mosquito / aio-pika

AMQP 0.9 client designed for asyncio and humans.
https://aio-pika.readthedocs.org/
Apache License 2.0

declare_queue raises ChannelAccessRefused exception on connection with custom permissions #525

Closed Dementiy closed 1 year ago

Dementiy commented 1 year ago

I'm trying to separate permissions, but there are connection problems. This is my simplified definitions.json:

"exchanges": [
    {
        "name": "jobs",
        "vhost": "/",
        "type": "direct",
        "durable": true,
        "auto_delete": false,
        "internal": false,
        "arguments": {}
    }
],
"users": [
    {
        "name": "admin",
        "password": "admin_pass",
        "tags": "administrator"
    },
    {
        "name": "reader",
        "password": "reader_password",
        "tags": "reader_user"
    }
],
"vhosts": [
    {
        "name": "/"
    }
],
"permissions": [
    {
        "user": "admin",
        "vhost": "/",
        "configure": ".*",
        "write": ".*",
        "read": ".*"
    },
    {
        "user": "reader",
        "vhost": "/",
        "configure": "",
        "write": "",
        "read": ".*"
    }
]

And a listing with a connection example:

# ...
connection = await aio_pika.connect_robust(host=host, port=port, login="reader", password="reader_password")
channel = await connection.channel()
await channel.set_qos(prefetch_count=1)
exchange = await channel.declare_exchange(
    name="jobs",
    type=aio_pika.ExchangeType.DIRECT,
    durable=True,
    auto_delete=False,
    internal=False
)
# ...

As a result I get the following exception:

aiormq.exceptions.ChannelAccessRefused: ACCESS_REFUSED - access to exchange 'jobs' in vhost '/' refused for user 'reader'

If you connect as "admin" then there is no problem. Could you suggest what could be the problem?

mosquito commented 1 year ago

Declaring an exchange without passive=True is a write operation.
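An added example, not code from the issue or from aio-pika: an offline model of how the configure/write/read patterns from the definitions.json above are evaluated for a few AMQP methods. The method table is a subset of the one in RabbitMQ's access-control documentation, which checks a non-passive declare against the configure pattern and a passive declare against none; the queue name `jobs_q` and the function names are assumptions.

```python
import re

# Constructed from the permissions block in the issue's definitions.json.
PERMISSIONS = {
    ("admin", "/"): {"configure": ".*", "write": ".*", "read": ".*"},
    ("reader", "/"): {"configure": "", "write": "", "read": ".*"},
}

# Subset of the method -> (permission, resource kind) table in RabbitMQ's
# access-control documentation. "(passive)" marks a declare with passive=True.
REQUIRED = {
    "exchange.declare": [("configure", "exchange")],
    "exchange.declare(passive)": [],
    "queue.declare": [("configure", "queue")],
    "queue.declare(passive)": [],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
    "basic.publish": [("write", "exchange")],
    "basic.consume": [("read", "queue")],
}


def pattern_matches(pattern, name):
    # Assumption modelled on the broker: '' is treated as '^$' and the
    # pattern is searched for in the resource name, not anchored automatically.
    return re.search(pattern or "^$", name) is not None


def failed_checks(user, vhost, method, names):
    """Return the (permission, kind, name) checks that fail; [] means allowed."""
    perms = PERMISSIONS.get((user, vhost))
    if perms is None:
        return [("access", "vhost", vhost)]
    return [
        (perm, kind, names[kind])
        for perm, kind in REQUIRED[method]
        if not pattern_matches(perms[perm], names[kind])
    ]


if __name__ == "__main__":
    names = {"exchange": "jobs", "queue": "jobs_q"}  # jobs_q is a hypothetical queue
    for method in REQUIRED:
        failed = failed_checks("reader", "/", method, names)
        print(f"reader {method:27} {'ok' if not failed else 'ACCESS_REFUSED ' + str(failed)}")
```

Run as a script, it shows that the reader account can still confirm that `jobs` exists with a passive declare and consume from an existing queue, while anything that creates or binds resources stays with a more privileged account.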