tag_queries overwrite #4122

@spham

Hi,
When I use $vhost in tag_queries, the behavior is strange.

[
    {rabbitmq_auth_backend_ldap, [
        {resource_access_query, {in_group, "CN=${vhost},OU=groups,DC=bakken,DC=io"}},
        {vhost_access_query, {in_group, "CN=${vhost},OU=groups,DC=bakken,DC=io"}},
        {tag_queries, [
            {administrator, {in_group, "CN=${vhost},OU=groups,DC=bakken,DC=io"}},
            {management, {constant, true}}
        ]}
    ]}
].

2022-02-09 12:43:50.787309+00:00 [info] <0.392.0> LDAP evaluated in_group ... true

That means all seems OK, but curl returns

{"name":"...","tags":["management"]}
In this case, the management UI gives access to some vhosts, but only with the management role :-(

It's like: for each administrator, give the management role
"{administrator: true, management: true}" then management

In the other case:

[
    {rabbitmq_auth_backend_ldap, [
        {resource_access_query, {in_group, "CN=${vhost},OU=groups,DC=bakken,DC=io"}},
        {vhost_access_query, {in_group, "CN=${vhost},OU=groups,DC=bakken,DC=io"}},
        {tag_queries, [
            {administrator, {constant, true}},
            {management, {constant, true}}
        ]}
    ]}
].

curl returns
{"name":"...","tags":["administrator","management"]}
In this case, the management UI has different behavior:
the user gets full access to all vhosts as administrator, but is not limited by vhost

  • RabbitMQ 4.9.13
  • Erlang 23.3.4
  • CentOS 7
  • OpenJDK 11
