RabbitMQ users are global to the broker instance, but each user can have his/her own set of permissions for each individual vhost.
Different applications can be totally decoupled using independent users and vhosts.
However, the same application can benefit from the usage of user permissions within the same vhost.
We are going to see how to manage users and their permissions and how to use them in the Java example in Chapter03/Recipe02.
In order to run this recipe, we need to issue some rabbitmqctl configuration commands and exercise the configurations using the usual Java setup.
Perform the following steps to see how to manage users and their permissions as well as how to use them:
- Create some users with their passwords:
rabbitmqctl add_user stat_sender password1 rabbitmqctl add_user stat_receiver password2
- Grant some permissions to them:
rabbitmqctl set_permissions stat_sender "stat_exchange.*""stat_.*" "^$" rabbitmqctl set_permissions stat_receiver "stat_.*""stat_queue_.*" "(stat_exchange_.*)|(stat_queue_.*)"
- Let
Producer.javaconnect to RabbitMQ using thestat_senderuser:factory.setUsername("stat_sender"); factory.setPassword("password1"); - And then perform the following operations:
channel.exchangeDeclare(...); channel.basicPublish(...);
- Let
Consumer.javaconnect using the user,stat_receiver:factory.setUsername("stat_receiver"); factory.setPassword("password2"); - Then perform the following operations:
channel.exchangeDeclare(...); channel.queueDeclare(...); channel.queueBind(...); channel.basicConsume(...);
In this exercise we have created a couple of users (step 1). In order to use them, it is needed to assign permission to them with the command:
rabbitmqctl set_permissions <username> <conf> <write> <read>
Here, <conf>, <write>, and <read> are three regular expressions. The specified <username> will have the permission to configure, write, and read queues and the exchanges matching them.
In our example, Producer.java accesses RabbitMQ with the stat_sender user. As shown in step 4, it has called queueDeclare(); so, it needs to have configuration permission for the exchange named stat_exchange_03/02.
It then publishes messages to the same exchange, so the user needs to have write permissions to it. But then messages will be routed to the stat_queue_03/02 queue; the user also needs write permissions to it or the messages won't be routed to this queue. By setting the write permission to the regular expression "stat_.*", the user is authorized to publish messages to both the exchange and the queue.
Producer.java does not need any read permission. It is possible to deny any read permission by specifying the empty regular expression "^$", as shown in the example, or just an empty string.
On the other side, the user of Consumer.java needs the configure permission on both the exchange and the queue as well as the read permission in our recipe: "stat_.*" is synonymous to "(stat_exchange_.*)|(stat_queue_.*)" in the given example.
Consumer.java also needs write permissions on the stat_queue_03/02 queue to be able to bind the given queue to the exchange.
With users, we can restrict the access and capabilities of different RabbitMQ clients, tuning the set of permissions available to different components of a distributed application and conforming to their roles.
We can set a different set of permissions to each user, which applies to queues and exchanges specifying a pattern following regular expression matching rules.
Permission roles refer to the authorization to access specific AMQP resources:
configure: The authorized user can declare and delete queues and exchanges that match the given patternwrite: The authorized user can bind to queues and exchanges and publish messages to them if they match the given patternread: The authorized user can bind to matching queues and exchanges and consume, get, and purge messages out of them
For the full table of the authorizations needed by the various AMQP operations, you can use the table at http://www.rabbitmq.com/access-control.html.
User permissions refer just to AMQP operations. The RabbitMQ management plugin (more details later in this chapter) extends this permission model using user tags; it's possible to associate one or more arbitrary tag strings to any user.
To let a user access the management plugin, it must have one of the following tags associated to it:
management: The user has access to his/her vhosts only and can view all the queues and the exchanges within themmonitoring: The user has access to all the vhosts and can view all the queues and exchangesadministration: The user can do any administrative task
For example, to assign the administrator tag to a user, use the command:
rabbitmqctl set_user_tags username administrator
The default user, guest, has the administrator tag set by default.