Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

RabbitMQ user permission to pub/sub on a pre-created queue

I have a use case where i need to create a user and give him permission to only pub/sub on an existing queue, here's an example:

  • Vhost "mainvhost" (is the same for all users)
  • Inside the vhost, i have Q-foo and Q-bar queues
  • User "foo" can only pub/sub to Q-foo
  • User "bar" can only pub/sub to Q-bar

I didnt get the way to setup such user management policy, the only way i found is to create one vhost for each user, this way, user will have full access in its own vhost but there's a big downside: i have a consumer application that's subscribing to all queues and wait user inputs, if every user has its own vhost, then i need to have 1 consumer per vhost since i didnt get a way to consume from multiple vhosts using same connection to rabbitmq.

like image 631
zfou Avatar asked Sep 03 '15 15:09

zfou


1 Answers

small point of clarity: you should publish to an exchange, and subscribe to a queue. that being said, you may want an "ex-foo" and "ex-bar" for your exchanges... one per user, basically. it can be done differently, but this would work.


when adding permissions, you can use regular expressions to set what the user is allowed to do.

for example, using the rabbitmqctl command line to set permissions, you can do this:

rabbitmqctl set_permissions -p /myvhost tonyg "^tonyg-.*" ".*" ".*"

This command instructs the RabbitMQ broker to grant the user named tonyg access to the virtual host called /myvhost, with configure permissions on all resources whose names starts with "tonyg-", and write and read permissions on all resources.

note that the order of permissions in the three "quotes" is: configure, write, read.

in your case, you would want to set permissions like this:

  • vhost: mainvhost
  • user: foo
  • configure: ""
  • write: "^[ex-foo|Q-foo].*"
  • read: "^[ex-foo|Q-foo].*"

this will grant permissions for the foo user to read and write to any exchange or queue that starts with ex-foo or Q-foo

You may be able to get away with something more restrictive, like

  • write: "^ex-foo.*"
  • read: "^Q-foo.*"

I'm not sure if you need write permissions to the queue, when publishing through an exchange. I haven't had to set up this level of granularity in my security, yet.

like image 105
Derick Bailey Avatar answered Oct 25 '22 16:10

Derick Bailey