RabbitMQ + Web Stomp and security

RabbitMQ + Web Stomp is awesome. However, I have some topics I would like to secure as read-only or write-only.

It seems the only mechanism to secure these is with rabbitmqctl. I can create a vhost, a user and then apply some permissions. However, this is where the Stomp and Rabbit implementation starts to break down.

Topics take the form /topic/blah in stomp, which routes to "amq.topic" in Rabbit with a routing key "blah". It would seem there is no way to set permissions for the routing key. It seems:

rabbitmqctl set_permissions -p vhost user ".*" ".*" "^amq\.topic"

is the best I can do, which is still "ALL" topics. I've looked into exchanges as well, but there is no way in javascript to define these on the fly.

Am I missing something here?

Reference: http://www.rabbitmq.com/blog/2012/05/14/introducing-rabbitmq-web-stomp/

jbg asked Sep 04 '12 12:09


2 Answers

Try this: https://github.com/simonmacmullen/rabbitmq-auth-backend-http. It's much more flexible. Basically it's a small auth plugin for Rabbit that delegates ACL decisions to a script over HTTP (of which you have total control), which only has to reply with "allow" or "deny".

Ruslan Talpa answered Nov 12 '22 12:11
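As an added example (not part of the original answer, and not the plugin's own code), the following is a minimal ACL endpoint in Python of the kind the answer describes, written to express exactly the read-only / write-only topic rules the question asks for. It assumes the plugin's documented callbacks: the broker sends form-encoded parameters to /auth/user, /auth/vhost and /auth/resource and, in current versions of the plugin, to /auth/topic with a routing_key parameter, and expects a plain-text body of "allow" or "deny". The vhost, user names, passwords and routing-key rules are constructed for the demonstration.

```python
"""Minimal "allow"/"deny" ACL endpoint for rabbitmq-auth-backend-http.

Assumptions (not taken from the original page): the plugin calls
/auth/user, /auth/vhost, /auth/resource and /auth/topic with form-encoded
parameters (GET query string or POST body) and reads the response body.
All names, credentials and rules below are constructed sample values.
"""
import hmac
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

VHOST = "web"  # constructed vhost name used by the web-stomp clients

# Constructed credentials; a real deployment would look these up elsewhere.
USERS = {"dashboard": "s3cret-dash", "sensor-42": "s3cret-sensor"}

# Constructed per-user routing-key rules on the amq.topic exchange.
# Each pattern is matched against the whole routing key; None means no access.
TOPIC_ACL = {
    "dashboard": {"read": r"metrics\..*", "write": None},        # read-only
    "sensor-42": {"read": None, "write": r"metrics\.sensor42"},  # write-only
}


def _known(user, vhost):
    """True when the user exists and is asking about the expected vhost."""
    return user in USERS and vhost == VHOST


def decide(path, params):
    """Return "allow" or "deny" for one plugin callback; deny by default."""
    user = params.get("username", "")
    if path == "/auth/user":
        expected = USERS.get(user)
        ok = expected is not None and hmac.compare_digest(
            expected, params.get("password", ""))
        return "allow" if ok else "deny"
    if path == "/auth/vhost":
        return "allow" if _known(user, params.get("vhost")) else "deny"
    if path == "/auth/resource":
        if not _known(user, params.get("vhost")):
            return "deny"
        resource = params.get("resource")
        perm = params.get("permission", "")
        if resource == "exchange":
            # Exchange-level check: only amq.topic, and only the direction
            # (read = bind/consume, write = publish) the user has a rule for.
            rules = TOPIC_ACL.get(user, {})
            ok = params.get("name") == "amq.topic" and rules.get(perm) is not None
            return "allow" if ok else "deny"
        if resource == "queue":
            # The per-destination decision happens in /auth/topic; the queue
            # backing a STOMP subscription is allowed here.
            return "allow"
        return "deny"
    if path == "/auth/topic":
        if not _known(user, params.get("vhost")) or params.get("name") != "amq.topic":
            return "deny"
        pattern = TOPIC_ACL.get(user, {}).get(params.get("permission", ""))
        if pattern is None:
            return "deny"
        ok = re.fullmatch(pattern, params.get("routing_key", "")) is not None
        return "allow" if ok else "deny"
    return "deny"


class AclHandler(BaseHTTPRequestHandler):
    """Tiny HTTP front end: parse the parameters, answer with the verdict."""

    def _respond(self, verdict):
        body = verdict.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        url = urlsplit(self.path)
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        self._respond(decide(url.path, params))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        raw = self.rfile.read(length).decode()
        params = {k: v[0] for k, v in parse_qs(raw).items()}
        self._respond(decide(urlsplit(self.path).path, params))

    def log_message(self, fmt, *args):  # keep the console quiet
        pass


if __name__ == "__main__":
    # Point the plugin's http_path_prefix/user_path etc. at this address.
    HTTPServer(("127.0.0.1", 8000), AclHandler).serve_forever()
```

The point of the design is that the routing key, which native RabbitMQ permissions never see, is an explicit parameter of the topic callback, so a "read-only on metrics.*" or "write-only on one key" rule becomes a one-line regex per user. Every unknown path, user, vhost or exchange falls through to "deny", and the password comparison uses a constant-time check.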


Yes, with RabbitMQ-WebStomp you're pretty much limited to the normal RabbitMQ permission set. It's not ideal, but you should be able to get a basic permission setup right. Take a look at the RabbitMQ docs:

http://www.rabbitmq.com/access-control.html

Quickly looking at the stomp docs:

http://www.rabbitmq.com/stomp.html

Yes, you can't set up permissions for a particular routing key. Maybe you should use the 'exchange' semantics, plus bind an exchange with a queue explicitly (i.e. don't use topics):

/exchange/exchange_name[/routing_key].

Please do ask concrete questions about RMQ permissions on the rabbitmq-discuss mailing list. People there are really helpful.

Unfortunately, the RMQ permission set is not enough for some more complex scenarios. In this case you may want to:

  • Use STOMP only to read data, and publish messages only using some external AJAX interface that can speak directly to rabbit internally.
  • or, don't use the web-stomp plugin and write a simple bridge between SockJS and RabbitMQ manually. This gives you more flexibility but requires more work.

Marek answered Nov 12 '22 14:11