Authorization

General

KubeMQ's Authorization feature allows controlling the access of clients to KubeMQ resources.

How Permissions Works

When a client wants to perform an operation such as sending data to a channel, subscribing to a channel, or pulling messages from a queue, the KubeMQ server checks whether the client has permission for the relevant resource and action. The client must have been granted a matching permission rule to complete the operation.

An access control permission rule consists of 4 objects:

  1. Source - the client_id of each message or request

  2. Resource Type - Events, EventsStore, Queues, Commands, Queries

  3. Resource Name - Channel

  4. Action - Read, Write

Authorization Configuration

Access Control Permission Record

An access control permission record consists of 8 fields:

| Field | Type | Description |
| --- | --- | --- |
| ClientID | string | Client ID, as a regular expression |
| Events | bool | Allow access to events, true/false |
| EventsStore | bool | Allow access to events_store, true/false |
| Queues | bool | Allow access to queues, true/false |
| Commands | bool | Allow access to commands, true/false |
| Queries | bool | Allow access to queries, true/false |
| Channel | string | Channel name, as a regular expression |
| Read | bool | Allow reading from a resource (i.e., subscribing to a channel), true/false |
| Write | bool | Allow writing to a resource (i.e., sending a message to a channel), true/false |

The regular expressions for ClientID and Channel allow great flexibility for access control permissions. Let's see some examples.

For ClientID:

| ClientID Regular Expression | Will Grant Access To |
| --- | --- |
| client-redis | clients with client_id = 'client-redis' |
| client* | any client_id starting with 'client' |
| .* | any client_id |

For Channel:

| Channel Regular Expression | Will Grant Access To |
| --- | --- |
| foo.bar | Channel = 'foo.bar' |
| foo.bar* | any channel starting with foo.bar |
| .* | any channel |

Access Control Permission Rules Set

An array of access control permission records forms an access control permission rules set. Every operation is checked against all the records in the rules set. To grant access to a resource, at least one record must satisfy the permission requirements; an operation that no record grants is denied.

Examples

Grant client-a access to the Events resource only, with both read and write on any channel:

[
   {
      "ClientID":"client-a",
      "Events":true,
      "EventsStore": false,
      "Queues": false,
      "Commands": false,
      "Queries": false,
      "Channel":".*",
      "Read":true,
      "Write":true
   }
]

Grant every client whose id starts with sub. read-only access to the foo.bar channel, for all resource types:

[
   {
      "ClientID":"sub.*",
      "Events":true,
      "EventsStore": true,
      "Queues": true,
      "Commands": true,
      "Queries": true,
      "Channel":"foo.bar",
      "Read":true,
      "Write": false
   }
]

Grant client-1 permission to send events only to foo.bar.1, and client-2 permission to send only to foo.bar.2:

[
   {
      "ClientID":"client-1",
      "Events":true,
      "EventsStore": false,
      "Queues": false,
      "Commands": false,
      "Queries": false,
      "Channel":"foo.bar.1",
      "Read":false,
      "Write": true
   },
   {
      "ClientID":"client-2",
      "Events":true,
      "EventsStore": false,
      "Queues": false,
      "Commands": false,
      "Queries": false,
      "Channel":"foo.bar.2",
      "Read":false,
      "Write": true
   }
]
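The following is an added example, not KubeMQ's own code: a small evaluator that loads a rules set like the ones above, validates every record against the 8-field schema, and answers "is this operation allowed?" with the rules-set semantics the page describes (at least one record must grant the source, resource type, channel and action; everything else is denied). Two details are assumptions, because the page does not state them: whether KubeMQ anchors its regular-expression matching (the `anchored` flag below shows both readings), and the exact error behaviour on a malformed file. The example also shows why the patterns deserve care: `.` in `foo.bar.1` is a wildcard, and `client*` under whole-string matching does not cover `client-redis` at all, while under substring matching it covers any id that merely contains `clien`.

```python
import json
import re
from typing import Dict, List

# Resource types named on the page, mapped to the record field that gates each one.
RESOURCE_FIELDS = {
    "events": "Events",
    "events_store": "EventsStore",
    "queues": "Queues",
    "commands": "Commands",
    "queries": "Queries",
}
ACTION_FIELDS = {"read": "Read", "write": "Write"}
REQUIRED_FIELDS = ("ClientID", *RESOURCE_FIELDS.values(), "Channel", *ACTION_FIELDS.values())


def load_rules(raw: str) -> List[dict]:
    """Parse a rules-set JSON array; reject records missing a field, holding the
    wrong type, or carrying a regex that does not compile. A misspelled literal
    such as 'flase' fails here as invalid JSON instead of becoming a different policy."""
    rules = json.loads(raw)
    if not isinstance(rules, list):
        raise ValueError("rules set must be a JSON array")
    for i, rec in enumerate(rules):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"record {i}: missing fields {missing}")
        for f in REQUIRED_FIELDS:
            expected = str if f in ("ClientID", "Channel") else bool
            if not isinstance(rec[f], expected):
                raise ValueError(f"record {i}: {f} must be {expected.__name__}")
        re.compile(rec["ClientID"])  # raises re.error on a bad pattern
        re.compile(rec["Channel"])
    return rules


def rules_are_valid(raw: str) -> bool:
    """True if load_rules accepts the JSON text, False on any validation failure."""
    try:
        load_rules(raw)
        return True
    except (ValueError, re.error):
        return False


def matches(pattern: str, value: str, anchored: bool = True) -> bool:
    """Assumed matching semantics (the page does not state which KubeMQ uses):
    anchored=True  -> the whole value must match the pattern (re.fullmatch)
    anchored=False -> the pattern may match any substring (re.search)"""
    if anchored:
        return re.fullmatch(pattern, value) is not None
    return re.search(pattern, value) is not None


def is_allowed(rules: List[dict], client_id: str, resource: str, channel: str,
               action: str, anchored: bool = True) -> bool:
    """Grant if at least one record allows the resource type and the action and its
    ClientID and Channel patterns match the request; otherwise deny."""
    resource_field = RESOURCE_FIELDS[resource]
    action_field = ACTION_FIELDS[action]
    return any(
        rec[resource_field] and rec[action_field]
        and matches(rec["ClientID"], client_id, anchored)
        and matches(rec["Channel"], channel, anchored)
        for rec in rules
    )


# The page's third example: client-1 may send events only to foo.bar.1, client-2 only to foo.bar.2.
EXAMPLE_RULES = """[
  {"ClientID": "client-1", "Events": true, "EventsStore": false, "Queues": false,
   "Commands": false, "Queries": false, "Channel": "foo.bar.1", "Read": false, "Write": true},
  {"ClientID": "client-2", "Events": true, "EventsStore": false, "Queues": false,
   "Commands": false, "Queries": false, "Channel": "foo.bar.2", "Read": false, "Write": true}
]"""

# Constructed input: a trimmed record with the 'flase' typo; the loader must reject it.
BROKEN_RULES = '[{"ClientID": "client-a", "Events": true, "Queries": flase, "Channel": ".*"}]'


def demo() -> Dict[str, bool]:
    rules = load_rules(EXAMPLE_RULES)
    return {
        "client1_write_foo.bar.1": is_allowed(rules, "client-1", "events", "foo.bar.1", "write"),
        "client1_write_foo.bar.2": is_allowed(rules, "client-1", "events", "foo.bar.2", "write"),
        "client1_read_foo.bar.1": is_allowed(rules, "client-1", "events", "foo.bar.1", "read"),
        "client1_queue_foo.bar.1": is_allowed(rules, "client-1", "queues", "foo.bar.1", "write"),
        # '.' is a regex wildcard, so channel fooXbarX1 is also granted by "foo.bar.1";
        # escape the dots (foo\\.bar\\.1) when a literal channel name is intended.
        "client1_write_fooXbarX1": is_allowed(rules, "client-1", "events", "fooXbarX1", "write"),
        "broken_rules_rejected": not rules_are_valid(BROKEN_RULES),
    }


def regex_caveats() -> Dict[str, bool]:
    """How the page's 'client*' pattern behaves under each matching assumption."""
    return {
        # 'client*' is 'clien' followed by zero or more 't': whole-string matching
        # rejects 'client-redis'; 'client.*' is the prefix grant the table intends.
        "client*_anchored": matches("client*", "client-redis", anchored=True),
        "client.*_anchored": matches("client.*", "client-redis", anchored=True),
        # Unanchored, 'client*' accepts any id that merely contains 'clien'.
        "client*_unanchored": matches("client*", "client-redis", anchored=False),
        "client*_unanchored_substring": matches("client*", "my-clienx", anchored=False),
    }


if __name__ == "__main__":
    for name, allowed in {**demo(), **regex_caveats()}.items():
        print(f"{name}: {allowed}")
```

Run the file directly to see each decision; the practical takeaway is to validate the rules set before loading it into a cluster and to write ClientID and Channel patterns as precisely as possible (escaped dots, explicit `.*` only where a wildcard is really meant), since a record grants access wherever its regex happens to match.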

Loading Configuration

KubeMQ supports two ways of loading the authorization configuration:

  1. Set the JSON array directly at cluster creation.

  2. Set the URL of a web service that returns the authorization configuration JSON array, with optional automatic reloading at a predefined interval in seconds.

The cluster settings for both options are described under Configuration, Set Authorization.

The Authorization feature is available only on KubeMQ Enterprise Edition. Register for a free 30-day license.

Last updated 4 years ago