Reputation: 1978
Setting permission for a user to only grant publish to a particular queue Q1
Permission
Configure : ""
Write : ^(Q1)|(amqp.default)$
Read : ""
Protocol used : STOMP
RMQ version : 3.6.X
Access is refused when publishing to Q1 using above permissions.
If Configure is set to ^(Q1)$ it works without any issues. But setting the configure permission will also allow the user to perform queue.delete and queue.declare operations on Q1.
Case: Create a queue from the backend/RMQ management so that STOMP clients can publish to it through the direct amqp.default exchange with the queue name as the routing key, so that the client has only write permission to the queue, without configure or read permissions.
What would be the best solution for the same if a user is required only to publish to a queue but not read or configure the queue?
Upvotes: 3
Views: 11912
Reputation: 9637
First, remember that you publish to exchanges in RabbitMQ, not queues. Then, read this table to determine how configure, write and read permissions apply to the operations you'd like to do.
Finally, since the STOMP plugin is used, the user must have configure permission to be able to create the reply queue. This is due to how STOMP is implemented in RabbitMQ (code).
Upvotes: 4
Reputation: 1978
The STOMP protocol requires configure permission, so I had to come up with a different approach. (RabbitMQ code)
Created an exchange E1 and granted the user write permission on it
Bound queue Q1 to E1 so every message published to E1 is routed to Q1
In this approach only write permission is required by the STOMP client to publish to exchange E1, without read or configure permission
Upvotes: 0
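A small model of the broker's permission check, added here as an illustration and not taken from the thread or from RabbitMQ's code, comparing the "configure on Q1" setup from the question with the "write on E1 only" setup from the last answer. It assumes Python's `re` behaves like the broker's regex engine for these patterns; the operation table follows RabbitMQ's access-control documentation, and the names `WITH_CONFIGURE`, `EXCHANGE_ONLY`, `allowed` and `summary` are hypothetical.

```python
import re

# Permissions each operation needs, per RabbitMQ's access-control table.
REQUIRED = {
    "queue.declare": [("configure", "queue")],
    "queue.delete": [("configure", "queue")],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
    "basic.publish": [("write", "exchange")],
    "basic.consume": [("read", "queue")],
}

def matches(pattern, name):
    """Unanchored regex search, as the broker does; '' grants nothing."""
    return re.search(pattern or "^$", name) is not None

def allowed(perms, op, queue="", exchange=""):
    # The default exchange (empty name) is checked as "amq.default".
    names = {"queue": queue, "exchange": exchange or "amq.default"}
    return all(matches(perms[p], names[kind]) for p, kind in REQUIRED[op])

# Constructed permission sets using the names from the thread.
WITH_CONFIGURE = {"configure": "^(Q1)$", "write": "^(Q1)|(amqp.default)$", "read": ""}
EXCHANGE_ONLY = {"configure": "", "write": "^E1$", "read": ""}

def summary(perms):
    return {
        "publish to E1": allowed(perms, "basic.publish", exchange="E1"),
        "declare Q1": allowed(perms, "queue.declare", queue="Q1"),
        "delete Q1": allowed(perms, "queue.delete", queue="Q1"),
        "consume Q1": allowed(perms, "basic.consume", queue="Q1"),
        "bind Q1 to E1": allowed(perms, "queue.bind", queue="Q1", exchange="E1"),
    }

if __name__ == "__main__":
    for label, perms in (("configure on Q1", WITH_CONFIGURE), ("write on E1 only", EXCHANGE_ONLY)):
        print(label, summary(perms))
    # "^(Q1)|(amqp.default)$" is two alternatives, "^(Q1)" or "(amqp.default)$",
    # so it also matches other names that merely start with Q1.
    print(matches("^(Q1)|(amqp.default)$", "Q1-audit"), matches("^(Q1|E1)$", "Q1-audit"))
```

With write on E1 only, the client can publish but cannot declare, delete, consume from or rebind Q1, so the binding has to be created by an administrative user.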