
[Original] RabbitMQ Access Control (translation)

Published: 2025/7/14 Programming Q&A 39 豆豆


Access Control

When the server first starts running, and detects that its database is uninitialised or has been deleted, it initialises a fresh database with the following resources:
  • a virtual host named /
  • a user named guest with a default password of guest, granted full access to the / virtual host.

It is advisable to delete the guest user or change the password to something private, particularly if your broker is accessible publicly.


"guest" user can only connect via localhost

By default, the guest user is prohibited from connecting to the broker remotely; it can only connect over a loopback interface (i.e. localhost). This applies both to AMQP and to any other protocols enabled via plugins. Any other users you create will not (by default) be restricted in this way.

This is configured via the loopback_users item in the configuration file.

If you wish to allow the guest user to connect from a remote host, you should set the loopback_users configuration item to []. A complete rabbitmq.config which does this would look like:
[{rabbit, [{loopback_users, []}]}].

How permissions work

When an AMQP client establishes a connection to an AMQP server, it specifies a virtual host within which it intends to operate. A first level of access control is enforced at this point, with the server checking whether the user has any permissions to access that virtual host, and rejecting the connection attempt otherwise.

Resources, i.e. exchanges and queues, are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. A second level of access control is enforced when certain operations are performed on resources.

RabbitMQ distinguishes between configure, write and read operations on a resource. The configure operations create or destroy resources, or alter their behaviour. The write operations inject messages into a resource. And the read operations retrieve messages from a resource.

In order to perform an operation on a resource the user must have been granted the appropriate permissions for it. The following table shows what permissions on what type of resource are required for all the AMQP commands which perform permission checks.

AMQP command                      configure   write                    read
exchange.declare (passive=false)  exchange
exchange.declare (passive=true)
exchange.declare (with AE)        exchange    exchange (AE)            exchange
exchange.delete                   exchange
queue.declare (passive=false)     queue
queue.declare (passive=true)
queue.declare (with DLX)          queue       exchange (DLX)           queue
queue.delete                      queue
exchange.bind                                 exchange (destination)   exchange (source)
exchange.unbind                               exchange (destination)   exchange (source)
queue.bind                                    queue                    exchange
queue.unbind                                  queue                    exchange
basic.publish                                 exchange
basic.get                                                              queue
basic.consume                                                          queue
queue.purge                                                            queue


Permissions are expressed as a triple of regular expressions - one each for configure, write and read - on a per-vhost basis. The user is granted the respective permission for operations on all resources with names matching the regular expressions. (Note: For convenience RabbitMQ maps AMQP's default exchange's blank name to 'amq.default' when performing permission checks.)


The regular expression '^$', i.e. matching nothing but the empty string, covers all resources and effectively stops the user from performing any operation. Standard AMQP resource names are prefixed with amq. and server generated names are prefixed with amq.gen. For example, '^(amq\.gen.*|amq\.default)$' gives a user access to server-generated names and the default exchange. The empty string, '' is a synonym for '^$' and restricts permissions in the exact same way.
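As an added example (not part of the original page or of RabbitMQ's own code), the following Python models the two-level check described above: the per-vhost lookup that gates the connection, then the (permission, resource) pairs from the table matched against the user's regex triple, including the 'amq.default' mapping and the '' / '^$' synonym. The user store, user names and resource names are constructed, and matching is assumed to be an unanchored search, which is why the page's patterns carry explicit ^ and $.

```python
import re
# Constructed store: (user, vhost) -> (configure, write, read) regexes; "guest" mirrors the fresh-database grant.
USER_PERMISSIONS = {
    ("guest", "/"): (".*", ".*", ".*"),
    ("reporter", "/"): ("^$", "^$", r"^reports\..*$"),            # read-only on reports.* queues
    ("producer", "/"): ("", r"^(amq\.gen.*|amq\.default)$", ""),  # write to default exchange / amq.gen* only
}
INDEX = {"configure": 0, "write": 1, "read": 2}
# Which permission is checked against which resource of each command (the page's table).
CHECKS = {
    "exchange.declare": (("configure", "exchange"),),
    "exchange.delete": (("configure", "exchange"),),
    "queue.declare": (("configure", "queue"),),
    "queue.delete": (("configure", "queue"),),
    "exchange.bind": (("write", "destination"), ("read", "source")),
    "exchange.unbind": (("write", "destination"), ("read", "source")),
    "queue.bind": (("write", "queue"), ("read", "exchange")),
    "queue.unbind": (("write", "queue"), ("read", "exchange")),
    "basic.publish": (("write", "exchange"),),
    "basic.get": (("read", "queue"),),
    "basic.consume": (("read", "queue"),),
    "queue.purge": (("read", "queue"),),
}
# Extra checks when a declare names an alternate or dead-letter exchange ("with AE" / "with DLX").
OPTIONAL = {
    ("exchange.declare", "alternate_exchange"): (("write", "alternate_exchange"), ("read", "exchange")),
    ("queue.declare", "dead_letter_exchange"): (("write", "dead_letter_exchange"), ("read", "queue")),
}

def can_connect(user, vhost):
    # First level: the connection is refused unless the user has any permissions on the vhost.
    return (user, vhost) in USER_PERMISSIONS

def name_matches(pattern, name):
    # Second level: one regex against one resource name, with the page's two special cases.
    name = name or "amq.default"  # the default exchange's blank name is checked as 'amq.default'
    pattern = pattern or "^$"     # '' is a synonym for '^$'
    return re.search(pattern, name) is not None  # assumed unanchored search, hence the ^...$ examples

def authorize(user, vhost, command, passive=False, **resources):
    # True only if every (permission, resource) pair the command requires matches the user's triple.
    if not can_connect(user, vhost):
        return False
    if passive and command.endswith(".declare"):  # passive declares check no permissions
        return True
    checks = list(CHECKS[command]) + [c for (cmd, arg), extra in OPTIONAL.items()
                                      if cmd == command and arg in resources for c in extra]
    return all(name_matches(USER_PERMISSIONS[(user, vhost)][INDEX[perm]], resources[role])
               for perm, role in checks)
```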

RabbitMQ may cache the results of access control checks on a per-connection or per-channel basis. Hence changes to user permissions may only take effect when the user reconnects.

For details of how to set up access control, please see the Access Control section of the rabbitmqctl(1) man page.




Reposted from: https://my.oschina.net/moooofly/blog/406966
