RabbitMQ学习(八)Access Control访问控制

Access Control

When the server first starts running, and detects that its database is uninitialised or has been deleted, it initialises a fresh database with the following resources:

  • a virtual host named /
  • a user named guest with a default password of guest, granted full access to the / virtual host.

It is advisable to delete the guest user or change the password to something private, particularly if your broker is accessible publicly.

当服务器启动的并检测到它的数据库没有被初始化,或者已经被删除了的时候,就会使用下列资源来初始化一个新的数据库:

1、一个名叫/的虚拟主机

2、一个密码为guest的用户guest,具有虚拟主机/的完全访问权限

我们建议将guest用户删掉,或者将其密码修改了,特别是在你的RabbitMQ broker会在公共场合下被访问的时候。

"guest" user can only connect via localhost

By default, the guest user is prohibited from connecting to the broker remotely; it can only connect over a loopback interface (i.e. localhost). This applies both to AMQP and to any other protocols enabled via plugins. Any other users you create will not (by default) be restricted in this way.

This is configured via the loopback_users item in the configuration file.

If you wish to allow the guest user to connect from a remote host, you should set the loopback_users configuration item to []. A complete rabbitmq.config which does this would look like:

[{rabbit, [{loopback_users, []}]}].
默认情况下guest用户被禁止远程连接到RabbitMQ broker,只能通过一个网络回环接口,比如localhost进行访问。
假如你想要允许guest用户远程连接到你的RabbitMQ broker,那么只需要修改配置文件中的lookback_users配置项,将其改为[]即可,一个完成的配置列子如下所示。
[{rabbit, [{loopback_users, []}]}].

How permissions work

When an AMQP client establishes a connection to an AMQP server, it specifies a virtual host within which it intends to operate. A first level of access control is enforced at this point, with the server checking whether the user has any permissions to access the virtual hosts, and rejecting the connection attempt otherwise.

当一个AMQP客户端连接到AMQP服务器的时候,必须要确定要一个要操作的虚拟主机(virtual host)。第一级访问控制将会在这一点上进行,服务器会检测时候当前用户具备访问这个虚拟主机的权限,如果没有权限则拒绝被连接。

Resources, i.e. exchanges and queues, are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. A second level of access control is enforced when certain operations are performed on resources.

特定虚拟主机中的队列,交换机,以及命名实体等都称之为资源,不同的虚拟主机中即使同名也是不同的资源。二级访问控制就是在资源上面进行,将会对在特定资源上进行的操作进行权限控制,判断是否可以进行。

RabbitMQ distinguishes between configurewrite and read operations on a resource. The configure operations create or destroy resources, or alter their behaviour. The write operations inject messages into a resource. And the read operations retrieve messages from a resource.

RabbitMQ针对一个资源有“配置,写,以及读”三种操作,其中配置操作创建和销毁资源,或者更改其行为,写操作将消息注入到特定资源,读操作从特定资源检索消息。

In order to perform an operation on a resource the user must have been granted the appropriate permissions for it. The following table shows what permissions on what type of resource are required for all the AMQP commands which perform permission checks.

为了在特定资源上进行操作,用户必须被授予正确的针对该资源的权限,下表将会展示在执行AMQP命令的时候,将会针对什么资源进行什么样的权限检测。比如可以看到第五个AMQP命令,在创建队列的时候将会对当前用户进行是否针对队列资源有configure权限的判断。

AMQP command   configure write read
exchange.declare (passive=false) exchange    
exchange.declare (passive=true)      
exchange.declare (with AE) exchange exchange (AE) exchange
exchange.delete   exchange    
queue.declare (passive=false) queue    
queue.declare (passive=true)      
queue.declare (with DLX) queue exchange (DLX) queue
queue.delete   queue    
exchange.bind     exchange (destination) exchange (source)
exchange.unbind     exchange (destination) exchange (source)
queue.bind     queue exchange
queue.unbind     queue exchange
basic.publish     exchange  
basic.get       queue
basic.consume       queue
queue.purge       queue

Permissions are expressed as a triple of regular expressions - one each for configure, write and read - on per-vhost basis. The user is granted the respective permission for operations on all resources with names matching the regular expressions. (Note: For convenience RabbitMQ maps AMQP's default exchange's blank name to 'amq.default' when performing permission checks.)

The regular expression '^$', i.e. matching nothing but the empty string, covers all resources and effectively stops the user from performing any operation. Standard AMQP resource names are prefixed with amq. and server generated names are prefixed with amq.gen. For example, '^(amq\.gen.*|amq\.default)$' gives a user access to server-generated names and the default exchange. The empty string, '' is a synonym for'^$' and restricts permissions in the exact same way.

RabbitMQ may cache the results of access control checks on a per-connection or per-channel basis. Hence changes to user permissions may only take effect when the user reconnects.

For details of how to set up access control, please see the Access Control section of the rabbitmqctl(1) man page.

[{rabbit, [{loopback_users, []}]}].

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值