rabbitmq / rabbitmq-auth-backend-http

HTTP-based authorisation and authentication for RabbitMQ

Feature request: Passing tags to HTTP backend #79

Closed romerod closed 5 years ago

romerod commented 5 years ago

I started the following discussion in the Google Groups:

https://groups.google.com/forum/#!topic/rabbitmq-users/O7ORCQXvVT8

As it's easier to find, I decided to add it here also; sorry for the duplication.

My idea is to pass the tags which are retrieved in the user_path to the other paths:

- vhost_path
- resource_path
- topic_path

This would make it possible to use the tags which are retrieved in the user_path as roles for authorization.

I might be able to create a PR.

michaelklishin commented 5 years ago

That's not how tags are used at the moment: they are only used to designate management UI/HTTP API roles.

I'm afraid the change would have to go deeper than this plugin and be a breaking plugin API change, so every implementation of the above interface would have to be updated.

Currently we don't see enough interest in propagating tags.

romerod commented 5 years ago

Ah, thanks for responding so fast. A pity.

Sorry I thought changing https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/98d8d4bddd00f22d8ef14463ce5b010cf6e74678/src/rabbit_auth_backend_http.erl#L66 to

```erlang
check_resource_access(#auth_user{username = Username, tags = Tags},
                      #resource{virtual_host = VHost, kind = Type, name = Name},
                      Permission) ->
    bool_req(resource_path, [{username,   Username},
                             {vhost,      VHost},
                             {resource,   Type},
                             {name,       Name},
                             {permission, Permission},
                             {tags,       Tags}]).
```

would implement that, but I never wrote a single line of Erlang.

romerod commented 5 years ago

@michaelklishin sorry for bothering you again, I forked the project to try and make the changes.

I tested it manually and it works; see my changes:

https://github.com/romerod/rabbitmq-auth-backend-http/commit/7b813ce4a14916c943fd03378266544f042ab2ef

Please tell me if you are interested in a PR.

michaelklishin commented 5 years ago

@romerod ah, so we pass around an entire auth_user record from the core. That's definitely convenient for this case.

Please submit a PR, we'd be happy to QA it and refactor as needed. It looks good, even though tag joining would be more straightforward with string:join/2. Good job!

michaelklishin commented 5 years ago

Contributed by @romerod in #80, thank you 👍👍
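
An added example, not code from the plugin or from anyone in this thread: a sketch of the receiving side of `resource_path`, using the `tags` parameter discussed above as roles with a default-deny policy. The function name, the policy table, the whitespace-separated tag encoding and the `allow`/`deny` response bodies are assumptions.

```python
from fnmatch import fnmatchcase
from urllib.parse import parse_qs

# Hypothetical role policy: tag -> rules of (vhost, kind, name pattern, permissions).
POLICY = {
    "orders-writer": [("/prod", "exchange", "orders.*", {"write"})],
    "orders-reader": [("/prod", "queue", "orders.*", {"read"}),
                      ("/prod", "exchange", "orders.*", {"read"})],
}

# Parameter names as they appear in the resource_path snippet in this thread.
REQUIRED = ("username", "vhost", "resource", "name", "permission")


def decide_resource_access(form_body: str) -> str:
    """Return the response body for a resource_path request: "allow" or "deny"."""
    params = parse_qs(form_body, keep_blank_values=True)
    # Fail closed on missing or repeated parameters.
    if any(len(params.get(key, [])) != 1 for key in REQUIRED):
        return "deny"
    if len(params.get("tags", [])) > 1:
        return "deny"
    vhost, kind, name, permission = (params[k][0] for k in REQUIRED[1:])
    # Assumption: tags arrive as one whitespace-separated string.
    tags = params.get("tags", [""])[0].split()
    for tag in tags:
        for r_vhost, r_kind, pattern, perms in POLICY.get(tag, []):
            if (vhost == r_vhost and kind == r_kind
                    and permission in perms and fnmatchcase(name, pattern)):
                return "allow"
    return "deny"  # default deny: unknown or absent tags grant nothing


# Constructed sample request bodies (not captured traffic).
BASE = "username=app1&vhost=%2Fprod&resource=exchange&name=orders.created"
SAMPLES = {
    "writer may write": BASE + "&permission=write&tags=orders-writer+monitoring",
    "writer may not configure": BASE + "&permission=configure&tags=orders-writer",
    "no tags sent": BASE + "&permission=write",
    "duplicate vhost": BASE + "&vhost=%2Fdev&permission=write&tags=orders-writer",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label}: {decide_resource_access(body)}")
```

Because tags also designate management UI/HTTP API roles, as noted earlier in the thread, a policy like this should grant nothing for a tag it does not list explicitly.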