Access Control

When the server first starts running, and detects that its database is uninitialised or has been deleted, it initialises a fresh database with the following resources:
當(dāng)服務(wù)器啟動(dòng)運(yùn)行后，檢測(cè)到所使用的數(shù)據(jù)庫未進(jìn)行過初始化，或者被刪除了，則會(huì)使用如下資源初始化一個(gè)新的數(shù)據(jù)庫：
a virtual host named /
使用 / 作為虛擬主機(jī)名 a user named guest with a default password of guest, granted full access to the / virtual host.
使用 guest/guest作為用戶名密碼，并授予針對(duì) / 虛擬主機(jī)的全部權(quán)限
It is advisable to deletethe guest user or change the passwordto something private, particularly if your broker is accessible publicly.
建議刪除該默認(rèn) guest 用戶，或者將其密碼變更為你自定義的內(nèi)容，尤其當(dāng)你的 broker 暴露在公網(wǎng)環(huán)境下時(shí)。

"guest" user can only connect via localhost
僅能通過 localhost 進(jìn)行連接的 "guest" 用戶

By default, the guest user is prohibited from connecting to the broker remotely; it can only connect over a loopback interface (i.e. localhost). This applies both to AMQP and to any other protocols enabled via plugins. Any other users you create will not (by default) be restricted in this way.
默認(rèn)情況下，guest 用戶被禁止用于非本地的連接；其僅能在通過 loopback 接口（如 localhost）進(jìn)行連接時(shí)使用。該原則對(duì)于 AMQP 協(xié)議和其他通過插件功能使能的協(xié)議都有效。而對(duì)于你所創(chuàng)建的任何其他用戶，在默認(rèn)情況下不受該限制約束。

This is configured via the loopback_users item in the configuration file.
可以通過配置文件中的 loopback_users 條目進(jìn)行相關(guān)配置。

If you wish to allow the guest user to connect from a remote host, you should set the loopback_users configuration item to []. A complete rabbitmq.config which does this would look like:
如果你打算允許 guest 用戶用于非本地連接，你可以將 loopback_users 條目設(shè)置成 [] 。下面給出在 rabbitmq.config 中的完整配置：

[{rabbit, [{loopback_users, []}]}].

How permissions work
權(quán)限控制方式

When an AMQP client establishes a connection to an AMQP server, it specifies a virtual host within which it intends to operate. A first level of access control is enforced at this point, with the server checking whether the user has any permissions to access the virtual hosts, and rejecting the connection attempt otherwise.
當(dāng)一個(gè) AMQP 客戶端建立了一條到 AMQP 服務(wù)器的連接時(shí)，就已經(jīng)指定了其所使用的虛擬主機(jī)。而虛擬主機(jī)就是訪問權(quán)限控制的第一級(jí)，因?yàn)榉?wù)器會(huì)校驗(yàn)當(dāng)前用戶是否擁有相關(guān)權(quán)限來訪問對(duì)應(yīng)的虛擬主機(jī)，若沒有，則會(huì)拒絕連接。

Resources, i.e. exchanges and queues, are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. A second level of access control is enforced when certain operations are performed on resources.
而資源，也就是 exchange 和 queue ，實(shí)際是指位于特定虛擬主機(jī)內(nèi)容的命名實(shí)體；在不同虛擬主機(jī)上的同名實(shí)體屬于不同的資源。訪問權(quán)限控制的第二級(jí)就是針對(duì)資源進(jìn)行可操作性約束實(shí)現(xiàn)的。

RabbitMQ distinguishes between configure, write and read operations on a resource. The configure operations create or destroy resources, or alter their behaviour. The write operations inject messages into a resource. And the read operations retrieve messages from a resource.
RabbitMQ 針對(duì)資源的操作權(quán)限分為 configure 、write 和 read 。
configure 權(quán)限用于控制針對(duì)資源的創(chuàng)建和刪除，或者變更的能力；
write 權(quán)限用于限制向資源注入消息的能力；
read 權(quán)限用于限制從資源獲取消息的能力；

