Operate RabbitMQ by non-Administrator user on Windows


Yusuke Masuda

Aug 16, 2018, 6:21:29 PM
to rabbitmq-users
Hello all,
I am thinking that we will operate RabbitMQ on Windows as a non-Administrator user.

I tried installing RabbitMQ on Windows with the RabbitMQ Windows installer.
The RabbitMQ service is then configured to run as "Local System".
"Local System" (NT AUTHORITY\System) is a built-in user that has Administrator privileges.

I would like to change the service user from "Local System" to "Local Service" (NT AUTHORITY\LocalService).
"Local Service" does not have Administrator privileges; it just has the same privileges as a general user (belonging to the Users group).
Is it possible to operate RabbitMQ as a non-Administrator user?
Then, what privileges should I give the service user?
Also, is there anything to be careful about when operating it as a non-Administrator user?

Regards.
Yusuke


Yusuke Masuda

Aug 28, 2018, 7:25:15 AM
to rabbitmq-users
Hi.
Nobody replied to the mail I sent 2 weeks ago.
Is it impossible to operate RabbitMQ as a non-administrator user?

I found the part below in the NSIS Windows installer source on GitHub.


; Request application privileges for Windows Vista
RequestExecutionLevel admin

It seems to require running with admin privileges on Windows.

Is it a limitation of RabbitMQ on Windows?
Or is it possible to operate RabbitMQ as a non-administrator user when you give the proper privileges to the user who runs the RabbitMQ service?

If it's possible, what privileges should I give the service user?

I hope someone will reply.

Thanks,
Yusuke.



Luke Bakken

Aug 28, 2018, 10:04:04 AM
to rabbitmq-users
Hi Yusuke,

Sometimes messages are missed on this list if RabbitMQ team members are busy with other work. We appreciate your patience.

You can certainly operate RabbitMQ using any user account you'd like, but you will have to set it up yourself and not use the installer.

There are instructions at this link: https://www.rabbitmq.com/install-windows-manual.html

You will have to adjust the steps for a non-admin user. For instance, you can't install to C:\Program Files.

You will have to run rabbitmq-service.bat install as an administrator. It will use the SYSTEM account, but you can go into the service manager and change the service to run under a different account.

If you have issues, feel free to follow up here.

Thanks,
Luke

Yusuke Masuda

Aug 30, 2018, 7:58:36 PM
to rabbitm...@googlegroups.com
Hi Luke,

Thank you for answering my question.
I'm glad to know that we are able to operate RabbitMQ without administrator privileges.

I have a few questions about your answer.

1. Procedure steps to set up

 You guided me to install manually and configure the service user in the Windows service manager.
 Is it OK to install with the Windows installer and change the service user from SYSTEM to a non-administrator user (e.g. Local Service)?
 If not, please let me know the difference.

2. Write privileges

 Which folders does RabbitMQ need write privileges for?
 In my understanding, it is enough to give the privileges to the data folder and the log folder.
 These locations are defined by environment variables.


Thanks,
Yusuke.




Luke Bakken

Aug 31, 2018, 10:07:15 AM
to rabbitmq-users
Hi Yusuke -

> You guided me to install manually and configure the service user in the Windows service manager.
> Is it OK to install with the Windows installer and change the service user from SYSTEM to a non-administrator user (e.g. Local Service)?

Sure, you can do this, as long as the user account can write to the necessary directories.

The installer requires that you use an administrative user to run it. After installation, RabbitMQ will use that user's %AppData%\RabbitMQ directory as the location to save data. So, if you install using the administrative user admin but want to run using the account non_admin, you would switch the service account to non_admin, then change the permissions on C:\Users\admin\AppData\Roaming\RabbitMQ so that non_admin has the necessary permissions to work.

> Which folders does RabbitMQ need write privileges for?
> In my understanding, it is enough to give the privileges to the data folder and the log folder.

I suggest using the following installation process, which I just tested on Windows 8.1 using Erlang 20.3 and RabbitMQ 3.7.7:

* Install Erlang
* Set the system-wide environment variable RABBITMQ_BASE to C:\ProgramData\RabbitMQ
* Create the C:\ProgramData\RabbitMQ directory and give your non-admin user "Full Control" access to it and its sub-objects (inheritance enabled)
* Open an administrative command prompt and ensure that RABBITMQ_BASE is set correctly by running echo %RABBITMQ_BASE%
* Use that command prompt to install RabbitMQ from the .exe installer
* The installer creates a "RabbitMQ Command Prompt (sbin dir)" start menu item; open that
* You will probably have to copy the Erlang cookie to your admin user's home directory. Most likely these are the commands to do it - change the destination paths as necessary:

del /F C:\Users\admin\.erlang.cookie
del /F C:\Users\non_admin\.erlang.cookie
copy /Y C:\Windows\system32\config\systemprofile\.erlang.cookie C:\Users\admin
copy /Y C:\Windows\system32\config\systemprofile\.erlang.cookie C:\Users\non_admin

* Run .\rabbitmq-service.bat stop
* Change the RabbitMQ service to use the non-admin user via services.msc. I used a new local account that is a regular user account.
* Re-start the RabbitMQ service
* Verify that you are running as the non-admin user. In the "RabbitMQ Command Prompt", run this:

.\rabbitmqctl.bat eval "os:cmd(""whoami"")."

In my environment, the above outputs the following, which is my non-admin user:

"win81\\y-lbakken\r\n"

Thanks,
Luke
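
A read-only check of the end state that the procedure above aims for, as an added example that is not part of Luke's message or of the RabbitMQ project. It assumes the Windows service is named RabbitMQ, that the service account is a regular local or domain account as in Luke's test, and Windows PowerShell 5.1; the parameter names are illustrative.

```powershell
# Added example: audits the end state of the procedure; changes nothing.
# Run from an elevated Windows PowerShell 5.1 prompt on the broker host.
param(
    [string]$ServiceName = 'RabbitMQ',                # assumed service name
    [string]$BaseDir     = 'C:\ProgramData\RabbitMQ'  # path used in the thread
)
$findings = @()

# 1. RABBITMQ_BASE must be set system-wide to the prepared directory.
$base = [Environment]::GetEnvironmentVariable('RABBITMQ_BASE', 'Machine')
if ($base -ne $BaseDir) { $findings += "RABBITMQ_BASE is '$base', expected '$BaseDir'" }

# 2. The service must no longer log on as LocalSystem.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
$account = $svc.StartName
if ($account -eq 'LocalSystem') {
    $findings += 'Service still logs on as LocalSystem'
    $account = 'NT AUTHORITY\SYSTEM'
}

# Resolve the logon account to a SID so name formats (".\user") do not matter.
$account = $account -replace '^\.\\', "$env:COMPUTERNAME\"
$sid = ([Security.Principal.NTAccount]$account).Translate([Security.Principal.SecurityIdentifier])

# 3. The account must not be a direct member of BUILTIN\Administrators
#    (nested or domain group membership is not expanded here).
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
if ($admins.SID.Value -contains $sid.Value) {
    $findings += "$account is a member of Administrators"
}

# 4. The account needs an inheritable Full Control entry on the base directory.
if (Test-Path -LiteralPath $BaseDir -PathType Container) {
    $rules = (Get-Acl -LiteralPath $BaseDir).GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])
    $grant = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights  -eq 'FullControl' -and
        $_.InheritanceFlags  -eq 'ContainerInherit, ObjectInherit'
    }
    if (-not $grant) { $findings += "$account has no inheritable Full Control on $BaseDir" }
} else {
    $findings += "$BaseDir does not exist"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "OK: '$ServiceName' runs as $account with access to $BaseDir"
```

The script exits with status 1 and prints one warning per deviation, so it can be rerun after each change to the service account or directory permissions.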

Yusuke Masuda

Aug 31, 2018, 5:14:26 PM
to rabbitm...@googlegroups.com
Hi Luke,

Thank you for your quick response, and for clarifying the procedures.
I will try doing it. Please give me a little time.


Thanks,
Yusuke

