rabbitmq / rabbitmq-stomp

RabbitMQ STOMP plugin
https://www.rabbitmq.com/stomp.html

Write-only permissions on STOMP queues #147

Closed jmico closed 4 years ago

jmico commented 4 years ago

When a STOMP plugin (or WebStomp) is open to the internet you can't completely trust login credentials:

Currently /topic can be properly made read-only with set_topic_permissions. Temporary queues /temp-queue are secure, as only the connection that creates them can read from them.

The problem is that currently there is no mechanism to forbid certain STOMP users from consuming from /queue, as set_permissions is not fine-grained enough.

A broad restriction forbidding SUBSCRIBE to any queue will be enough. It could even be hardcoded to the guest user.

michaelklishin commented 4 years ago

The scenario where you open up a broker for public writes is hardly a common one. /amq/queue gives you the most flexibility. We don't have plans to change the permission system. Unfortunately no system would work equally well for all four protocols we support.

michaelklishin commented 4 years ago

Yeah, and we most certainly don't want to introduce any changes that would be hardcoded to a specific user or cover a very specific use case such as "an overlay that prevents all consumption". The permission system actually is flexible enough, but STOMP has so many ways of doing things using different destinations that there always will be a blind spot of some kind.

/queue/{name} destinations use the same naming scheme which is user-independent, and it makes it harder to separate permissions for STOMP users, but it is not the case for other protocols and even STOMP destinations.

jmico commented 4 years ago

Thanks for your reply :)