You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The permission model in use today is largely specific to one protocol but is flexible enough to support a lot of scenarios.
However, there's one scenario that it does not really cover: "read only" users. The read permission on a queue means several things:
An ability to inspect queue metrics, etc in the management UI
An ability to consume messages via messaging protocol clients
By extension of the above, if the user can consume messages and ack them, they can effective purge the queue, so a queue.purge permission is also granted
For an environment where a "read only user" means "can browse queues and their metrics but has no access to messages", the above model is too permissive.
A new action which we can call browse for now, could only grant the permission to, well, browse the queue and its metrics in the management UI, and not allow any access to the messages in that queue.
Using Prometheus side steps the problem entirely and is the recommended option, but the browse permission may still be worth investigating and not require any significant changes to the permission system as a whole.
The text was updated successfully, but these errors were encountered:
michaelklishin
changed the title
Consider introducing a browse permission
Consider introducing a browse permission for queues
Feb 9, 2024
The permission model in use today is largely specific to one protocol but is flexible enough to support a lot of scenarios.
However, there's one scenario that it does not really cover: "read only" users. The
read
permission on a queue means several things:queue.purge
permission is also grantedFor an environment where a "read only user" means "can browse queues and their metrics but has no access to messages", the above model is too permissive.
A new action which we can call
browse
for now, could only grant the permission to, well, browse the queue and its metrics in the management UI, and not allow any access to the messages in that queue.Using Prometheus side steps the problem entirely and is the recommended option, but the
browse
permission may still be worth investigating and not require any significant changes to the permission system as a whole.The text was updated successfully, but these errors were encountered: