adding permissions, you can use regular expressions to set what the user is allowed to do.
For example, using the rabbitmqctl command line to set permissions, you can do this:
rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"
This command instructs the RabbitMQ broker to grant the user named tonyg access to the virtual host called /myvhost, with configure permissions on all resources whose names start with "tonyg-", and write and read permissions on all resources.
Note that the order of permissions in the three "quotes" is: configure, write, read.
In your case, you would want to set permissions like this:
This will grant permissions for the foo user to read and write to any exchange or queue that starts with ex-foo or Q-foo.
You may be able to get away with something more restrictive, like
I'm not sure if you need write permissions to the queue, when publishing through an exchange. I haven't had to set up this level of granularity in my security, yet.
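As an added illustration (not code from the answer above or from RabbitMQ itself), the following Python models how the three regexes in a `rabbitmqctl set_permissions` line gate individual AMQP operations, using the operation-to-permission mapping from the RabbitMQ access-control documentation (publishing needs only write on the exchange; consuming needs read on the queue; binding needs write on the queue and read on the exchange). The users `foo` and `consumer` and their patterns are constructed sample data; the regex-search matching rule is an assumption noted in the code.

```python
import re
import shlex
from dataclasses import dataclass

# Permission each AMQP operation needs, and on which resource it is checked.
# Follows the operation table in the RabbitMQ access-control documentation.
OPERATION_RULES = {
    "exchange.declare": [("configure", "exchange")],
    "queue.declare":    [("configure", "queue")],
    "queue.bind":       [("write", "queue"), ("read", "exchange")],
    "basic.publish":    [("write", "exchange")],
    "basic.consume":    [("read", "queue")],
}


@dataclass
class Permissions:
    vhost: str
    user: str
    configure: str  # regexes, in the order rabbitmqctl takes them
    write: str
    read: str

    def allows(self, kind: str, name: str) -> bool:
        # Assumption: the pattern is applied as a regex search against the
        # resource name, which is why the patterns on the page begin with "^".
        # "^$" therefore never matches a real (non-empty) resource name.
        return re.search(getattr(self, kind), name) is not None


def parse_set_permissions(cmdline: str) -> Permissions:
    """Parse 'rabbitmqctl set_permissions -p VHOST USER CONF WRITE READ'."""
    argv = shlex.split(cmdline)  # strips the shell quotes around each regex
    if argv[:2] != ["rabbitmqctl", "set_permissions"] or argv[2] != "-p":
        raise ValueError("unsupported command line")
    vhost, user, conf, write, read = argv[3:8]
    return Permissions(vhost, user, conf, write, read)


def check(perms: Permissions, operation: str, exchange: str = "", queue: str = "") -> bool:
    """True only if every permission the operation needs is granted."""
    names = {"exchange": exchange, "queue": queue}
    return all(perms.allows(kind, names[res]) for kind, res in OPERATION_RULES[operation])


# Constructed sample accounts: "foo" may only use its own exchange/queue pair
# and cannot declare anything; the shared consumer service may only read Q-* queues.
FOO = parse_set_permissions(
    'rabbitmqctl set_permissions -p /myvhost foo "^$" "^(ex|Q)-foo$" "^(ex|Q)-foo$"')
CONSUMER = parse_set_permissions(
    'rabbitmqctl set_permissions -p /myvhost consumer "^$" "^$" "^Q-.*"')
```

Running `check(FOO, "basic.publish", exchange="ex-bar")` returns False while the same call with `ex-foo` returns True, and `CONSUMER` can consume from every `Q-` queue without being able to publish or declare anything.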