Diffstat (limited to 'src')
| -rw-r--r-- | src/rabbit_access_control.erl | 14 | ||||
| -rw-r--r-- | src/rabbit_table.erl | 10 | ||||
| -rw-r--r-- | src/rabbit_upgrade_functions.erl | 7 | ||||
| -rw-r--r-- | src/rabbit_vhost.erl | 3 |
4 files changed, 33 insertions, 1 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl index 3ae7d7f690..4dff2dbede 100644 --- a/src/rabbit_access_control.erl +++ b/src/rabbit_access_control.erl @@ -19,7 +19,7 @@ -include("rabbit.hrl"). -export([check_user_pass_login/2, check_user_login/2, check_user_loopback/2, - check_vhost_access/3, check_resource_access/3]). + check_vhost_access/3, check_resource_access/3, check_topic_access/4]). %%---------------------------------------------------------------------------- @@ -161,6 +161,18 @@ check_resource_access(User = #user{username = Username, (_, Else) -> Else end, ok, Modules). +check_topic_access(User = #user{username = Username, + authz_backends = Modules}, + Resource, Permission, Context) -> + lists:foldl( + fun({Module, Impl}, ok) -> + check_access( + fun() -> Module:check_topic_access( + auth_user(User, Impl), Resource, Permission, Context) end, + Module, "access to topic '~s' in exchange ~s refused for user '~s'", + [maps:get(routing_key, Context), rabbit_misc:rs(Resource), Username]); + (_, Else) -> Else + end, ok, Modules). check_access(Fun, Module, ErrStr, ErrArgs) -> check_access(Fun, Module, ErrStr, ErrArgs, access_refused). diff --git a/src/rabbit_table.erl b/src/rabbit_table.erl index cae47c08a9..040075ea87 100644 --- a/src/rabbit_table.erl +++ b/src/rabbit_table.erl @@ -21,6 +21,9 @@ check_schema_integrity/1, clear_ram_only_tables/0, retry_timeout/0, wait_for_replicated/0]). +%% for testing purposes +-export([definitions/0]). + -include("rabbit.hrl"). %%---------------------------------------------------------------------------- 
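Review bot: In check_topic_access/4, `maps:get(routing_key, Context)` is evaluated while the ErrArgs list is being built, i.e. before check_access/4 runs, so a Context that lacks a routing_key key raises `{badkey, routing_key}` in the caller instead of yielding the refusal result the fold is designed to propagate; the sibling check_resource_access/3 has no such eager dependency on its inputs. Using `maps:get(routing_key, Context, undefined)` for the log argument (or having the backend fun pull it from Context) keeps the refusal path fail-closed rather than crashing. It is also not visible here whether check_access/5, whose body lies past the end of the hunk, treats an `undef` from an authz backend that does not export check_topic_access/4 the same way as a refusal; if it does not, an older backend in authz_backends turns every topic check into a crash, which is worth confirming. A header comment such as `%% Fails closed: every backend in authz_backends must return ok; Context is expected to carry routing_key.` would document the contract the callers rely on.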
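Review bot: The `-export([definitions/0]).` added to rabbit_table widens the module's production API purely so tests can reach it, and nothing stops other modules from starting to depend on it. If the project builds tests with a TEST macro, wrapping it as `-ifdef(TEST).` / `-export([definitions/0]).` / `-endif.` keeps the test-only surface out of release builds; if no such macro is in use, at least keep the `%% for testing purposes` comment so the intent survives.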
@@ -272,6 +275,13 @@ definitions() -> {match, #user_permission{user_vhost = #user_vhost{_='_'}, permission = #permission{_='_'}, _='_'}}]}, + {rabbit_topic_permission, + [{record_name, topic_permission}, + {attributes, record_info(fields, topic_permission)}, + {disc_copies, [node()]}, + {match, #topic_permission{topic_permission_key = #topic_permission_key{_='_'}, + pattern = '_', + _='_'}}]}, {rabbit_vhost, [{record_name, vhost}, {attributes, record_info(fields, vhost)}, diff --git a/src/rabbit_upgrade_functions.erl b/src/rabbit_upgrade_functions.erl index a53ad0c8f9..c2a1e49b32 100644 --- a/src/rabbit_upgrade_functions.erl +++ b/src/rabbit_upgrade_functions.erl @@ -58,6 +58,7 @@ -rabbit_upgrade({operator_policies, mnesia, [slave_pids_pending_shutdown, internal_system_x]}). -rabbit_upgrade({vhost_limits, mnesia, []}). -rabbit_upgrade({queue_vhost_field, mnesia, [operator_policies]}). +-rabbit_upgrade({topic_permission, mnesia, []}). %% ------------------------------------------------------------------- @@ -564,6 +565,12 @@ user_password_hashing() -> end, [username, password_hash, tags, hashing_algorithm]). +topic_permission() -> + create(rabbit_topic_permission, + [{record_name, topic_permission}, + {attributes, [topic_permission_key, pattern]}, + {disc_copies, [node()]}]). + %%-------------------------------------------------------------------- transform(TableName, Fun, FieldList) -> diff --git a/src/rabbit_vhost.erl b/src/rabbit_vhost.erl index 26b8143fec..6edb62425b 100644 --- a/src/rabbit_vhost.erl +++ b/src/rabbit_vhost.erl 
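Review bot: topic_permission/0 in rabbit_upgrade_functions spells out the attribute list as `[topic_permission_key, pattern]` while the table definition in rabbit_table uses `record_info(fields, topic_permission)`; that duplication is deliberate for an upgrade step, which must describe the schema as it was when the step shipped, but the function carries no comment saying so and the next maintainer may "fix" it. I would add `%% Attribute list is frozen on purpose: a later change to #topic_permission needs a new upgrade step, not an edit of this one.` above the function. The `-rabbit_upgrade({topic_permission, mnesia, []})` entry declares no prerequisite steps, which matches vhost_limits and so is presumably intended, but it is worth confirming that nothing requires this table to exist only after a specific earlier step.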
@@ -121,6 +121,9 @@ internal_delete(VHostPath) -> [ok = rabbit_auth_backend_internal:clear_permissions( proplists:get_value(user, Info), VHostPath) || Info <- rabbit_auth_backend_internal:list_vhost_permissions(VHostPath)], + TopicPermissions = rabbit_auth_backend_internal:list_vhost_topic_permissions(VHostPath), + [ok = rabbit_auth_backend_internal:clear_topic_permissions( + proplists:get_value(user, TopicPermission), VHostPath) || TopicPermission <- TopicPermissions], Fs1 = [rabbit_runtime_parameters:clear(VHostPath, proplists:get_value(component, Info), proplists:get_value(name, Info)) |
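Review bot: In internal_delete, clear_topic_permissions/2 is called once per entry returned by list_vhost_topic_permissions/1, so a user holding topic permissions on several exchanges in the vhost is cleared repeatedly, and the `ok =` match aborts the vhost delete if a second call for the same user does not return ok; whether that call is idempotent is not visible here. Safer to clear each user once: `Users = lists:usort([proplists:get_value(user, P) || P <- TopicPermissions]),` followed by `[ok = rabbit_auth_backend_internal:clear_topic_permissions(U, VHostPath) || U <- Users],`. That also keeps an `undefined` user from reaching clear_topic_permissions if an entry lacks the user key. Getting this right matters because a topic permission left behind for a deleted vhost is a stale authorization record that can be matched again if a vhost of the same name is recreated. internal_delete begins before this hunk and continues after it.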
