Default database contents

When the server first starts running, and detects that its database is uninitialised or has been deleted, it initialises a fresh database with the following resources:

• a virtual host named /
• a user named guest with a default password of guest, granted full access to the / virtual host.

Management and monitoring

Access control

When an AMQP client establishes a connection to an AMQP server, it specifies a virtual host within which it intends to operate. A first level of access control is enforced at this point, with the server checking whether the user has any permissions to access the virtual hosts, and rejecting the connection attempt otherwise.

Resources, i.e. exchanges and queues, are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. A second level of access control is enforced when certain operations are performed on resources.

RabbitMQ distinguishes between configure, write and read operations on a resource. The configure operations create or destroy resources, or alter their behaviour. The write operations inject messages into a resource. And the read operations retrieve messages from a resource.

In order to perform an operation on a resource the user must have been granted the appropriate permissions for it. The following table shows what permissions on what type of resource are required for all the AMQP commands which perform permission checks.

Permissions are expressed as a triple of regular expressions - one each for configure, write and read - on per-vhost basis. The user is granted the respective permission for operations on all resources with names matching the regular expressions. (Note: For convenience RabbitMQ maps AMQP's default exchange's blank name to 'amq.default' when performing permission checks.)

The regular expression '^$', i.e. matching nothing but the empty string, covers all resources and effectively stops the user from performing any operation. Standard AMQP resource names are prefixed with amq. and server generated names are prefixed with amq.gen. For example, '^amq\.gen.*|amq\.default$' gives a user access to server-generated names and the default exchange. The empty string, '' is a synonym for '^$' and restricts permissions in the exact same way.

RabbitMQ may cache the results of access control checks on a per-connection or per-channel basis. Hence changes to user permissions may only take effect when the user reconnects.

Plugins

RabbitMQ provides a plugin mechanism allowing for additional OTP applications to be run within the broker node. Plugins should not be seen as a general purpose mechanism for writing applications, but instead as a specialised tool when additional functionality is required at the broker level.

The RabbitMQ plugin mechanism makes use of a custom OTP .boot file, to start additional OTP applications within the broker node, and thus comes with a number of caveats:

• Since the plugin runs in the same node as the broker, it should not be assumed that any access controls configured on the broker will be observed by the plugin. Whilst plugins can interact with the ACL mechanism to ensure enforcement of security mechanisms, it is also possible for plugins to completely ignore security configuration.
• Again, since the plugin runs in the same node as the broker, an action that results in the node halting will shut down the RabbitMQ broker as well. Well-written plugins can be built to avoid this occuring, however Administrators should be aware of the risks of installing plugins - especially those that are not known to have undergone a rigorous QA procedure.