We've looked at doing passive queue declares to get queue depths for alerting, reporting and auto-scaling of our consumers. Unfortunately passive queue declares appear to require configure access. I can see why queue.declare requires this but passive commands perhaps should have a different bit setting?
In addition, we are currently doing all of our monitoring via the Management Plugin's API. Unfortunately to get any data, the user calling the API to list information requires administration access. I'd love to be able to let Nagios/Your_Monitoring_Solution_Here poll the Rabbit node and get data without giving it access to change all of the configuration state and remove users.
We've looked at doing passive queue declares to get queue depths for alerting, reporting and auto-scaling of our consumers. Unfortunately passive queue declares appear to require configure access. I can see why queue.declare requires this but passive commands perhaps should have a different bit setting?We've moved to monitoring this with custom checks to the web API.
That's actually something I've been wanting to bring up on the list. Currently, we give Nagios it's own user with admin access so it can use the REST API. We also have a provisioning user that is used to create (via the REST API) the various users our apps need in the individual Chef recipes (we wrote a Chef "library" to abstract out the API). It would be nice to have a "read only" admin type that doesn't allow that type of admin to create/change permissions, because it looks like outside of being able to change permissions that standard RMQ permissions apply to the API.
On 29/06/11 23:17, Gavin M. Roy wrote:
> We've looked at doing passive queue declares to get queue depths for
> alerting, reporting and auto-scaling of our consumers. Unfortunately
> passive queue declares appear to require configure access. I can see why
> queue.declare requires this but passive commands perhaps should have a
> different bit setting?
That will change in the next release - passive declare won't require any
permissions. The code change for that is already on 'default'.
> Another one that seems a bit strange is in order to acknowledge message
> receipt (i.e. Basic.Ack) it appears that one has to have the write
> permission set for the given user+queue.
That can't be right. basic.ack requires no permissions whatsoever.
> In addition, we are currently doing all of our monitoring via the
> Management Plugin's API. Unfortunately to get any data, the user calling
> the API to list information requires administration access. I'd love to
> be able to let Nagios/Your_Monitoring_Solution_Here poll the Rabbit node
> and get data without giving it access to change all of the configuration
> state and remove users.
Again, that should change in the next release. The code for it is going
through qa atm.
Regards,
Matthias.
_______________________________________________
rabbitmq-discuss mailing list
rabbitmq...@lists.rabbitmq.com
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
On 29/06/11 23:17, Gavin M. Roy wrote:That will change in the next release - passive declare won't require any permissions. The code change for that is already on 'default'.
We've looked at doing passive queue declares to get queue depths for
alerting, reporting and auto-scaling of our consumers. Unfortunately
passive queue declares appear to require configure access. I can see why
queue.declare requires this but passive commands perhaps should have a
different bit setting?
That can't be right. basic.ack requires no permissions whatsoever.Another one that seems a bit strange is in order to acknowledge message
receipt (i.e. Basic.Ack) it appears that one has to have the write
permission set for the given user+queue.
Again, that should change in the next release. The code for it is going through qa atm.In addition, we are currently doing all of our monitoring via the
Management Plugin's API. Unfortunately to get any data, the user calling
the API to list information requires administration access. I'd love to
be able to let Nagios/Your_Monitoring_Solution_Here poll the Rabbit node
and get data without giving it access to change all of the configuration
state and remove users.
Again, that should change in the next release. The code for it is going through qa atm.In addition, we are currently doing all of our monitoring via the
Management Plugin's API. Unfortunately to get any data, the user calling
the API to list information requires administration access. I'd love to
be able to let Nagios/Your_Monitoring_Solution_Here poll the Rabbit node
and get data without giving it access to change all of the configuration
state and remove users.
API access never required the admin flag in =< 2.5.1, just that
non-admins can only see their own stuff, and can't see broker-wide info
at all.
The admin flag has been replaced by a "tags" field for users. Users can
be given arbitrary tags within rabbitmq-server. rabbitmq-management then
checks for the following tags:
"administrator" (do everything, same as admin before)
"monitoring" (look at everything, but only touch your own stuff)
"management" (limited access to mgmt, same as non-admin before)
Note also that by giving a user no tags you can lock them out of mgmt
completely. This would be useful if (for example) you use secret queue
names as capabilities.
> Also, any idea on the rev #?
Well, it's landed on default now, but you'll need default of everything.
Not sure what all the revision numbers are.
Cheers, Simon
--
Simon MacMullen
RabbitMQ, VMware
On 06/07/11 01:28, Jason J. W. Williams wrote:API access never required the admin flag in =< 2.5.1, just that non-admins can only see their own stuff, and can't see broker-wide info at all.
What form will this take? Is it going to be a new flag, or will API
access no longer required the "admin" flag?
The admin flag has been replaced by a "tags" field for users. Users can be given arbitrary tags within rabbitmq-server. rabbitmq-management then checks for the following tags:
"administrator" (do everything, same as admin before)
"monitoring" (look at everything, but only touch your own stuff)
"management" (limited access to mgmt, same as non-admin before)
Note also that by giving a user no tags you can lock them out of mgmt completely. This would be useful if (for example) you use secret queue names as capabilities.