What permissions do I need to assign to a software, which will monitor my RabbitMQ server? The software agent should monitor most of the metrics explained and recommended in this document.
I think I have to create a user, e.g. monitoring and then give this user access to all virtual hosts which contain ressources that should be monitored.
I think when creating the user I have to assign it the tag monitoring which is a predefined tag.
What I do not understand is, what RegEx I need to assign to configure, write and read. The documentation contains a table with the permissions on ressources.
I think a monitoring software should not be able to create or delete ressources (configure permission) nor should it be able to ADD messages to a queue or READ and ACK messages from a queue. But for example it should be able to read the number of messages waiting in a queue to alert if a queue has a number of growing messages which are not retrieved.
Could anybody explain, what permissions and settings are required for such a monitoring user?
Here is a quick guide from the beginning to the end while you are setting up RabbitMQ queues monitoring.
1) Create an account:
rabbitmqctl add_user monitoring password
2) Add monitoring tag (you can read more about RabbitMQ tags here https://www.rabbitmq.com/management.html)
rabbitmqctl set_user_tags monitoring monitoring
3) Now get the names of your virtual hosts:
rabbitmqctl list_vhosts
4) Add permission for monitoring user to virtual host:
rabbitmqctl set_permissions -p Some_Virtual_Host monitoring "" "" ""
5) Check if access is granted successfully:
curl -s -u monitoring:password http://localhost:15672/api/queues | jq
Look at the "messages" parameter
Optional) You can publish a fake message from the command line:
rabbitmqadmin publish --vhost=Some_Virtual_Host exchange=some_exchange routing_key=outgoing_routing_key payload="hello world"
Look at the "messages" again!
Tip: make sure to enable rabbitmq_management plugin in your RabbitMQ build to be able to execute these queries.
Figured that out myself with some testing. If someone is interested:
Create an account with monitoring tag
Add that account to EVERY vhost that should be monitored and add empty strings ("") to configure, write and read permissions.
With a nice bash script you can then for example get the numbers of messages in every queue:
curl -u username:password \
--silent \
http://<ServerOrIP>:15672/api/queues/<vhostname> | jq '.[] | .name, .messages'
What is jq? An explanation is missing from the answers provided above.
The jq command is in the EPEL repository.
https://www.cyberithub.com/how-to-install-jq-json-processor-on-rhel-centos-7-8/
# yum --enablerepo=epel install jq
Related
I use https://www.rabbitmq.com/direct-reply-to.html for communicating between my two components. Concerning user permissions, I want one of the components to only be able to write into such a reply-to pseudo-queue, so I wanted to setup a separate user and configure its permissions accordingly, but I didn't succeed so far.
How to use rabbitmqctl set_permissions or rabbitmqctl set_topic_permissions for a given user to only allow writing into reply-to pseudo-queues created by https://www.rabbitmq.com/direct-reply-to.html ?
I've installed RabbitMQ on my local machine with no issues and created some queue and exchange policies.
Now I'm trying to set up RabbitMQ on a server on our network. The IT dept has drives mapped. Specifically, they have %HOMEDRIVE% set to U: and %HOMEPATH% set to "". I've read numerous places about that potentially causing issues with the Erlang cookie.
However, everything I've read states that you simply need to copy the cookie over. I've copied the .erlang.cookie file to both C:\Users[myprofile], to U:\ but neither seems to help. When I try the following (without changing %HOMEDRIVE%)
rabbitmqctl set_policy DLX ".*" "{""dead-letter-exchange"":""CM-Dead-Letter""}" --apply-to queues
I get [error] Failed to create cookie file 'u:/.erlang.cookie': enoent -- which is weird because the file is already there.
If I SET HOMEDRIVE=C: and run the same set_policy command, then I get this error:
What do I need to do to get this working on my server?
