[RabbitMQ in action] 05 RabbitMQ background management

1. Multi-tenancy and permissions

1.1 The concept of vhost

Each RabbitMQ server can create virtual message servers, which we call virtual hosts, or vhosts for short. Each vhost is essentially a small, independent RabbitMQ server with its own queues, exchanges, bindings, and so on, and its own permissions. A vhost relates to the RabbitMQ server much as a virtual machine relates to a physical server: vhosts provide logical separation between instances so that different programs can handle their data securely and confidentially. They distinguish the many clients sharing the same RabbitMQ server and also avoid naming conflicts between queues, exchanges, and so on. Vhosts are absolutely isolated from each other: an exchange in vhost1 cannot be bound to a queue in vhost2. This ensures both security and portability. Once the use of RabbitMQ reaches a certain scale, it is recommended that users classify business functions and scenarios and allocate an independent vhost to each.

The vhost is a basic AMQP concept. A client must specify a vhost when connecting. The vhost that RabbitMQ creates by default is "/". If you do not need multiple vhosts, or do not yet understand the concept well, using this default vhost is perfectly reasonable. You can access it with the default username guest and password guest, but for security and convenience it is recommended to create a new user to access it.

2. rabbitmqctl management tool

Next, we use the rabbitmqctl tool to perform background management work.

2.1 Operating vhost

  • Add
I have no name!@0d5cb60e3a06:/$ rabbitmqctl add_vhost vhost1
Adding vhost "vhost1" ...
  • List
I have no name!@0d5cb60e3a06:/$ rabbitmqctl list_vhosts
Listing vhosts ...
name
/
virtual01
vhost1
  • Delete
    Delete the vhost1 that was just created.
I have no name!@0d5cb60e3a06:/$ rabbitmqctl delete_vhost vhost1
Deleting vhost "vhost1" ...
I have no name!@0d5cb60e3a06:/$ rabbitmqctl list_vhosts
Listing vhosts ...
name
/
virtual01

2.2 User management

  • Create user
I have no name!@0d5cb60e3a06:/$ rabbitmqctl add_user user1 123456
Adding user "user1" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.

  • Query user list

I have no name!@0d5cb60e3a06:/$ rabbitmqctl list_users
Listing users ...
user	tags
admin	[administrator]
hello	[administrator]
  • Change user password
I have no name!@0d5cb60e3a06:/$ rabbitmqctl change_password user1 111111
Changing password for user "user1" ...
  • Delete user
I have no name!@0d5cb60e3a06:/$ rabbitmqctl delete_user user1
Deleting user "user1" ...

2.3 Permissions

In RabbitMQ, permission control is based on vhosts.
When a user is created, the user is usually assigned to at least one vhost and can only access the queues, exchanges, bindings, etc. within the assigned vhosts. Granting permissions in RabbitMQ therefore means granting a user permissions at the vhost level.

The relevant permission granting command is:
rabbitmqctl set_permissions [-p vhost] {user} {conf} {write} {read}
The meaning of each parameter is as follows.

  • vhost: The name of the vhost to which the user is granted access. It may be left at the default value, in which case the vhost is "/".

  • user: User name that can access the specified vhost.

  • conf: A regular expression used to match which resources the user has configurable permissions on.

  • write: A regular expression used to match which resources the user has writable permissions on.

  • read: A regular expression used to match which resources the user has read permissions on.

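Note:
Configure refers to operations such as creating and deleting queues and exchanges;
Write refers to publishing messages;
Read refers to message-related operations, including reading messages and purging an entire queue.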
  • Add permissions
I have no name!@0d5cb60e3a06:/$ rabbitmqctl set_permissions -p vhost1 user1 ".*" ".*" ".*"
Setting permissions for user "user1" in vhost "vhost1" ...

What does ".*" stand for?
It is a regular expression that matches every resource name, in effect a wildcard. See the example below.

I have no name!@0d5cb60e3a06:/$ rabbitmqctl set_permissions -p vhost1 user1 "^queue01.*" ".*" ".*"
Setting permissions for user "user1" in vhost "vhost1" ...
I have no name!@0d5cb60e3a06:/$ rabbitmqctl list_user_permissions user1
Listing permissions for user "user1" ...
vhost	configure	write	read
vhost1	^queue01.*	.*	.*

This grants user1 configure permission on resources whose names start with "queue01", and write and read permissions on all resources.

  • Query user permissions
I have no name!@0d5cb60e3a06:/$ rabbitmqctl list_permissions -p vhost1
Listing permissions for vhost "vhost1" ...
user	configure	write	read
user1	.*	.*	.*
I have no name!@0d5cb60e3a06:/$ rabbitmqctl list_user_permissions user1
Listing permissions for user "user1" ...
vhost	configure	write	read
vhost1	.*	.*	.*
  • Clear permissions
I have no name!@0d5cb60e3a06:/$ rabbitmqctl clear_permissions -p vhost1 user1
Clearing permissions for user "user1" in vhost "vhost1" ...
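
The audit below is an added example, not part of the original post: it reads `rabbitmqctl list_permissions`-style output, flags grants whose pattern matches every resource, and checks sample names against the `^queue01.*` pattern used above. The permission table (including the `reporter` user), the queue names and the function names are constructed for illustration, and `grep -E` only approximates the broker's regex engine.

```shell
#!/bin/sh
# Added example, not from the original post. SAMPLE is constructed; on a real
# node, pipe `rabbitmqctl list_permissions -p <vhost>` into flag_wildcards.
TAB=$(printf '\t')
SAMPLE=$(printf '%s\n' \
  "Listing permissions for vhost \"vhost1\" ..." \
  "user${TAB}configure${TAB}write${TAB}read" \
  "user1${TAB}^queue01.*${TAB}.*${TAB}.*" \
  "admin${TAB}.*${TAB}.*${TAB}.*" \
  "reporter${TAB}^\$${TAB}^\$${TAB}^queue01.*")

# Print "user:column" for each pattern that matches every resource name
# (.* or .+, optionally anchored). Banner and header lines are skipped.
flag_wildcards() {
  awk -F '\t' 'NF == 4 && !($1 == "user" && $2 == "configure") {
    split("configure write read", col, " ")
    for (i = 2; i <= 4; i++)
      if ($i ~ /^\^?\.[*+]\$?$/) print $1 ":" col[i - 1]
  }'
}

# Return 0 if PATTERN would allow NAME. grep -E approximates the broker's
# regex match; an empty pattern is treated like "^$", which grants nothing.
pattern_allows() {
  pattern=$1
  [ -n "$pattern" ] || pattern='^$'
  printf '%s\n' "$2" | grep -Eq -- "$pattern"
}

# Audit the constructed sample table.
report() {
  printf '%s\n' "$SAMPLE" | flag_wildcards
}

report
for q in queue01.orders queue02.orders myqueue01; do
  if pattern_allows '^queue01.*' "$q"; then
    echo "configure allowed: $q"
  else
    echo "configure denied:  $q"
  fi
done
```

Because the pattern is anchored with `^`, `myqueue01` is denied; without the anchor the same pattern would match any name containing `queue01`.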

2.4 User roles

User roles apply to the web management plug-in and should not be confused with permissions.

User role tags can be divided into five categories:

  • The super administrator (administrator) can log in to the management console (when the management plugin is enabled), view all information, and manage users and policies.
  • The monitor (monitoring) can log in to the management console (when the management plugin is enabled) and view information about the RabbitMQ node (number of processes, memory usage, disk usage, etc.).
  • The policymaker can log in to the management console (when the management plugin is enabled) and manage policies, but cannot view node information; an administrator, by comparison, can see it.
  • Ordinary managers (management) can only log in to the management console (when the management plugin is enabled), and cannot see node information or manage policies.
  • Others cannot log in to the management console; they are usually ordinary producers and consumers.

After understanding these, you can set different roles for different users as needed.
The command to set user roles is:

rabbitmqctl set_user_tags {User} {Tag}
User is the user name, and Tag is the role name (one of administrator, monitoring, policymaker, or management above, or another custom name).

You can also set multiple roles for the same user, for example:

rabbitmqctl set_user_tags user001 monitoring policymaker management

3. Web management

The rabbitmqctl management tool performs management work through the command line. Is there a friendlier graphical interface? Yes.
The RabbitMQ management plug-in provides a web management interface for managing the virtual hosts, users, and so on mentioned above. It can also manage queues, exchanges, bindings, policies, parameters, etc., and monitor the status of the RabbitMQ service along with some data and statistics. It is powerful and covers essentially all RabbitMQ management functions.

You need to enable the RabbitMQ management plug-in before using the web management interface. RabbitMQ provides many plug-ins, which are stored in the $RABBITMQ_HOME/plugins directory by default, as shown below.

3.1 Management of plug-ins

  • List currently enabled plugins
I have no name!@0d5cb60e3a06:/opt/bitnami/rabbitmq/plugins$ rabbitmq-plugins list
Listing plugins with pattern ".*" ...
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status: * = running on rabbit@localhost
 |/
[  ] rabbitmq_amqp1_0                  3.9.11
[  ] rabbitmq_auth_backend_cache       3.9.11
[  ] rabbitmq_auth_backend_http        3.9.11
[  ] rabbitmq_auth_backend_ldap        3.9.11
[  ] rabbitmq_auth_backend_oauth2      3.9.11
[  ] rabbitmq_auth_mechanism_ssl       3.9.11
[  ] rabbitmq_consistent_hash_exchange 3.9.11
[  ] rabbitmq_event_exchange           3.9.11
[  ] rabbitmq_federation               3.9.11
[  ] rabbitmq_federation_management    3.9.11
[  ] rabbitmq_jms_topic_exchange       3.9.11
[E*] rabbitmq_management               3.9.11
[e*] rabbitmq_management_agent         3.9.11
[  ] rabbitmq_mqtt                     3.9.11
[  ] rabbitmq_peer_discovery_aws       3.9.11
[  ] rabbitmq_peer_discovery_common    3.9.11
[  ] rabbitmq_peer_discovery_consul    3.9.11
[  ] rabbitmq_peer_discovery_etcd      3.9.11
[  ] rabbitmq_peer_discovery_k8s       3.9.11
[  ] rabbitmq_prometheus               3.9.11
[  ] rabbitmq_random_exchange          3.9.11
[  ] rabbitmq_recent_history_exchange  3.9.11
[  ] rabbitmq_sharding                 3.9.11
[  ] rabbitmq_shovel                   3.9.11
[  ] rabbitmq_shovel_management        3.9.11
[  ] rabbitmq_stomp                    3.9.11
[  ] rabbitmq_stream                   3.9.11
[  ] rabbitmq_stream_management        3.9.11
[  ] rabbitmq_top                      3.9.11
[  ] rabbitmq_tracing                  3.9.11
[  ] rabbitmq_trust_store              3.9.11
[e*] rabbitmq_web_dispatch             3.9.11
[  ] rabbitmq_web_mqtt                 3.9.11
[  ] rabbitmq_web_mqtt_examples        3.9.11
[  ] rabbitmq_web_stomp                3.9.11
[  ] rabbitmq_web_stomp_examples       3.9.11

Here [E*] means explicitly enabled, and [e*] means implicitly enabled.

  • Enable a plug-in
    Using the list above as an example, enable the rabbitmq_web_mqtt plug-in.
I have no name!@0d5cb60e3a06:/opt/bitnami/rabbitmq/plugins$ rabbitmq-plugins enable rabbitmq_web_mqtt
Enabling plugins on node rabbit@localhost:
rabbitmq_web_mqtt
The following plugins have been configured:
  rabbitmq_management
  rabbitmq_management_agent
  rabbitmq_mqtt
  rabbitmq_web_dispatch
  rabbitmq_web_mqtt
Applying plugin configuration to rabbit@localhost...
The following plugins have been enabled:
  rabbitmq_mqtt
  rabbitmq_web_mqtt

started 2 plugins.

Listing the plug-ins again shows [E*] on the rabbitmq_web_mqtt line, which means it is enabled.

I have no name!@0d5cb60e3a06:/opt/bitnami/rabbitmq/plugins$ rabbitmq-plugins list
Listing plugins with pattern ".*" ...
 Configured: E = explicitly enabled; e = implicitly enabled
 | Status: * = running on rabbit@localhost
 |/
....
[E*] rabbitmq_web_mqtt                 3.9.11
....

3.2 web management page

The prerequisite for using the web management page is that the management plug-in, rabbitmq_management, is enabled.
Access address: http://192.168.56.201:15672/, where 192.168.56.201 is the IP address of my machine with RabbitMQ installed.

First, using what we learned above, add a user with permission to configure, read, and write all resources, and give it the administrator role. Then we use this user to log in to the management console.

I have no name!@0d5cb60e3a06:~$ rabbitmqctl add_user user1 123456
Adding user "user1" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.
I have no name!@0d5cb60e3a06:~$ rabbitmqctl set_permissions user1 ".*" ".*" ".*"
Setting permissions for user "user1" in vhost "/" ...
I have no name!@0d5cb60e3a06:~$ rabbitmqctl set_user_tags user1 administrator
Setting tags for user "user1" to [administrator] ...
I have no name!@0d5cb60e3a06:~$ rabbitmqctl list_permissions
Listing permissions for vhost "/" ...
user	configure	write	read
user1	.*	.*	.*
admin	.*	.*	.*

I have no name!@0d5cb60e3a06:~$ rabbitmqctl list_users
Listing users ...
user	tags
admin	[administrator]
user1	[administrator]
hello	[administrator]

login successful

3.3 Management of virtual host


3.4 User management


3.5 Management of Connection, Channel, Exchange, Queues


Origin blog.csdn.net/suyuaidan/article/details/133272464