Discussion:
[rabbitmq-users] How to restrict access to consume only from one queue?
Rock Duy
2015-02-01 16:21:36 UTC
Hello all!

I'm wondering how to write regexp to allow `my_user` consuming only from
`my_queue`?

I have tried:


rabbitmqctl set_permissions my_user "my_queue.*" "^$" "^(my_queue.queue.declare|my_queue.queue.consume)$"

but it doesn't work, I've got "403, ACCESS_REFUSED - access to queue
'my_queue' in vhost '/' refused for user 'my_user'".

Thank You
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+***@googlegroups.com.
To post to this group, send an email to rabbitmq-***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Michael Klishin
2015-02-01 16:49:49 UTC
Post by Rock Duy
I'm wondering how to write regexp to allow `my_user` consuming
only from `my_queue`?
rabbitmqctl set_permissions my_user "my_queue.*" "^$" "^(my_queue.queue.declare|my_queue.queue.consume)$"
rabbitmqctl set_permissions my_user "my_queue" "my_queue" "my_queue"

will allow my_user to do anything on entities named "my_queue". 

How specific protocol operations map on configure/write/read permissions can be
seen on http://www.rabbitmq.com/access-control.html.
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
Rock Duy
2015-02-01 16:54:38 UTC
Post by Michael Klishin
rabbitmqctl set_permissions my_user "my_queue" "my_queue" "my_queue"
will allow my_user to do
But the user shouldn't do anything on entities named "my_queue". It should only
consume messages from "my_queue".
Michael Klishin
2015-02-01 17:49:38 UTC
Then make write and configure permissions blank strings.

MK
But the user shouldn't do anything on entities named "my_queue". It should only consume messages from "my_queue".
Rock Duy
2015-02-01 18:01:24 UTC
If I set:

rabbitmqctl set_permissions my_user "my_queue.*" "^$" "my_queue.*"

user can delete queue, purge queue, declare a new exchange etc, but it
shouldn't.

How to use "AMQP command" in permissions regexp?
[http://www.rabbitmq.com/access-control.html]
Post by Michael Klishin
Then make write and configure permissions blank strings.
MK
Post by Rock Duy
But the user shouldn't do anything on entities named "my_queue". It should
only consume messages from "my_queue".
Michael Klishin
2015-02-01 18:31:41 UTC
You don't specify protocol commands in the regexes. There are 3 regexes for 3 groups of operations, queue names are matched against them. You want to only enable reads on "my_queue".

MK
Post by Rock Duy
rabbitmqctl set_permissions my_user "my_queue.*" "^$" "my_queue.*"
user can delete queue, purge queue, declare a new exchange etc, but it shouldn't.
How to use "AMQP command" in permissions regexp? [http://www.rabbitmq.com/access-control.html]
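The point made in the last reply (three regexes, matched against resource names rather than protocol commands) can be checked with a small model. This is an added example, not part of the thread and not RabbitMQ's code: the operation table is a subset of the mapping on the access-control page linked above, the function names are hypothetical, and the anchored `^my_queue$` variant is an assumption added for comparison.

```python
import re

# Permission each AMQP 0-9-1 operation needs on the named resource
# (subset of the table on the access-control page linked in the thread).
REQUIRED = {
    "queue.declare": "configure",     # passive=false
    "queue.delete": "configure",
    "exchange.declare": "configure",  # passive=false
    "basic.publish": "write",         # checked against the exchange name
    "basic.consume": "read",
    "basic.get": "read",
    "queue.purge": "read",
}
ORDER = ("configure", "write", "read")  # argument order of set_permissions


def allowed(perms, operation, resource_name):
    """perms: (configure, write, read) regexes as passed to set_permissions."""
    pattern = perms[ORDER.index(REQUIRED[operation])]
    if pattern == "":
        pattern = "^$"  # a blank permission matches no named resource
    # Modelled as an unanchored search: "my_queue" also matches "my_queue_backup".
    return re.search(pattern, resource_name) is not None


def report(perms, resource_name="my_queue"):
    """Operations from REQUIRED that the permission triple permits on the name."""
    return sorted(op for op in REQUIRED if allowed(perms, op, resource_name))


# Triples from the thread, plus an anchored read-only variant (assumption).
FIRST_TRY = ("my_queue.*", "^$",
             "^(my_queue.queue.declare|my_queue.queue.consume)$")
SECOND_TRY = ("my_queue.*", "^$", "my_queue.*")
READ_ONLY = ("", "", "^my_queue$")

if __name__ == "__main__":
    for label, perms in (("first try", FIRST_TRY),
                         ("second try", SECOND_TRY),
                         ("read only", READ_ONLY)):
        print(f"{label:10} -> {report(perms)}")
```

With blank configure and write permissions the queue has to exist before `my_user` connects, because a non-passive `queue.declare` needs configure. `queue.purge` stays permitted in the read-only case because it is checked against the same read permission as `basic.consume`.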