RabbitMQ User Roles and Permissions Control

Source: Internet
Author: User
Tags rabbitmq amq

#######################
#User Roles
#######################

RabbitMQ user role categories:

none, management, policymaker, monitoring, administrator

Description of each RabbitMQ role:

none
Cannot access the management plugin

management
Anything a user can do with AMQP, plus:
List the virtual hosts that you can log into via AMQP
View queues, exchanges and bindings in your virtual hosts
View and close your own channels and connections
View "global" statistics covering your own virtual hosts, including the activity of other users in these virtual hosts

policymaker
Anything that management can do, plus:
View, create, and delete policies and parameters for your own virtual hosts

monitoring
Anything that management can do, plus:
List all virtual hosts, including virtual hosts that you cannot log in to
View connections and channels of other users
View node-level data such as clustering and memory usage
View truly global statistics about all virtual hosts

administrator
Anything that policymaker and monitoring can do, plus:
Create and delete virtual hosts
View, create, and delete users
View, create, and delete permissions
Close other users' connections

To create a user and set up a role:
You can create an administrator user who is responsible for the operation of the entire MQ, for example:
$ sudo rabbitmqctl add_user user_admin passwd_admin
Give it the administrator role:
$ sudo rabbitmqctl set_user_tags user_admin administrator

You can create a RabbitMQ monitoring user that is responsible for monitoring the entire MQ, for example:
$ sudo rabbitmqctl add_user user_monitoring passwd_monitor
Give it the monitoring role:
$ sudo rabbitmqctl set_user_tags user_monitoring monitoring

You can create a dedicated user for a project that can access only the project's own virtual hosts:
$ sudo rabbitmqctl add_user user_proj passwd_proj
Give it the management role:
$ sudo rabbitmqctl set_user_tags user_proj management

After creating the users and assigning their roles, review and confirm:
$ sudo rabbitmqctl list_users

########################
#RabbitMQ Permissions Control:
########################
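Default virtual host: "/"
Default user: guest
guest has full privileges on "/" and can reach RabbitMQ, including the management plugin, only from localhost. It is recommended to delete this user or change its password. The localhost-only restriction can be lifted with the loopback_users setting in the configuration file; do this only after guest has been deleted or given a new password, since otherwise a full-privilege default account becomes reachable over the network:
[{rabbit, [{loopback_users, []}]}].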

Users can only operate on resources in the virtual hosts that they can access. Resources here means the exchanges, queues, etc. in a virtual host, and the operations are configuring, writing to, and reading from those resources. Configure permission covers creating or deleting a resource, or modifying its behavior; write permission covers sending messages to a resource; read permission covers getting messages from a resource. For example:
Declaring and deleting an exchange or a queue requires configure permission on that exchange or queue, respectively
Binding and unbinding an exchange requires read and write permissions on the exchanges
Binding and unbinding a queue requires write permission on the queue and read permission on the exchange
Sending a message (publish) requires write permission on the exchange
Getting or clearing messages (get, consume, purge) requires read permission on the queue

Which resources the configure, write, and read permissions apply to is determined by regular-expression matching. The command is:
set_permissions [-p <vhostpath>] <user> <conf> <write> <read>
Here <conf>, <write> and <read> are regular expressions that select the resources each permission covers. For example, '^(amq\.gen.*|amq\.default)$' matches server-generated names and the default exchange, while '^$' does not match any resources.
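
The following is an added example, not part of the original page and not RabbitMQ code: a small Python model of how the three set_permissions patterns decide the operations listed above. It assumes the broker searches for each pattern anywhere in the resource name (modelled with re.search) and checks the default exchange under the name amq.default; the operation names, permission triples and resource names are constructed.

```python
import re

# Permissions each operation needs, following the list above: (permission, resource kind).
REQUIRED = {
    "exchange.declare": [("configure", "exchange")],
    "exchange.delete": [("configure", "exchange")],
    "queue.declare": [("configure", "queue")],
    "queue.delete": [("configure", "queue")],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
    "queue.unbind": [("write", "queue"), ("read", "exchange")],
    "basic.publish": [("write", "exchange")],
    "basic.get": [("read", "queue")],
    "basic.consume": [("read", "queue")],
    "queue.purge": [("read", "queue")],
}


def allowed(perms, operation, queue=None, exchange=None):
    """perms is the (conf, write, read) regex triple passed to set_permissions."""
    patterns = dict(zip(("configure", "write", "read"), perms))
    names = {"queue": queue, "exchange": exchange}
    for permission, kind in REQUIRED[operation]:
        name = names[kind]
        if name is None:
            raise ValueError(f"{operation} needs a {kind} name")
        if kind == "exchange" and name == "":
            name = "amq.default"  # assumption: default exchange is checked under this name
        # Assumption: the broker searches for the pattern anywhere in the name,
        # so a pattern without ^ and $ also matches longer names.
        if re.search(patterns[permission], name) is None:
            return False
    return True


# Constructed permission triples (conf, write, read) for the examples below.
CONSUMER_ONLY = ("^$", "^$", r"^proj\.orders$")
UNANCHORED = ("proj", "proj", "proj")
ANCHORED = (r"^proj\.", r"^proj\.", r"^proj\.")

if __name__ == "__main__":
    print(allowed(CONSUMER_ONLY, "basic.consume", queue="proj.orders"))
    print(allowed(CONSUMER_ONLY, "queue.declare", queue="proj.orders"))
    print(allowed(UNANCHORED, "queue.purge", queue="other-proj-audit"))
    print(allowed(ANCHORED, "queue.purge", queue="other-proj-audit"))
```

The unanchored triple lets the project user purge a queue that merely contains "proj" in its name, which is why the patterns on this page are written with ^ and $.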

Note that RabbitMQ caches the result of permission checks for each connection or channel, so after permissions are changed a client must reconnect before the change takes effect.

Granting permissions to a user:
$ sudo rabbitmqctl set_permissions -p /vhost1 user_admin '.*' '.*' '.*'
This command grants user_admin configure, write, and read permissions on all resources in this virtual host, so that the user can manage the resources in /vhost1.

To view permissions:

$ sudo rabbitmqctl list_user_permissions user_admin
Listing permissions for user "user_admin" ...
/vhost1	.*	.*	.*

$ sudo rabbitmqctl list_permissions -p /vhost1
Listing permissions in vhost "/vhost1" ...
user_admin	.*	.*	.*

