
[Original] RabbitMQ Access Control (translation)

Access Control

When the server first starts running, and detects that its database is uninitialised or has been deleted, it initialises a fresh database with the following resources:

a virtual host named /

a user named guest with a default password of guest, granted full access to the / virtual host.

It is advisable to delete this default guest user, or to change its password to something of your own, especially if your broker is exposed to a public network.

"guest" user can only connect via localhost 

僅能通過 localhost 進行連接配接的 "guest" 使用者 

By default, the guest user is prohibited from connecting to the broker remotely; it can only connect over a loopback interface (i.e. localhost). This applies both to AMQP and to any other protocols enabled via plugins. Any other users you create will not (by default) be restricted in this way.

This behaviour is controlled by the loopback_users entry in the configuration file.

If you wish to allow the guest user to connect from a remote host, you should set the loopback_users configuration item to []. A complete rabbitmq.config which does this would look like:

[{rabbit, [{loopback_users, []}]}].

Doing this lifts the only restriction on an account whose user name and password are public knowledge, so change the guest password (or delete the user) before opening it up.

How permissions work

When an AMQP client establishes a connection to an AMQP server, it specifies a virtual host within which it intends to operate. A first level of access control is enforced at this point, with the server checking whether the user has any permissions to access that virtual host, and rejecting the connection attempt otherwise.
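The two connection-time checks described so far, the loopback_users restriction on guest and the first-level virtual-host check, as an added Python model; this is not code from the original page or from RabbitMQ itself. The broker state (users, vhosts, permission entries) and the peer addresses are constructed for the example, and authentication (the password check) is assumed to have already succeeded.

```python
import ipaddress

# Constructed broker state for the example (not real server output): the
# fresh-database defaults described above, plus one application user "app".
DEFAULT_LOOPBACK_USERS = {"guest"}   # what the broker ships with
OPENED_LOOPBACK_USERS = set()        # the effect of {loopback_users, []}

# vhost -> {user -> (configure, write, read) regex triple}. A user with no
# entry for a vhost has no access to that vhost at all, so the connection
# is rejected before any resource-level check happens.
PERMISSIONS = {
    "/": {
        "guest": (".*", ".*", ".*"),
        "app":   ("^app\\..*$", "^app\\..*$", "^app\\..*$"),
    },
    "/staging": {
        "app": (".*", ".*", ".*"),
    },
}


def is_loopback(peer_ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1 (including the IPv4-mapped form)."""
    addr = ipaddress.ip_address(peer_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def admit_connection(user, vhost, peer_ip,
                     loopback_users=DEFAULT_LOOPBACK_USERS,
                     permissions=PERMISSIONS):
    """Model of the checks run when a connection names its vhost.

    Returns (accepted, reason). The loopback restriction is applied first,
    then the vhost-level check: does this user have any permission entry
    for the requested vhost?
    """
    if user in loopback_users and not is_loopback(peer_ip):
        return False, "user may only connect over a loopback interface"
    if user not in permissions.get(vhost, {}):
        return False, "user has no permissions on vhost %r" % vhost
    return True, "connection accepted"


if __name__ == "__main__":
    print(admit_connection("guest", "/", "127.0.0.1"))
    print(admit_connection("guest", "/", "10.0.0.5"))
    # The weakened config from the text: guest now connects from anywhere.
    print(admit_connection("guest", "/", "10.0.0.5",
                           loopback_users=OPENED_LOOPBACK_USERS))
    print(admit_connection("guest", "/staging", "127.0.0.1"))
```

The last call shows that even a loopback connection by guest is refused for a vhost on which guest has no permission entry; conversely, the "app" user is not in loopback_users, so it may connect remotely to any vhost it has an entry for.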

Resources, i.e. exchanges and queues, are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. A second level of access control is enforced when certain operations are performed on resources.

RabbitMQ distinguishes between configure, write and read operations on a resource. The configure operations create or destroy resources, or alter their behaviour. The write operations inject messages into a resource. The read operations retrieve messages from a resource.

In order to perform an operation on a resource the user must have been granted the appropriate permissions for it. The following table shows what permissions on what type of resource are required for all the AMQP commands which perform permission checks.

AMQP command                     | configure | write                  | read
---------------------------------+-----------+------------------------+------------------
exchange.declare (passive=false) | exchange  |                        |
exchange.declare (passive=true)  |           |                        | exchange
exchange.declare (with AE)       | exchange  | exchange (AE)          | exchange
exchange.delete                  | exchange  |                        |
queue.declare (passive=false)    | queue     |                        |
queue.declare (passive=true)     |           |                        | queue
queue.declare (with DLX)         | queue     | exchange (DLX)         | queue
queue.delete                     | queue     |                        |
exchange.bind                    |           | exchange (destination) | exchange (source)
exchange.unbind                  |           | exchange (destination) | exchange (source)
queue.bind                       |           | queue                  | exchange
queue.unbind                     |           | queue                  | exchange
basic.publish                    |           | exchange               |
basic.get                        |           |                        | queue
basic.consume                    |           |                        | queue
queue.purge                      |           |                        | queue

(AE: alternate exchange; DLX: dead-letter exchange. An empty cell means the command performs no check of that kind.)

Permissions are expressed as a triple of regular expressions, one each for configure, write and read, on a per-vhost basis. The user is granted the respective permission for operations on all resources with names matching the regular expressions. (Note: for convenience RabbitMQ maps AMQP's default exchange's blank name to 'amq.default' when performing permission checks.)

The regular expression '^$' matches nothing but the empty string, so no resource name matches it and the user is effectively stopped from performing any operation. Standard AMQP resource names are prefixed with amq. and server-generated names are prefixed with amq.gen. For example, '^(amq\.gen.*|amq\.default)$' gives a user access to server-generated names and the default exchange. The empty string, '', is a synonym for '^$' and restricts permissions in the exact same way.

RabbitMQ may cache the results of access control checks on a per-connection or per-channel basis. Hence changes to user permissions may only take effect when the user reconnects. When revoking access, do not rely on the permission change alone: close the user's existing connections as well (for example with rabbitmqctl close_connection).
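An added Python model of the resource-level check, covering the command table, the regex triples, the '' / '^$' synonym, the amq.default mapping and the per-channel cache caveat from the last three paragraphs. It is not code from the original page or from RabbitMQ; the regex triples, resource names and the Channel class are constructed for illustration. Matching uses re.search, so a pattern that should match a whole name needs the ^...$ anchors, as the example in the text does; the block also shows what goes wrong without them.

```python
import re

# Which permission on which resource each AMQP 0-9-1 command checks,
# transcribed from the table above. The second element of each pair is
# the keyword name authorize() expects for that resource's name.
COMMAND_CHECKS = {
    "exchange.declare":         [("configure", "exchange")],
    "exchange.declare.passive": [("read", "exchange")],
    "exchange.declare.ae":      [("configure", "exchange"), ("write", "ae"),
                                 ("read", "exchange")],
    "exchange.delete":          [("configure", "exchange")],
    "queue.declare":            [("configure", "queue")],
    "queue.declare.passive":    [("read", "queue")],
    "queue.declare.dlx":        [("configure", "queue"), ("write", "dlx"),
                                 ("read", "queue")],
    "queue.delete":             [("configure", "queue")],
    "exchange.bind":            [("write", "destination"), ("read", "source")],
    "exchange.unbind":          [("write", "destination"), ("read", "source")],
    "queue.bind":               [("write", "queue"), ("read", "exchange")],
    "queue.unbind":             [("write", "queue"), ("read", "exchange")],
    "basic.publish":            [("write", "exchange")],
    "basic.get":                [("read", "queue")],
    "basic.consume":            [("read", "queue")],
    "queue.purge":              [("read", "queue")],
}

# Position of each permission in a (configure, write, read) triple.
PERM_INDEX = {"configure": 0, "write": 1, "read": 2}


def name_matches(pattern: str, name: str) -> bool:
    """Apply one permission regex to one resource name.

    '' is treated as '^$', so it matches only the empty name. The default
    exchange's blank name is checked as 'amq.default', which is why a
    pattern has to mention amq.default to grant access to it. re.search is
    unanchored: a pattern without ^ and $ matches anywhere in the name.
    """
    if pattern == "":
        pattern = "^$"
    if name == "":
        name = "amq.default"
    return re.search(pattern, name) is not None


def authorize(perms, command, **resources):
    """Run every (permission, resource) check the command requires.

    perms: the user's (configure, write, read) regex triple for the vhost.
    resources: resource names keyed by role, e.g. queue="app.q", dlx="dead".
    Returns (allowed, failed_checks); failed_checks lists the
    (permission, role, name) triples that did not match.
    """
    failed = []
    for permission, role in COMMAND_CHECKS[command]:
        name = resources[role]
        if not name_matches(perms[PERM_INDEX[permission]], name):
            failed.append((permission, role, name))
    return not failed, failed


class Channel:
    """A channel that caches its permission decisions for its lifetime.

    perms_table maps user -> regex triple and is shared with the "broker";
    changing it does not affect decisions this channel has already cached,
    which is the behaviour the text warns about.
    """

    def __init__(self, perms_table, user):
        self.perms_table = perms_table
        self.user = user
        self._cache = {}

    def authorize(self, command, **resources):
        key = (command, tuple(sorted(resources.items())))
        if key not in self._cache:
            allowed, _ = authorize(self.perms_table[self.user], command,
                                   **resources)
            self._cache[key] = allowed
        return self._cache[key]


if __name__ == "__main__":
    # Constructed least-privilege producer: may publish to app.events only.
    producer = ("^$", "^app\\.events$", "^$")
    print(authorize(producer, "basic.publish", exchange="app.events"))
    print(authorize(producer, "exchange.declare", exchange="app.events"))
    # Unanchored pitfall: the triple "app" also matches "myapp.secret".
    print(authorize(("app", "app", "app"), "basic.get", queue="myapp.secret"))
```

Two things worth noticing when running it: a queue.declare that names a dead-letter exchange fails when the user lacks write permission on that exchange even though it may configure the queue itself, and a Channel created before a permission change keeps answering from its cache until a new channel (in practice, a reconnect) is opened.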

For details of how to set up access control, please see the access control section of the rabbitmqctl(1) man page.