How can queues be made private/secure in RabbitMQ in a multitenancy system?
Question
I have read the Get Started guide provided by RabbitMQ and have even contributed the sixth example to stormed-amqp, so I have an inkling of knowledge about AMQP.
However, the guide is not comprehensive and avoids things like authentication and authorization.
We're designing a multitenancy system that will use RabbitMQ in an RPC-type of situation. What is perhaps different about this implementation of RPC is that the remote procedures will actually be other tenant programs on the system.
Basically, I want to isolate the data buses, which includes the following assertions:
- Our server will not deliver data to the wrong tenant program (this is handled easily and is relevant but not questioned).
- Tenant programs are not able to read data from queues that aren't theirs.
- Tenant programs are not able to write to queues that aren't theirs.
This question is strictly about RabbitMQ security. I know that RabbitMQ supports SSL, which provides end-to-end encryption, and I know RabbitMQ supports username/password authentication. I don't know if these things apply to privatizing queue usage (aka ACL), i.e. the connection may be encrypted, and the user may be verified, but the user can read from / write to all the queues.
Can anybody enlighten me on this more advanced topic? I'm confident that RabbitMQ can support this sort of system but not exactly positive. I know there are things in RabbitMQ that I just don't know about, e.g. what are vhosts and will they help in this situation? I just don't see the solution in my current knowledge limited to routing keys, queue names and exchanges.
Recommended answer
In a multitenancy system you would make queues secure by defining the permissions that users have. Read the access control section of the RabbitMQ admin guide here: http://www.rabbitmq.com/admin-guide.html
Start by making everything happen inside vhosts and block the generic vhost entirely, i.e. don't let anyone declare queues and exchanges on vhost "/".
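As an added example (not part of the answer above or of RabbitMQ's own documentation), the following POSIX shell script applies that advice with rabbitmqctl: one vhost and one user per tenant, each tenant user confined to its own vhost, the RPC server user granted access in every tenant vhost, and the default user's permissions on "/" removed. The vhost naming `tenant_<name>`, the users `acme`, `beta` and `rpc-server`, and the `allowed` helper that mirrors the broker's per-vhost regex check are all assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original answer. By default the rabbitmqctl
# commands are only printed; set RABBITMQCTL=rabbitmqctl to apply them on a broker.
RABBITMQCTL="${RABBITMQCTL:-echo rabbitmqctl}"

GRANTS=""   # local copy of every grant made: "user vhost configure write read"

# grant <user> <vhost> <configure-re> <write-re> <read-re>
# Regexes are written with ^...$ so they only ever match whole resource names.
grant() {
  GRANTS="$GRANTS
$1 $2 $3 $4 $5"
  $RABBITMQCTL set_permissions -p "$2" "$1" "$3" "$4" "$5"
}

# add_tenant <name> <password>: the tenant gets full rights, but only inside its
# own vhost; the RPC server user is granted the same rights there so it can
# reach the tenant's queues and exchanges. Nothing crosses vhost boundaries.
add_tenant() {
  $RABBITMQCTL add_vhost "tenant_$1"
  $RABBITMQCTL add_user "$1" "$2"
  grant "$1" "tenant_$1" '^.*$' '^.*$' '^.*$'
  grant rpc-server "tenant_$1" '^.*$' '^.*$' '^.*$'
}

# Block the generic vhost: the default user keeps no permissions on "/".
block_default_vhost() {
  $RABBITMQCTL clear_permissions -p / guest
}

# allowed <user> <vhost> <configure|write|read> <resource-name>  -> prints yes/no
# Mirrors the broker's check against the grants above: the user needs a grant in
# that vhost whose regex for the operation matches the full name; no grant, no access.
allowed() {
  case "$3" in
    configure) col=3 ;; write) col=4 ;; read) col=5 ;;
    *) echo no; return ;;
  esac
  re=$(printf '%s\n' "$GRANTS" | awk -v u="$1" -v v="$2" -v c="$col" '$1==u && $2==v {print $c}')
  if [ -n "$re" ] && printf '%s\n' "$4" | grep -Eq "$re"; then echo yes; else echo no; fi
}

# Provision the server user, close "/", and create two constructed tenants.
# Passwords are placeholders taken from the environment, never hard-coded.
$RABBITMQCTL add_user rpc-server "${RPC_SERVER_PASSWORD:-change-me}"
block_default_vhost
add_tenant acme "${ACME_PASSWORD:-change-me}"
add_tenant beta "${BETA_PASSWORD:-change-me}"
```

With the grants in place, `acme` can read `acme.rpc.requests` in `tenant_acme` but gets no access at all in `tenant_beta` or on `/`, which is exactly the isolation the question asks for.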