rabbitmq / rabbitmq-auth-backend-http

HTTP-based authorisation and authentication for RabbitMQ

RabbitMQ permissions with wildcards in topic #98

Closed andreagilardoni closed 4 years ago

andreagilardoni commented 4 years ago

I am writing a web app that integrates with rabbitmq-auth-backend-http and provides authentication given some permission rules. In my specific case I would like to restrict the access of a topic containing a wildcard only to the topics the user is allowed to access.

Example: Topics are structured as follows:

'application..feature'

The user A is able to access applications with id 1, but not applications with id 2, thus the user when subscribing to 'application.*.feature' should be allowed and listen only to messages in the topic 'application.1.feature'. This has to be extended to a situation where the user could potentially listen for messages coming from more than one topic.

The issue is that I am not able to provide a response to the plugin rabbitmq-auth-backend-http stating that the user is allowed but restricted to only certain topics. Is my request beyond rabbitmq protocol permission or is it this plugin that has not implemented this yet?

michaelklishin commented 4 years ago

Thank you for your time.

Team RabbitMQ uses GitHub issues for specific actionable items engineers can work on. This assumes that we have a certain amount of information to work with.

Getting all the details necessary to reproduce an issue, make a conclusion or even form a hypothesis about what's happening can take a fair amount of time. Our team is multiple orders of magnitude smaller than the RabbitMQ community. Please help others help you by providing a way to reproduce the behavior you're observing and sharing as much relevant information as possible on the list:

Feel free to edit out hostnames and other potentially sensitive information.

When/if we have a complete enough understanding of what's going on, a recommendation will be provided or a new issue with more context will be filed.

Thank you.

michaelklishin commented 4 years ago

I'm afraid I do not understand what is being asked here. This plugin does not control how topic permissions are enforced. This sounds like something that belongs to the mailing list at this point.

It's fairly unlikely that we will be changing how topic permissions work, there are too many other streams of work at play at the moment.

michaelklishin commented 4 years ago

Topic permissions use regular expressions and a small subset of expandable variables (such as user name). The docs admittedly need more examples but I don't see what is missing. Wildcards are trivially simulated with regular expressions.
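
An added example, not part of the thread and not the plugin's or any participant's code: decision logic a web app behind the plugin's topic endpoint could apply, answering allow or deny per request, so a wildcard binding key that would span other applications is refused rather than filtered. It assumes the topic layout is `application.<id>.feature` with a numeric id; the `ALLOWED_APPS` policy, the user names and the function names are constructed for illustration.

```python
import re

# Constructed sample policy: user name -> application ids it may read.
ALLOWED_APPS = {"userA": {"1"}, "userB": {"1", "2"}}

# Assumed topic layout: application.<id>.feature with a literal numeric id.
# The AMQP wildcards '*' and '#' deliberately do not match this pattern.
KEY_RE = re.compile(r"application\.(\d+)\.feature")


def topic_decision(params):
    """Return 'allow' or 'deny' for one topic authorisation request.

    params carries the fields the plugin sends to its topic endpoint:
    username, vhost, resource, name, permission, routing_key.
    """
    if params.get("resource") != "topic":
        return "deny"
    match = KEY_RE.fullmatch(params.get("routing_key") or "")
    if match is None:
        # Includes wildcard keys such as application.*.feature: the answer
        # is all-or-nothing, so a key that could span other ids is refused.
        return "deny"
    allowed = ALLOWED_APPS.get(params.get("username"), set())
    return "allow" if match.group(1) in allowed else "deny"


def read_regex(username):
    """Build the equivalent anchored regular expression for one user,
    the form a regex-based topic permission would take (None if no ids)."""
    ids = sorted(ALLOWED_APPS.get(username, ()))
    if not ids:
        return None
    return r"^application\.(" + "|".join(re.escape(i) for i in ids) + r")\.feature$"


def _request(user, key, permission="read"):
    # Helper that builds a constructed request body for the checks below.
    return {"username": user, "vhost": "/", "resource": "topic",
            "name": "amq.topic", "permission": permission, "routing_key": key}


if __name__ == "__main__":
    for user, key in [("userA", "application.1.feature"),
                      ("userA", "application.2.feature"),
                      ("userA", "application.*.feature"),
                      ("userB", "application.2.feature")]:
        print(user, key, topic_decision(_request(user, key)))
    print(read_regex("userB"))
```

With this policy a client that wants several applications binds once per permitted id instead of using one wildcard binding.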