The target is a custom IBM MQ v9.2 Docker image with basic development setup:
a Queue Manager with a single Queue named 'MY_DEV_QUEUE'
user A with permission to read from the queue
user B with permission to write to the queue
ability to connect to the MQ as admin (from MQExplorer)
(preferred user authentication is username+password)
I'm trying to create a MQSC script custom.mqsc that runs on startup of MQ.
Dockerfile:
FROM ibmcom/mq:9.2.2.0-r1
ENV LICENSE=accept
ENV MQ_DEV=false
ENV MQ_APP_PASSWORD=user-pwd
ENV MQ_ADMIN_PASSWORD=admin-pwd
ENV MQ_QMGR_NAME=MY_DEV_MQ
COPY init/custom.mqsc /etc/mqm/
Setting MQ_DEV=true creates some queues with default names, but I would like to customize them as well as user permissions; and it is still not clear how to connect from MQExplorer in this case.
What is the minimal set of commands in the MQSC script that fulfills these simple requirements?
How to get the password of an existing user in Rabbitmq from CLI?
I got the name of the user by CLI command "sudo rabbitmqctl list_users" and the outupt is as follows:
Listing users ... guest [administrator] openstack []
I want to know the 'openstack' user password.
The user passwords are stored using a one-way hash so there is no way to retrieve their value. You should use the rabbitmqctl change_password command to change that user's password to a known value.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
If you used a deployment solution you might find the password in it's configuration. For example, when you deploy Openstack using kolla-ansible you find the password in /etc/kolla/passwords.yml.
user#deployhost:~$ grep -E ^rabbitmq_password: /etc/kolla/passwords.yml
rabbitmq_password: haH2ZPjVVKmiqoXdRPCYJcdQyzP2cqeU
It might be stored in some secure way, for example an vault if ansible is used for deployment, in this case you need to check the deployment framework on how to retrieve it.
First of all, sorry for my poor english. I would try to explain my problem.
I am using psexec within a script to restart a cluster as follows:
script1 in node1: perform a lot of tasks (shutdown services, check status, etc..) in the node1 and after completing all task launch with psexec the script2 in node2 (psexec-d \ \ node2 script2)
script2 in node2: perform a lot of tasks and launches script3 in node1. Here is, when i recived an "access denied" in psexec when I try to run the script3 in node1. (psexec-d \ \ nodo1 script3)
I launch the script with an user that belongs to the group administrators
For security reasons I can not pass username and password, because it is not safe to leave the credentials in a .bat file.
Additional info:
I´m running the script in W2k3 server
I tried a net use and its all ok
I tried a psexec with -u username and -p username and its all ok
I tried to exec psexec with this syntax: psexec .exe -d \node1 cmd.exe "script3.bat" and returns the same error.
Thks a lot
Best Regards
Finally I have decided to use a watchdog process in the second script, so the script will be launched by this process instead of being launched by psexec.
Thanks a lot for your help and your time devoted to help me.
Best regards
It may be related with an issue that one gets from too many linked server hops using integrated authentication - a double-hop Kerberos problem.
Since Integrated Windows Authentication covers two separate authentication mechanisms:
NTLM v2 -and-
Kerberos,
if you are using Kerberos, since the user's password is never passed to the IIS server, the only way the token on the IIS server is going to hop to another machine on the network is via Kerberos Delegation. If that isn't available or allowed, then the hop won't happen (which is what it sounds like is happening).
Given that you are using default credentials, and if the current security context is an impersonation token that can not delegate, then the credentials you supply will not hop to
the other machine.
Since Windows integrated authentication creates an impersonation token, this is very likely to be the case.
Sources:
psexec problem
Windows authentification thread (forum)
Can you make the call to script2 wait for completion, rather than have script2 call back to node1:
script1 in node1: perform a lot of
tasks (shutdown services, check
status, etc..) in the node1 and after
completing all task launch with psexec
the script2 in node2 (psexec \ \ node2
script2)
script2 in node2: perform a lot of
tasks.
script1 in node1: launches script3.