We are running RabbitMQ 3.6.5 in a Windows environment and are using the LDAP plugin. This allows our developers to view the queues and inspect the messages. By default, the RabbitMQ LDAP plugin allows "all users to access all objects in all vhosts" (as documented here). This includes the ability to publish messages directly from the LDAP plugin. What we would like to do is deny this permission to LDAP users, while still allowing them to see the queues.

According to the LDAP plugin page, this is accomplished by inserting Erlang queries into the RabbitMQ configuration. Using the examples on that page, we first tried simply granting read permission with this query (LDAP specifics changed):

{resource_access_query,
      {for, [{permission, configure, {in_group, "OU=someGroup,OU=Departments,OU=ABC,DC=ABC,DC=ORG"}},
             {permission, read, {constant, true}}
            ]
      }}

When that had no effect, we tried explicitly denying write permissions:

{resource_access_query,
    {for, [{resource, queue,
            {for, [{permission, configure,
                    {in_group, "OU=someGroup,OU=Departments,OU=ABC,DC=ABC,DC=ORG"}},
                   {permission, write, {constant, false}},
                   {permission, read,  {constant, true}}
                  ]}}
          ]}}

Unfortunately that had no effect either. In both cases, LDAP users were still able to publish messages in the LDAP plugin.

Does anybody know what we are missing?

JamesQMurphy

1 Answer

The RabbitMQ team monitors this mailing list and only sometimes answers questions on StackOverflow.
You need to read the RabbitMQ Access Control guide as well, specifically this section. Messages are published to Exchanges in RabbitMQ, not Queues, via the basic.publish AMQP 0.9.1 method. In your case deny write permission to the exchange resource and grant read permission to the queue resource.

Once you have configured the LDAP plugin correctly, I strongly recommend enabling the auth cache plugin. Otherwise, LDAP queries will be made when every message is published or read, as well as all other operations requiring authorization.

Luke Bakken
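The answer's point, write on the exchange versus read on the queue, as an added rabbitmq.config fragment that is not from the question or the answer. The server, the user DN pattern and the admin group DN are placeholders; in_group inspects the group object's "member" attribute, so the DN must name a group, not an OU as in the question's attempts.

```erlang
%% rabbitmq.config (classic Erlang-term format used by RabbitMQ 3.6.x)
[
 {rabbit, [
   %% Authenticate and authorise against LDAP only (assumed setup).
   {auth_backends, [rabbit_auth_backend_ldap]}
 ]},
 {rabbitmq_auth_backend_ldap, [
   %% Placeholders: substitute your own directory server and DN layout.
   {servers,         ["ldap.example.org"]},
   {user_dn_pattern, "CN=${username},OU=Users,DC=ABC,DC=ORG"},
   %% Log every LDAP query while testing so each allow/deny decision is visible.
   {log, true},

   %% Admin group placeholder. in_group checks this object's "member"
   %% attribute for the user's DN, so it has to be a group, not an OU.
   {resource_access_query,
    {for, [
      %% configure (declare/delete exchanges and queues): admins only
      {permission, configure,
       {in_group, "CN=rabbitmq-admins,OU=Groups,DC=ABC,DC=ORG"}},

      %% write: basic.publish needs write on the EXCHANGE (the management
      %% UI's "Publish message" on a queue page goes through the default
      %% exchange, amq.default, so it is covered as well); queue.bind needs
      %% write on the QUEUE. Restricting both to admins is what stops
      %% developers from publishing.
      {permission, write,
       {for, [{resource, exchange,
               {in_group, "CN=rabbitmq-admins,OU=Groups,DC=ABC,DC=ORG"}},
              {resource, queue,
               {in_group, "CN=rabbitmq-admins,OU=Groups,DC=ABC,DC=ORG"}}]}},

      %% read: basic.get / basic.consume (the UI's "Get messages") need read
      %% on the QUEUE, so every LDAP user may inspect queues; read on an
      %% exchange is only needed for binding, so keep that to admins.
      {permission, read,
       {for, [{resource, queue, {constant, true}},
              {resource, exchange,
               {in_group, "CN=rabbitmq-admins,OU=Groups,DC=ABC,DC=ORG"}}]}}
    ]}}
 ]}
].
```

Once the rules behave as expected, set {log, false} and, as the answer recommends, enable rabbitmq_auth_backend_cache and point auth_backends at rabbit_auth_backend_cache with {cached_backend, rabbit_auth_backend_ldap} so each publish and consume no longer triggers an LDAP round trip.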
  • Hey, James. Can you take a look at https://stackoverflow.com/questions/60676864/search-my-code-and-throw-exception-from-powershell – Steve Wash Mar 13 '20 at 20:36