| author | Arnaud Cogoluègnes <acogoluegnes@gmail.com> | 2016-12-29 08:49:34 +0100 |
|---|---|---|
| committer | Arnaud Cogoluègnes <acogoluegnes@gmail.com> | 2016-12-29 08:49:34 +0100 |
| commit | cf259df33dc27b9ca99682cdccc1067eb76fd808 (patch) | |
| tree | 6d2ecf3ca87ef5bc83967ed32b1cbed08e965fb2 | |
| parent | 0876ac25d41a647b2f0af5fa186e530ea68b39ef (diff) | |
| download | rabbitmq-server-git-cf259df33dc27b9ca99682cdccc1067eb76fd808.tar.gz | |
Create topic permission table in upgrades
References #505
| -rw-r--r-- | src/rabbit_access_control.erl | 14 | ||||
| -rw-r--r-- | src/rabbit_upgrade_functions.erl | 7 | ||||
| -rw-r--r-- | test/topic_permission_SUITE.erl | 24 |
3 files changed, 34 insertions, 11 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 3ae7d7f690..37b4e817e1 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -19,7 +19,7 @@
 -include("rabbit.hrl").
 
 -export([check_user_pass_login/2, check_user_login/2, check_user_loopback/2,
-         check_vhost_access/3, check_resource_access/3]).
+         check_vhost_access/3, check_resource_access/3, check_topic_access/4]).
 
 %%----------------------------------------------------------------------------
 
@@ -161,6 +161,18 @@ check_resource_access(User = #user{username = Username,
             (_, Else) -> Else
         end, ok, Modules).
 
+check_topic_access(User = #user{username = Username,
+                                authz_backends = Modules},
+                   Resource, Permission, Context) ->
+    lists:foldl(
+        fun({Module, Impl}, ok) ->
+            check_access(
+                fun() -> Module:check_topic_access(
+                    auth_user(User, Impl), Resource, Permission, Context) end,
+                Module, "access to ~s refused for user '~s'",
+                [rabbit_misc:rs(Resource), Username]);
+            (_, Else) -> Else
+        end, ok, Modules).
 
 check_access(Fun, Module, ErrStr, ErrArgs) ->
     check_access(Fun, Module, ErrStr, ErrArgs, access_refused).
diff --git a/src/rabbit_upgrade_functions.erl b/src/rabbit_upgrade_functions.erl
index a53ad0c8f9..c2a1e49b32 100644
--- a/src/rabbit_upgrade_functions.erl
+++ b/src/rabbit_upgrade_functions.erl
@@ -58,6 +58,7 @@
 -rabbit_upgrade({operator_policies, mnesia, [slave_pids_pending_shutdown, internal_system_x]}).
 -rabbit_upgrade({vhost_limits, mnesia, []}).
 -rabbit_upgrade({queue_vhost_field, mnesia, [operator_policies]}).
+-rabbit_upgrade({topic_permission, mnesia, []}).
 
 %% -------------------------------------------------------------------
 
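Review bot: The refusal message built in the new `check_topic_access` (`"access to ~s refused for user '~s'"` with `[rabbit_misc:rs(Resource), Username]`) omits both `Permission` and the routing key carried in `Context`, so a topic-level denial is logged exactly like a plain resource denial and an operator cannot see which routing key was rejected when tuning topic permissions or triaging an access-refused report. Something like `Module, "access to topic '~s' in ~s refused for user '~s'", [maps:get(routing_key, Context, undefined), rabbit_misc:rs(Resource), Username]` makes these events distinguishable in the log. The new export carries no `-spec`; one mirroring `check_resource_access/3` with a trailing `map()` context argument would let Dialyzer check the authz backends that now have to provide `check_topic_access/4`. Because that callback is new, a backend that has not implemented it raises `undef` inside the fun handed to `check_access/4`, and whether that becomes a refusal depends on `check_access/5`, whose body is outside this hunk; either document the requirement for backend authors or guard with `erlang:function_exported(Module, check_topic_access, 4)` so the outcome is defined rather than incidental.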
@@ -564,6 +565,12 @@ user_password_hashing() ->
         end,
         [username, password_hash, tags, hashing_algorithm]).
 
+topic_permission() ->
+    create(rabbit_topic_permission,
+           [{record_name, topic_permission},
+            {attributes, [topic_permission_key, pattern]},
+            {disc_copies, [node()]}]).
+
 %%--------------------------------------------------------------------
 
 transform(TableName, Fun, FieldList) ->
diff --git a/test/topic_permission_SUITE.erl b/test/topic_permission_SUITE.erl
index f408e854d4..2d36cc8551 100644
--- a/test/topic_permission_SUITE.erl
+++ b/test/topic_permission_SUITE.erl
@@ -189,32 +189,36 @@ topic_permission_checks(_Config) ->
 
     User = #auth_user{username = <<"guest">>},
     Topic = #resource{name = <<"amq.topic">>, virtual_host = <<"/">>,
-                      options = #{routing_key => <<"a.b.c">>},
                       kind = topic},
+    Context = #{routing_key => <<"a.b.c">>},
     %% user has access to exchange, routing key matches
-    true = rabbit_auth_backend_internal:check_resource_access(
+    true = rabbit_auth_backend_internal:check_topic_access(
         User,
         Topic,
-        write
+        write,
+        Context
     ),
     %% user has access to exchange, routing key does not match
-    false = rabbit_auth_backend_internal:check_resource_access(
+    false = rabbit_auth_backend_internal:check_topic_access(
         User,
-        Topic#resource{options = #{routing_key => <<"x.y.z">>}},
-        write
+        Topic,
+        write,
+        #{routing_key => <<"x.y.z">>}
     ),
     %% user has access to exchange but not on this vhost
     %% let pass when there's no match
-    true = rabbit_auth_backend_internal:check_resource_access(
+    true = rabbit_auth_backend_internal:check_topic_access(
         User,
         Topic#resource{virtual_host = <<"fancyvhost">>},
-        write
+        write,
+        Context
     ),
     %% user does not have access to exchange
     %% let pass when there's no match
-    true = rabbit_auth_backend_internal:check_resource_access(
+    true = rabbit_auth_backend_internal:check_topic_access(
         #auth_user{username = <<"dummy">>},
         Topic,
-        write
+        write,
+        Context
     ),
     ok.
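Review bot: `topic_permission/0` creates `rabbit_topic_permission` with a bare attribute list `[topic_permission_key, pattern]` and no comment, yet that list has to stay identical to the `#topic_permission{}` record the table stores and to the table definition used at normal boot, and a drift between them is invisible from this file. A one-line comment above the function, e.g. `%% Table backing topic (routing-key) permissions; attributes must match the #topic_permission{} record and the boot-time table definition.`, makes the coupling explicit for whoever writes the next upgrade step. The matching `-rabbit_upgrade({topic_permission, mnesia, []})` attribute in the earlier hunk declares no dependencies, which is fine for a freshly created table, but is worth stating in the same comment so a later transform on this table gets ordered after it.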
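Review bot: The last two cases assert `true` under the comments `%% user has access to exchange but not on this vhost` and `%% user does not have access to exchange`, which pins a permissive default (no configured topic permission means the check passes) but reads as if exchange-level access were verified here, so a reader could conclude that `check_topic_access` enforces exchange permissions when these very assertions show it does not. Rewording them, e.g. `%% no topic permission configured for this user/vhost: the topic check is permissive; exchange-level access is presumably enforced separately by the resource check`, keeps the security model of the new check explicit in the suite. The second case passes a literal `#{routing_key => <<"x.y.z">>}` while the others reuse `Context`; `Context#{routing_key := <<"x.y.z">>}` keeps the map shape consistent if more context keys are added later. There is no case for a `Context` lacking `routing_key`, so whether the check fails closed or passes on a malformed context is not pinned by the suite. The enclosing `topic_permission_checks/1` starts before this hunk.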
\ No newline at end of file |
