[{rabbit, [{loopback_users, []}]}].
How permissions work
When an AMQP client establishes a connection to an AMQP server, it specifies the virtual host within which it intends to operate. The first level of access control is enforced at this point: the server checks whether the user has any permissions on that virtual host and rejects the connection attempt if it has none.
Resources, i.e. exchanges and queues, are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. The second level of access control is enforced when certain operations are performed on these resources.
RabbitMQ distinguishes between configure, write and read operations on a resource. Configure operations create or destroy resources, or alter their behaviour; write operations inject messages into a resource; read operations retrieve messages from a resource.
In order to perform an operation on a resource the user must have been granted the appropriate permission for it. The following table shows which permission on which type of resource is required for every AMQP command that performs a permission check. An empty cell means the command performs no check of that kind; AE is the alternate exchange and DLX the dead letter exchange named in the declare arguments.
AMQP command                      | configure | write                   | read
----------------------------------+-----------+-------------------------+-------------------
exchange.declare (passive=false)  | exchange  |                         |
exchange.declare (passive=true)   |           |                         |
exchange.declare (with AE)        | exchange  | exchange (AE)           | exchange
exchange.delete                   | exchange  |                         |
queue.declare (passive=false)     | queue     |                         |
queue.declare (passive=true)      |           |                         |
queue.declare (with DLX)          | queue     | exchange (DLX)          | queue
queue.delete                      | queue     |                         |
exchange.bind                     |           | exchange (destination)  | exchange (source)
exchange.unbind                   |           | exchange (destination)  | exchange (source)
queue.bind                        |           | queue                   | exchange
queue.unbind                      |           | queue                   | exchange
basic.publish                     |           | exchange                |
basic.get                         |           |                         | queue
basic.consume                     |           |                         | queue
queue.purge                       |           |                         | queue
Permissions are expressed as a triple of regular expressions, one each for configure, write and read, on a per-vhost basis. The user is granted the respective permission for operations on all resources whose names match the corresponding regular expression. (Note: for convenience, RabbitMQ maps the blank name of AMQP's default exchange to 'amq.default' when performing permission checks, so a pattern must match 'amq.default' to allow publishing to the default exchange.)
The regular expression '^$' matches nothing but the empty string, and since no resource has an empty name (the default exchange is checked as 'amq.default') it matches no resource at all; it therefore stops the user from performing any operation of that kind. Standard AMQP resource names are prefixed with amq. and server-generated names are prefixed with amq.gen. For example, '^(amq.gen.*|amq.default)$' gives a user access to server-generated names and the default exchange. Note that '.' in these patterns is the regular-expression wildcard, so 'amq.gen' also matches names such as 'amqXgen'; escape it as 'amq\.gen' when the exact prefix matters. The empty string '' is a synonym for '^$' and restricts permissions in exactly the same way; it is not treated as a pattern that matches everything.
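The following is an added example, not RabbitMQ's own code: a small Python model of the two-level check described above, driven by the permission table and the regular-expression triple. The sample users, vhost and resource names are constructed for illustration. It assumes RabbitMQ matches the patterns without implicit anchoring (so patterns should carry ^ and $ as the documentation's examples do) and that a permission record with three empty patterns still grants the connection-time vhost check; the command keys such as "queue.declare.dlx" are this example's own naming for the table rows.

```python
import re

# Table above as data: each command maps to the (permission, resource role)
# pairs it checks. An empty list means only the vhost check applies.
PERMISSION_TABLE = {
    "exchange.declare":         [("configure", "exchange")],
    "exchange.declare.passive": [],
    "exchange.declare.ae":      [("configure", "exchange"), ("write", "ae"), ("read", "exchange")],
    "exchange.delete":          [("configure", "exchange")],
    "queue.declare":            [("configure", "queue")],
    "queue.declare.passive":    [],
    "queue.declare.dlx":        [("configure", "queue"), ("write", "dlx"), ("read", "queue")],
    "queue.delete":             [("configure", "queue")],
    "exchange.bind":            [("write", "destination"), ("read", "source")],
    "exchange.unbind":          [("write", "destination"), ("read", "source")],
    "queue.bind":               [("write", "queue"), ("read", "exchange")],
    "queue.unbind":             [("write", "queue"), ("read", "exchange")],
    "basic.publish":            [("write", "exchange")],
    "basic.get":                [("read", "queue")],
    "basic.consume":            [("read", "queue")],
    "queue.purge":              [("read", "queue")],
}

# Constructed sample permissions, keyed by (user, vhost), holding the
# (configure, write, read) triple that
#   rabbitmqctl set_permissions -p / app "^$" "^(amq.gen.*|amq.default)$" "^amq.gen.*$"
# would store. "app" may only publish to the default exchange and use
# server-named resources; "nobody" has a record but can do nothing.
PERMISSIONS = {
    ("ops", "/"):    (".*", ".*", ".*"),
    ("app", "/"):    ("^$", "^(amq.gen.*|amq.default)$", "^amq.gen.*$"),
    ("nobody", "/"): ("", "", ""),
}


def pattern_matches(pattern, name):
    """Apply one permission pattern to a resource name.

    '' is a synonym for '^$' and must be special-cased: an empty Python
    regex would match every name, the opposite of what RabbitMQ means.
    Assumption: matching is unanchored (re.search), so anchor patterns.
    """
    if pattern == "":
        pattern = "^$"
    return re.search(pattern, name) is not None


def check_access(command, user, vhost, **resources):
    """Return True if user may perform command in vhost on the named resources.

    resources are keyed by the role names used in PERMISSION_TABLE, e.g.
    check_access("queue.bind", "app", "/", queue="amq.gen-1", exchange="amq.gen-2").
    """
    # First level: connection-time check for any permission record on the vhost.
    triple = PERMISSIONS.get((user, vhost))
    if triple is None:
        return False
    regex_for = dict(zip(("configure", "write", "read"), triple))
    # Second level: per-operation checks from the table.
    for permission, role in PERMISSION_TABLE[command]:
        name = resources[role]
        # The default exchange's blank name is checked as 'amq.default'.
        if name == "":
            name = "amq.default"
        if not pattern_matches(regex_for[permission], name):
            return False
    return True


if __name__ == "__main__":
    for args in [
        ("basic.publish", "app", "/", {"exchange": ""}),
        ("basic.publish", "app", "/", {"exchange": "orders"}),
        ("queue.declare", "app", "/", {"queue": "amq.gen-abc"}),
        ("basic.consume", "app", "/", {"queue": "amqXgen-1"}),   # unescaped '.'
        ("basic.get", "nobody", "/", {"queue": "orders"}),
    ]:
        command, user, vhost, res = args
        print(command, user, vhost, res, "->", check_access(command, user, vhost, **res))
```

The "amqXgen-1" case shows the unescaped-dot caveat: the page's example pattern accepts it because '.' matches any character. Writing the patterns as "^(amq\.gen.*|amq\.default)$" closes that gap.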
RabbitMQ may cache the results of access control checks on a per-connection or per-channel basis. Changes to user permissions may therefore only take effect when the user reconnects; revoking a permission does not necessarily stop operations on an existing connection, so close that connection if the change must apply immediately.
For details of how to set up access control, please see the Access Control section of the rabbitmqctl(1) man page.