Whether we create a user through the web console or through the command-line tool, a newly created user cannot be used right away: we first have to assign the user to a vhost and then grant permissions on it. Only with those permissions can the user work normally.
So today we'll take a look at the RabbitMQ permission system and see what it looks like.
1. Introduction to the RabbitMQ permission system
RabbitMQ has implemented ACL-style permissions since version 1.6. If you are not familiar with ACL-style permissions, check out the following articles:
- How to refine the granularity of permissions in Spring Security?
- A case study of super-granular permission control in Spring Security!
The ACL-style permission system allows very fine-grained permission control: read, write, and configure permissions can be set separately for different users.
There are three different permissions involved:
- Read: all operations related to consuming messages, including purging an entire queue.
- Write: publishing messages.
- Configure: creating and deleting queues, exchanges, and so on.
This is a brief introduction to the RabbitMQ permission system.
2. Mapping between operations and permissions
The following figure shows the mapping between operations and permissions:
[Figure: rabbitmq_permission, the operation-to-permission mapping table. An Excel spreadsheet of this table is also available.]
This table clearly describes which permissions are required to execute which commands.
3. Permission operation commands
The permission command in RabbitMQ has the following format:
rabbitmqctl set_permissions [-p vhost] {user} {conf} {write} {read}
The parameters are as follows:
- [-p vhost]: the vhost on which the user is granted access. If omitted, it defaults to /.
- user: the user name.
- conf: the resources on which the user has configure permission (regular expressions are supported).
- write: the resources on which the user has write permission (regular expressions are supported).
- read: the resources on which the user has read permission (regular expressions are supported).
For what configure, write, and read permissions each allow, refer to section 2.
Songo gives a simple example.
Suppose we have a user named zhangsan and we want this user to have all permissions on the myvh virtual host. The command is as follows:
rabbitmqctl set_permissions -p myvh zhangsan ".*" ".*" ".*"
The result is as follows:
To verify the authorization, run the following command:
rabbitmqctl -p myvh list_permissions
As you can see, zhangsan's permissions have been granted.
In the authorization command above we used ".*". Here is what the patterns mean:
- ".*": matches all exchanges and queues.
- "javaboy-.*": matches exchanges and queues whose names start with javaboy-.
- "": matches no queues or exchanges (you can use this if you want to revoke a user's permissions).
We can also remove a user's permissions on a vhost with the following command; for example, to remove zhangsan's permissions on myvh:
rabbitmqctl clear_permissions -p myvh zhangsan
After the command is executed, run the rabbitmqctl -p myvh list_permissions command to check whether the execution result has taken effect. The result is as follows:
The rabbitmqctl -p myvh list_permissions command only queries permissions on a single vhost. To list a user's permissions on all vhosts, for example those of lisi, run:
rabbitmqctl list_user_permissions lisi
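To make the pattern rules above concrete, here is an added Python model of how RabbitMQ evaluates a user's conf/write/read patterns against a resource name. This is example code written for this article, not RabbitMQ's own implementation: the list_permissions output it parses is constructed sample text, the operation-to-permission table contains only the operations described in section 1, and treating a pattern as a full match against the resource name (with the empty pattern granting nothing) is an assumption made here.

```python
import re
from typing import Dict, NamedTuple

# Which permission each operation needs, following section 1 of the article:
# read = consuming (including purging a queue), write = publishing,
# configure = declaring/deleting queues and exchanges. Other operations are omitted.
OPERATION_PERMISSION = {
    "queue.declare": "configure",
    "queue.delete": "configure",
    "exchange.declare": "configure",
    "exchange.delete": "configure",
    "basic.publish": "write",
    "basic.consume": "read",
    "queue.purge": "read",
}


class Permission(NamedTuple):
    configure: str
    write: str
    read: str


# Constructed sample of `rabbitmqctl -p myvh list_permissions` output (not real output).
# zhangsan has everything, lisi may only configure/publish to javaboy-* resources,
# wangwu has had all three patterns cleared to "" (effectively revoked).
SAMPLE_OUTPUT = (
    'Listing permissions for vhost "myvh" ...\n'
    "user\tconfigure\twrite\tread\n"
    "zhangsan\t.*\t.*\t.*\n"
    "lisi\tjavaboy-.*\tjavaboy-.*\t.*\n"
    "wangwu\t\t\t\n"
)


def parse_list_permissions(output: str) -> Dict[str, Permission]:
    """Parse the tab-separated rows of list_permissions into a user -> Permission map.

    Lines that are not exactly four tab-separated fields (the banner) and the
    column header row are skipped.
    """
    perms: Dict[str, Permission] = {}
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or parts[0] == "user":
            continue
        user, conf, write, read = parts
        perms[user] = Permission(conf, write, read)
    return perms


def pattern_allows(pattern: str, resource: str) -> bool:
    """Assumption: an empty pattern grants nothing; otherwise the regex must
    match the entire resource name, so "javaboy-.*" covers "javaboy-orders"
    but not "orders"."""
    if pattern == "":
        return False
    return re.fullmatch(pattern, resource) is not None


def is_allowed(perms: Dict[str, Permission], user: str, operation: str, resource: str) -> bool:
    """Decide whether `user` may perform `operation` on `resource` on this vhost.

    A user with no permission row on the vhost is denied outright, which is
    why a freshly created user cannot do anything until set_permissions is run.
    """
    if user not in perms:
        return False
    needed = OPERATION_PERMISSION[operation]
    return pattern_allows(getattr(perms[user], needed), resource)


if __name__ == "__main__":
    table = parse_list_permissions(SAMPLE_OUTPUT)
    for user, op, res in [
        ("zhangsan", "queue.declare", "orders"),
        ("lisi", "queue.declare", "javaboy-orders"),
        ("lisi", "queue.declare", "orders"),
        ("wangwu", "basic.publish", "orders"),
    ]:
        print(f"{user:9} {op:16} {res:15} -> {'allow' if is_allowed(table, user, op, res) else 'deny'}")
```

Feeding the real output of `rabbitmqctl -p <vhost> list_permissions` into parse_list_permissions gives a quick offline way to review which users can declare, publish to, or consume from a given queue before the rules go live; the wangwu row shows that clearing the patterns to "" is equivalent to revoking access, as the article notes.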
4. Perform operations on the Web management page
Of course, if you don't want to type commands, you can also manage permissions from the web management console.
In the Admin tab, click a user name to set that user's permissions, as shown below:
Permissions can be set or cleared.
There is also Topic Permissions, a feature added in RabbitMQ 3.7 that lets you set permissions on topic exchanges, mainly for STOMP or MQTT. This setting is rarely used in everyday Java development. If no topic permissions are set for a user, the user is allowed access to the corresponding topic exchanges.
5. Summary
That's a brief look at RabbitMQ permission management for those who are interested.