[Other] How to set permissions for producer and consumer users

[aranvir]

Community Support Policy

• I have read RabbitMQ's Community Support Policy

RabbitMQ version used

3.13.7 or older

How is RabbitMQ deployed?

Community Docker image

Steps to reproduce the behavior in question

Hi I have a hard time wrapping my header around the permission definition https://www.rabbitmq.com/docs/3.13/access-control#authorisation. I want to have a separate publisher and consumer user. For the publisher it is fine to have access rights to everything. However, I want the consumer user to be constraint to, well, consuming. I imagine those are quite basic rabbitmq questions but I just couldn't find a clear explanation on this in the docs.

This consumer user needs the permissions to create a queue, bind it to the exchange, and to read messages from the queue. Here, I want to allow ad-hoc subscriptions of new clients. By default, the expectation is that each client will have its own queue. However, I cannot figure out which permissions to set to make this work.

From the docs, I know that I have to set configure, write, and read permissions. Furthermore, I assume the regex string just specifies "grant X on exchange". For example, does this mean I have to give either ALL or NO configuration rights for an exchange?

Lastly - from the permission table I assume the following:

• Queue declaration: Need configuration permission (for a queue that doesn't yet exist...how does that work)
• Queue binding: Need write permission (for a queue that doesn't yet exist...how does that work)
• Queue read: Need reed permission (can be covered with ALL permissions)

The only way I could figure out to make it work is to set config and write permissions to ^q-.*$ and then make it mandatory to have queue names start with q-. Is that how it's supposed to work? Is there no way to give permissions based on "category" like all exchanges or all queues?

[michaelklishin]

@aranvir RabbitMQ 3.13.x is out of community support.

Permissions are based on entity names and thus apply to both current and future queues, streams, exchanges.

I don't know what you mean by "set config" since except for the default user permissions, none of the permissions are managed via rabbitmq.conf.

I don't understand what you mean by "ALL or NO" but yes, that's how the permission works: a given user either has a permission on a given entity (based on what the user's permission pattern matches), or does not.

Separating publishers is a matter of limiting what exchanges they can access. Publishers often do not need to bind an exchange to anything, consumers do all that. I'd start by picking a naming convention for the exchanges you need (unless you plan on using only the built-in amq.* ones), then separating the publishers.

[aranvir]

Thanks for the feedback! I'll switch to v4 asap.

I'm quite new to rabbitmq and other permission concepts I'm used for distinct between using resources and managing resources. Binding a queue to an exchange, creating an exchange, or deleting an exchange are to me very different things. So, I expected that I can give rights to just create queues but not to create exchanges.

The naming convention is a good suggestion. I will apply this.

[michaelklishin]

If your exchanges and queues/streams use different naming patterns — which is the case with the built-in exchanges due to the special prefix they all use — you can grant a user permissions to only exchanges or only queues/streams.