Diffstat (limited to 'src')
-rw-r--r--src/rabbit_access_control.erl14
-rw-r--r--src/rabbit_table.erl10
-rw-r--r--src/rabbit_upgrade_functions.erl7
-rw-r--r--src/rabbit_vhost.erl3
4 files changed, 33 insertions, 1 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 3ae7d7f690..4dff2dbede 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -19,7 +19,7 @@
-include("rabbit.hrl").
-export([check_user_pass_login/2, check_user_login/2, check_user_loopback/2,
- check_vhost_access/3, check_resource_access/3]).
+ check_vhost_access/3, check_resource_access/3, check_topic_access/4]).
%%----------------------------------------------------------------------------
@@ -161,6 +161,18 @@ check_resource_access(User = #user{username = Username,
(_, Else) -> Else
end, ok, Modules).
+check_topic_access(User = #user{username = Username,
+ authz_backends = Modules},
+ Resource, Permission, Context) ->
+ lists:foldl(
+ fun({Module, Impl}, ok) ->
+ check_access(
+ fun() -> Module:check_topic_access(
+ auth_user(User, Impl), Resource, Permission, Context) end,
+ Module, "access to topic '~s' in exchange ~s refused for user '~s'",
+ [maps:get(routing_key, Context), rabbit_misc:rs(Resource), Username]);
+ (_, Else) -> Else
+ end, ok, Modules).
check_access(Fun, Module, ErrStr, ErrArgs) ->
check_access(Fun, Module, ErrStr, ErrArgs, access_refused).
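Review bot: The error-argument list in `check_topic_access/4` evaluates `maps:get(routing_key, Context)` eagerly, so a Context map without that key raises `{badkey, routing_key}` before the backend is asked, even for a request that would have been allowed. That still fails closed, but it surfaces as a crash rather than an `access_refused`, and nothing in the hunk documents what Context must contain. Either bind the key in the head, `Resource, Permission, #{routing_key := RoutingKey} = Context) ->`, so a malformed call fails with a clear function_clause, or use `maps:get(routing_key, Context, <<>>)` when building the message. The routing key is presumably client-supplied and is formatted with `~s` into the refusal text, so it is worth confirming that wherever that text is logged or returned tolerates arbitrary bytes. The `check_access/4` definition after the new function continues outside the hunk.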
diff --git a/src/rabbit_table.erl b/src/rabbit_table.erl
index cae47c08a9..040075ea87 100644
--- a/src/rabbit_table.erl
+++ b/src/rabbit_table.erl
@@ -21,6 +21,9 @@
check_schema_integrity/1, clear_ram_only_tables/0, retry_timeout/0,
wait_for_replicated/0]).
+%% for testing purposes
+-export([definitions/0]).
+
-include("rabbit.hrl").
%%----------------------------------------------------------------------------
@@ -272,6 +275,13 @@ definitions() ->
{match, #user_permission{user_vhost = #user_vhost{_='_'},
permission = #permission{_='_'},
_='_'}}]},
+ {rabbit_topic_permission,
+ [{record_name, topic_permission},
+ {attributes, record_info(fields, topic_permission)},
+ {disc_copies, [node()]},
+ {match, #topic_permission{topic_permission_key = #topic_permission_key{_='_'},
+ pattern = '_',
+ _='_'}}]},
{rabbit_vhost,
[{record_name, vhost},
{attributes, record_info(fields, vhost)},
diff --git a/src/rabbit_upgrade_functions.erl b/src/rabbit_upgrade_functions.erl
index a53ad0c8f9..c2a1e49b32 100644
--- a/src/rabbit_upgrade_functions.erl
+++ b/src/rabbit_upgrade_functions.erl
@@ -58,6 +58,7 @@
-rabbit_upgrade({operator_policies, mnesia, [slave_pids_pending_shutdown, internal_system_x]}).
-rabbit_upgrade({vhost_limits, mnesia, []}).
-rabbit_upgrade({queue_vhost_field, mnesia, [operator_policies]}).
+-rabbit_upgrade({topic_permission, mnesia, []}).
%% -------------------------------------------------------------------
@@ -564,6 +565,12 @@ user_password_hashing() ->
end,
[username, password_hash, tags, hashing_algorithm]).
+topic_permission() ->
+ create(rabbit_topic_permission,
+ [{record_name, topic_permission},
+ {attributes, [topic_permission_key, pattern]},
+ {disc_copies, [node()]}]).
+
%%--------------------------------------------------------------------
transform(TableName, Fun, FieldList) ->
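Review bot: `topic_permission/0` spells the table attributes out literally as `[topic_permission_key, pattern]`, while the definition added in rabbit_table.erl uses `record_info(fields, topic_permission)`, and nothing says why the two differ. The literal list is presumably deliberate, so that the upgrade step stays frozen if the record later gains fields. A one-line comment such as `%% attributes are fixed at the record's shape when this step was written` would keep a later cleanup from switching it to record_info. The `transform/3` definition that follows continues outside the hunk.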
diff --git a/src/rabbit_vhost.erl b/src/rabbit_vhost.erl
index 26b8143fec..6edb62425b 100644
--- a/src/rabbit_vhost.erl
+++ b/src/rabbit_vhost.erl
@@ -121,6 +121,9 @@ internal_delete(VHostPath) ->
[ok = rabbit_auth_backend_internal:clear_permissions(
proplists:get_value(user, Info), VHostPath)
|| Info <- rabbit_auth_backend_internal:list_vhost_permissions(VHostPath)],
+ TopicPermissions = rabbit_auth_backend_internal:list_vhost_topic_permissions(VHostPath),
+ [ok = rabbit_auth_backend_internal:clear_topic_permissions(
+ proplists:get_value(user, TopicPermission), VHostPath) || TopicPermission <- TopicPermissions],
Fs1 = [rabbit_runtime_parameters:clear(VHostPath,
proplists:get_value(component, Info),
proplists:get_value(name, Info))
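Review bot: The new comprehension calls `clear_topic_permissions(User, VHostPath)` once per entry returned by `list_vhost_topic_permissions/1`, but the clear is keyed only by user and vhost. If the listing can return several entries for one user (for instance one per exchange; not visible here), the later calls for that user run after the rows are already gone. Each of them is still asserted with `ok =`, so any other return value would abort the vhost deletion. Deduplicating first makes the intent explicit: `Users = lists:usort([proplists:get_value(user, P) || P <- TopicPermissions])`, then `[ok = rabbit_auth_backend_internal:clear_topic_permissions(U, VHostPath) || U <- Users]`. Stale topic permissions surviving a failed delete would apply again if a vhost of the same name were recreated, so a test covering a user with more than one topic permission in the deleted vhost would be worthwhile. `internal_delete/1` starts and ends outside the hunk.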