【原创】RabbitMQ 之 Access Control（翻译）

Access Control

When the server first starts running, and detects that its database is uninitialised or has been deleted, it initialises a fresh database with the following resources:
当服务器启动运行后，检测到所使用的数据库未进行过初始化，或者被删除了，则会使用如下资源初始化一个新的数据库：
a virtual host named /
使用 / 作为虚拟主机名 a user named guest with a default password of guest, granted full access to the / virtual host.
使用 guest/guest 作为用户名密码，并授予针对 / 虚拟主机的全部权限
It is advisable to deletethe guest user or change the passwordto something private, particularly if your broker is accessible publicly.
建议删除该默认 guest 用户，或者将其密码变更为你自定义的内容，尤其当你的 broker 暴露在公网环境下时。


"guest" user can only connect via localhost
仅能通过 localhost 进行连接的 "guest" 用户

By default, the guest user is prohibited from connecting to the broker remotely; it can only connect over a loopback interface (i.e. localhost). This applies both to AMQP and to any other protocols enabled via plugins. Any other users you create will not (by default) be restricted in this way.
默认情况下，guest 用户被禁止用于非本地的连接；其仅能在通过 loopback 接口（如 localhost）进行连接时使用。该原则对于 AMQP 协议和其他通过插件功能使能的协议都有效。而对于你所创建的任何其他用户，在默认情况下不受该限制约束。

This is configured via the loopback_users item in the configuration file.
可以通过配置文件中的 loopback_users 条目进行相关配置。

If you wish to allow the guest user to connect from a remote host, you should set the loopback_users configuration item to []. A complete rabbitmq.config which does this would look like:
如果你打算允许 guest 用户用于非本地连接，你可以将 loopback_users 条目设置成 [] 。下面给出在 rabbitmq.config 中的完整配置：

[{rabbit, [{loopback_users, []}]}].

How permissions work
权限控制方式

When an AMQP client establishes a connection to an AMQP server, it specifies a virtual host within which it intends to operate. A first level of access control is enforced at this point, with the server checking whether the user has any permissions to access the virtual hosts, and rejecting the connection attempt otherwise.
当一个 AMQP 客户端建立了一条到 AMQP 服务器的连接时，就已经指定了其所使用的虚拟主机。而虚拟主机就是访问权限控制的第一级，因为服务器会校验当前用户是否拥有相关权限来访问对应的虚拟主机，若没有，则会拒绝连接。

Resources, i.e. exchanges and queues, are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. A second level of access control is enforced when certain operations are performed on resources.
而资源，也就是 exchange 和 queue ，实际是指位于特定虚拟主机内容的命名实体；在不同虚拟主机上的同名实体属于不同的资源。访问权限控制的第二级就是针对资源进行可操作性约束实现的。

RabbitMQ distinguishes between configure, write and read operations on a resource. The configure operations create or destroy resources, or alter their behaviour. The write operations inject messages into a resource. And the read operations retrieve messages from a resource.
RabbitMQ 针对资源的操作权限分为 configure 、write 和 read 。
configure 权限用于控制针对资源的创建和删除，或者变更的能力；
write 权限用于限制向资源注入消息的能力；
read 权限用于限制从资源获取消息的能力；

In order to perform an operation on a resource the user must have been granted the appropriate permissions for it. The following table shows what permissions on what type of resource are required for all the AMQP commands which perform permission checks.
为了能够对某种资源进行操作，用户必须被授予相应的权限。下面的表格显示了针对不同类型资源进行 AMQP 命令操作所需的各种权限。

AMQP command

configure
write
read
exchange.declare
(passive=false)
exchange


exchange.declare
(passive=true)



exchange.declare
(with AE)
exchange
exchange (AE)
exchange
exchange.delete

exchange


queue.declare
(passive=false)
queue


queue.declare
(passive=true)



queue.declare
(with DLX)
queue
exchange (DLX)
queue
queue.delete

queue


exchange.bind


exchange (destination)
exchange (source)
exchange.unbind


exchange (destination)
exchange (source)
queue.bind


queue
exchange
queue.unbind


queue
exchange
basic.publish


exchange

basic.get



queue
basic.consume



queue
queue.purge



queue


Permissions are expressed as a triple of regular expressions - one each for configure, write and read - on per-vhost basis. The user is granted the respective permission for operations on all resources with names matching the regular expressions. (Note: For convenience RabbitMQ maps AMQP\'s default exchange\'s blank name to \'amq.default\' when performing permission checks.)
权限通过三元的正则表达式进行描述 - 分别对应 configure 、write 和 read - 以虚拟主机为单位进行配置。用户通过正则匹配决定被授予针对各种资源相应何种权限（注意，为了方便起见，RabbitMQ 会在进行权限检查时，将 AMQP 中的默认 exchange 名，即空字符串，映射为 \'amq.default\'）。


The regular expression \'^$\', i.e. matching nothing but the empty string, covers all resources and effectively stops the user from performing any operation. Standard AMQP resource names are prefixed with amq. and server generated names are prefixed with amq.gen. For example, \'^(amq.gen.*|amq.default)$\' gives a user access to server-generated names and the default exchange. The empty string, \'\' is a synonym for \'^$\' and restricts permissions in the exact same way.
正则表达式 \'^$\' ，即仅对空字符串匹配，将对所有资源产生效果，可以阻止用户执行任何操作。
标准 AMQP 资源名以 amq. 作为前缀；服务器自动生成的名字以 amq.gen 作为前缀。例如，\'^(amq.gen.*|amq.default)$\' 将允许用户访问服务器生成名字的资源，以及默认 exchange 。空字符串 \'\' 与 \'^$\' 是同义的。

RabbitMQ may cache the results of access control checks on a per-connection or per-channel basis. Hence changes to user permissions may only take effect when the user reconnects.
RabbitMQ 可以按照 Connection 或 channel 层次进行权限控制检查结果的缓存。如此的话，针对用户权限的变更将在用户重连后生效。

For details of how to set up access control, please see the Access Control section of the rabbitmqctl(1) man page.