Authorization

General

KubeMQ's Authorization feature allows controlling the access of clients to KubeMQ resources.

How Permissions Works

When a client wants to perform an operation such as sending data to a channel, subscribing to a channel, or pulling messages from a queue, the KubeMQ server checks whether the client has permission for the relevant resource and action. The client must have been granted a matching permission rule to complete the operation.
An access control permission rule consists of 4 objects:
  1. Source - the client_id of each message or request
  2. Resource Type - Events, EventsStore, Queues, Commands, Queries
  3. Resource Name - Channel
  4. Action - Read, Write

Authorization Configuration

Access Control Permission Record

An access control permission record consists of 8 fields:

| Field | Type | Description |
| --- | --- | --- |
| ClientID | string | Client ID - regular expression |
| Events | bool | Allow access to events, true/false |
| EventsStore | bool | Allow access to events_store, true/false |
| Queues | bool | Allow access to queues, true/false |
| Commands | bool | Allow access to commands, true/false |
| Queries | bool | Allow access to queries, true/false |
| Channel | string | Channel name - regular expression |
| Read | bool | Allow reading from a resource (i.e., subscribe to a channel), true/false |
| Write | bool | Allow writing to a resource (i.e., send message to a channel), true/false |

The regular expressions for ClientID and Channel allow great flexibility for access control permissions. Let's see some examples.

For ClientID:

| ClientID Regular Expression | Will Grant Access To |
| --- | --- |
| client-redis | clients with client_id = 'client-redis' |
| client* | any client_id starting with 'client' |
| .* | any client_id |

For Channel:

| Channel Regular Expression | Will Grant Access To |
| --- | --- |
| foo.bar | Channel = 'foo.bar' |
| foo.bar* | Any channel starting with foo.bar |
| .* | Any channel |

Access Control Permission Rules Set

An array of access control permission records forms an access control permission rules set. Every operation is checked against all the records in the rules set; to grant access to a resource, at least one rule must satisfy the permission requirements.

Examples

Grant access only to client-a to the Events resource, both read and write, on any channel:

```json
[
  {
    "ClientID": "client-a",
    "Events": true,
    "EventsStore": false,
    "Queues": false,
    "Commands": false,
    "Queries": false,
    "Channel": ".*",
    "Read": true,
    "Write": true
  }
]
```

Grant access to all client IDs starting with sub. to all resources, for reading only, on the foo.bar channel:

```json
[
  {
    "ClientID": "sub.*",
    "Events": true,
    "EventsStore": true,
    "Queues": true,
    "Commands": true,
    "Queries": true,
    "Channel": "foo.bar",
    "Read": true,
    "Write": false
  }
]
```

Grant client-1 access to send events only to foo.bar.1, and client-2 to send events only to foo.bar.2:

```json
[
  {
    "ClientID": "client-1",
    "Events": true,
    "EventsStore": false,
    "Queues": false,
    "Commands": false,
    "Queries": false,
    "Channel": "foo.bar.1",
    "Read": false,
    "Write": true
  },
  {
    "ClientID": "client-2",
    "Events": true,
    "EventsStore": false,
    "Queues": false,
    "Commands": false,
    "Queries": false,
    "Channel": "foo.bar.2",
    "Read": false,
    "Write": true
  }
]
```
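The following is an added example, not KubeMQ's own code: a small evaluator that loads a rules set in the record format documented above, validates every record (exactly the 8 fields, JSON booleans where the table says bool, and regular expressions that compile), and decides a request the way the rules-set section describes, granting only when at least one record matches the client, channel, resource type and action. The page does not say whether KubeMQ matches the ClientID and Channel patterns against the whole string or searches within it; the evaluator uses whole-string matching (`re.fullmatch`) and labels that as an assumption. The embedded rules set is the third example from this page. The last two checks in `demo()` illustrate a caveat for anyone writing these rules: because the Channel field is a regular expression, an unescaped `.` in `foo.bar.1` matches any character, so the rule also grants `fooXbarX1`; escaping the dots keeps the channel literal.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Resource-type fields of a record, named as in the KubeMQ docs.
RESOURCE_FIELDS = ("Events", "EventsStore", "Queues", "Commands", "Queries")
BOOL_FIELDS = RESOURCE_FIELDS + ("Read", "Write")
ALL_FIELDS = ("ClientID", "Channel") + BOOL_FIELDS  # the 8 documented fields


@dataclass(frozen=True)
class Rule:
    client_id: re.Pattern
    channel: re.Pattern
    resources: FrozenSet[str]  # resource types this record grants
    read: bool
    write: bool


def validate_record(record: dict) -> Rule:
    """Reject records lacking exactly the 8 documented fields, with the
    documented types, or whose regular expressions do not compile."""
    missing, extra = set(ALL_FIELDS) - set(record), set(record) - set(ALL_FIELDS)
    if missing or extra:
        raise ValueError(f"bad field set: missing={sorted(missing)} extra={sorted(extra)}")
    for field in BOOL_FIELDS:
        if not isinstance(record[field], bool):
            raise ValueError(f"{field} must be a JSON boolean, got {record[field]!r}")
    for field in ("ClientID", "Channel"):
        if not isinstance(record[field], str):
            raise ValueError(f"{field} must be a string")
    try:
        client_re, channel_re = re.compile(record["ClientID"]), re.compile(record["Channel"])
    except re.error as exc:
        raise ValueError(f"invalid regular expression: {exc}") from exc
    return Rule(client_re, channel_re,
                frozenset(f for f in RESOURCE_FIELDS if record[f]),
                record["Read"], record["Write"])


def load_rules_set(text: str) -> List[Rule]:
    """Parse a JSON array of permission records into validated rules."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("rules set must be a JSON array of records")
    return [validate_record(r) for r in data]


def validation_error(text: str) -> Optional[str]:
    """Return the first error message for a rules-set text, or None if it is valid.
    (json.JSONDecodeError is a ValueError, so malformed JSON is reported too.)"""
    try:
        load_rules_set(text)
    except ValueError as exc:
        return str(exc)
    return None


def is_allowed(rules: List[Rule], client_id: str, resource: str, channel: str, action: str) -> bool:
    """Grant only if at least one rule matches client, channel, resource type and action."""
    if resource not in RESOURCE_FIELDS or action not in ("Read", "Write"):
        raise ValueError(f"unknown resource {resource!r} or action {action!r}")
    for rule in rules:
        # ASSUMPTION: patterns must match the whole string (fullmatch). If the
        # server searched unanchored instead, "foo.bar" would also accept "x-foo.bar-x".
        if not rule.client_id.fullmatch(client_id) or not rule.channel.fullmatch(channel):
            continue
        if resource not in rule.resources:
            continue
        granted = rule.read if action == "Read" else rule.write
        if granted:
            return True
    return False


# Constructed input: the third rules set shown on this page, embedded so the demo runs offline.
EXAMPLE_RULES_JSON = """[
  {"ClientID": "client-1", "Events": true, "EventsStore": false, "Queues": false,
   "Commands": false, "Queries": false, "Channel": "foo.bar.1", "Read": false, "Write": true},
  {"ClientID": "client-2", "Events": true, "EventsStore": false, "Queues": false,
   "Commands": false, "Queries": false, "Channel": "foo.bar.2", "Read": false, "Write": true}
]"""


def demo() -> Dict[str, bool]:
    rules = load_rules_set(EXAMPLE_RULES_JSON)
    # Hardened variant: the same records with Channel written as a regex literal,
    # so the dots in "foo.bar.1" no longer match arbitrary characters.
    strict = [validate_record(dict(r, Channel=re.escape(r["Channel"])))
              for r in json.loads(EXAMPLE_RULES_JSON)]
    return {
        "client-1 writes Events to foo.bar.1": is_allowed(rules, "client-1", "Events", "foo.bar.1", "Write"),
        "client-1 writes Events to foo.bar.2": is_allowed(rules, "client-1", "Events", "foo.bar.2", "Write"),
        "client-1 reads Events from foo.bar.1": is_allowed(rules, "client-1", "Events", "foo.bar.1", "Read"),
        "client-1 writes Queues to foo.bar.1": is_allowed(rules, "client-1", "Queues", "foo.bar.1", "Write"),
        "client-3 writes Events to foo.bar.1": is_allowed(rules, "client-3", "Events", "foo.bar.1", "Write"),
        # Unescaped '.' is a regex metacharacter, so "foo.bar.1" also matches "fooXbarX1".
        "client-1 writes Events to fooXbarX1": is_allowed(rules, "client-1", "Events", "fooXbarX1", "Write"),
        "client-1 writes Events to fooXbarX1 (escaped)": is_allowed(strict, "client-1", "Events", "fooXbarX1", "Write"),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {label}")
```

Running `validation_error` over a rules set before deploying it catches the kind of slip that is easy to make in hand-written JSON (a misspelled boolean, a missing field, a pattern that does not compile), and the `strict` variant in `demo()` shows the difference between a channel pattern and a channel name when the rule is meant to cover exactly one channel.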

Loading Configuration

KubeMQ supports two configuration loading options:
  1. Set a JSON array on cluster creation
  2. Set the URL of a web service that KubeMQ calls to fetch the Authorization configuration JSON array, with automatic reloading every predefined number of seconds
The Authorization feature is available only in KubeMQ Enterprise Edition.
Register for a free 30-day license here.