In order to perform an operation on a resource the user must have been granted the appropriate permissions for it. The following table shows what permissions on what type of resource are required for all the AMQP commands which perform permission checks.
為了能夠?qū)δ撤N資源進(jìn)行操作，用戶必須被授予相應(yīng)的權(quán)限。下面的表格顯示了針對(duì)不同類型資源進(jìn)行 AMQP 命令操作所需的各種權(quán)限。

AMQP command

configure
write
read
exchange.declare
(passive=false)
exchange

exchange.declare
(passive=true)

exchange.declare
(with AE)
exchange
exchange (AE)
exchange
exchange.delete

exchange

queue.declare
(passive=false)
queue

queue.declare
(passive=true)

queue.declare
(with DLX)
queue
exchange (DLX)
queue
queue.delete

queue

exchange.bind

exchange (destination)
exchange (source)
exchange.unbind

exchange (destination)
exchange (source)
queue.bind

queue
exchange
queue.unbind

queue
exchange
basic.publish

exchange

basic.get

queue
basic.consume

queue
queue.purge

queue

Permissions are expressed as a triple of regular expressions - one each for configure, write and read - on per-vhost basis. The user is granted the respective permission for operations on all resources with names matching the regular expressions. (Note: For convenience RabbitMQ maps AMQP\'s default exchange\'s blank name to \'amq.default\' when performing permission checks.)
權(quán)限通過三元的正則表達(dá)式進(jìn)行描述 - 分別對(duì)應(yīng) configure 、write 和 read - 以虛擬主機(jī)為單位進(jìn)行配置。用戶通過正則匹配決定被授予針對(duì)各種資源相應(yīng)何種權(quán)限（注意，為了方便起見，RabbitMQ 會(huì)在進(jìn)行權(quán)限檢查時(shí)，將 AMQP 中的默認(rèn) exchange 名，即空字符串，映射為 \'amq.default\'）。

The regular expression \'^$\', i.e. matching nothing but the empty string, covers all resources and effectively stops the user from performing any operation. Standard AMQP resource names are prefixed with amq. and server generated names are prefixed with amq.gen. For example, \'^(amq.gen.*|amq.default)$\' gives a user access to server-generated names and the default exchange. The empty string, \'\' is a synonym for \'^$\' and restricts permissions in the exact same way.
正則表達(dá)式 \'^$\'，即僅對(duì)空字符串匹配，將對(duì)所有資源產(chǎn)生效果，可以阻止用戶執(zhí)行任何操作。
標(biāo)準(zhǔn) AMQP 資源名以 amq. 作為前綴；服務(wù)器自動(dòng)生成的名字以 amq.gen 作為前綴。例如，\'^(amq.gen.*|amq.default)$\'將允許用戶訪問服務(wù)器生成名字的資源，以及默認(rèn) exchange 。空字符串 \'\' 與 \'^$\' 是同義的。

RabbitMQ may cache the results of access control checks on a per-connection or per-channel basis. Hence changes to user permissions may only take effect when the user reconnects.
RabbitMQ 可以按照 Connection 或 channel 層次進(jìn)行權(quán)限控制檢查結(jié)果的緩存。如此的話，針對(duì)用戶權(quán)限的變更將在用戶重連后生效。

For details of how to set up access control, please see the Access Control section of the rabbitmqctl(1) man page.

沙縣網(wǎng)站建設(shè)公司創(chuàng)新互聯(lián),沙縣網(wǎng)站設(shè)計(jì)制作，有大型網(wǎng)站制作公司豐富經(jīng)驗(yàn)。已為沙縣上千家提供企業(yè)網(wǎng)站建設(shè)服務(wù)。企業(yè)網(wǎng)站搭建\成都外貿(mào)網(wǎng)站建設(shè)要多少錢，請(qǐng)找那個(gè)售后服務(wù)好的沙縣做網(wǎng)站的公司定做！