How can queues be made private/secure in RabbitMQ in a multitenancy system?

Problem description

I have read the Get Started guide provided by RabbitMQ and have even contributed the sixth example to stormed-amqp, so I have an inkling of knowledge about AMQP.

However, the guide is not comprehensive and avoids things like authentication and authorization.

We're designing a multitenancy system that will use RabbitMQ in an RPC-type of situation. What is perhaps different about this implementation of RPC is that the remote procedures will actually be other tenant programs on the system.

Basically, I want to isolate the data buses, which includes the following assertions:

  1. Our server will not deliver data to the wrong tenant program (this is handled easily and is relevant but not questioned).
  2. Tenant programs are not able to read data from queues that aren't theirs.
  3. Tenant programs are not able to write to queues that aren't theirs.

This question is strictly about RabbitMQ security. I know that RabbitMQ supports SSL, which provides end-to-end encryption, and I know RabbitMQ supports username/password authentication. I don't know if these things apply to privatizing queue usage (aka ACL), i.e. the connection may be encrypted, and the user may be verified, but the user can read to / write from all the queues.

Can anybody enlighten me on this more advanced topic? I'm confident that RabbitMQ can support this sort of system but not exactly positive. I know there are things in RabbitMQ that I just don't know about, e.g. what are vhosts and will they help in this situation? I just don't see the solution in my current knowledge limited to routing keys, queue names and exchanges.

Recommended answer

In a multitenancy system you would make queues secure by defining the permissions that users have. Read the access control section of the RabbitMQ admin guide here http://www.rabbitmq.com/admin-guide.html

Start by making everything happen inside vhosts and block the generic vhost entirely, i.e. don't let anyone declare queues and exchanges on vhost "/".
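
As an added example (not part of the original answer), the shell functions below print the `rabbitmqctl` commands that give one tenant its own vhost, and list any account that still holds permissions on vhost "/". The tenant name `acme`, the `tenant-` vhost prefix, the pre-existing server account `rpc-server` and the `TENANT_PASSWORD` variable are assumptions.

```shell
#!/bin/sh
# Added example. "acme", the "tenant-" prefix and "rpc-server" are assumed names.

# Print the rabbitmqctl commands that give one tenant its own vhost.
# The name is validated because it is interpolated into shell commands;
# the password is taken from $TENANT_PASSWORD when the output is executed.
tenant_cmds() {
    case "$1" in
        ''|*[!a-z0-9-]*) echo "invalid tenant name" >&2; return 1 ;;
    esac
    cat <<EOF
rabbitmqctl add_vhost tenant-$1
rabbitmqctl add_user $1 "\$TENANT_PASSWORD"
rabbitmqctl set_permissions -p tenant-$1 $1 '.*' '.*' '.*'
rabbitmqctl set_permissions -p tenant-$1 rpc-server '.*' '.*' '.*'
EOF
}

# Read the tab-separated output of `rabbitmqctl list_permissions -p /` on stdin
# and print every user that still has a configure, write or read pattern that
# can match something. An empty pattern or '^$' grants nothing. The banner and
# the "user configure write read" header row are skipped.
users_on_default_vhost() {
    awk -F '\t' '
        function grants(p) { return p != "" && p != "^$" }
        NF == 4 && $1 != "user" && (grants($2) || grants($3) || grants($4)) { print $1 }
    '
}

# Demo on constructed data. On a broker host the audit would be:
#   rabbitmqctl -q list_permissions -p / | users_on_default_vhost
tenant_cmds acme
printf 'guest\t.*\t.*\t.*\nacme\t\t\t\n' | users_on_default_vhost
```

A user gets no permissions on a vhost until `set_permissions` is run for it there, so a tenant created this way can only reach queues and exchanges inside its own vhost.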
