Skip to content

Present the 'admin' user as 'default user with admin permissions' #350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
coro opened this issue Sep 18, 2020 · 0 comments · Fixed by #388
Closed

Present the 'admin' user as 'default user with admin permissions' #350

coro opened this issue Sep 18, 2020 · 0 comments · Fixed by #388

Comments

@coro
Copy link
Contributor

coro commented Sep 18, 2020
edited
Loading

Is your feature request related to a problem? Please describe.
The operator creates a default user for a RabbitMQ Cluster, with a random username/password. This is done through the configuration in /etc/rabbitmq/conf.d/default_user.conf as of #346.

The Secret containing the credentials of this user is presented in the Status field of the RabbitmqCluster CR:

$ k describe rabbitmqclusters.rabbitmq.com bunny

...
Status:
  Admin:
    Secret Reference:
      Keys:
        Password:  password
        Username:  username
      Name:        config-rabbit-rabbitmq-admin
      Namespace:   rabbitmq-system
   Service Reference:
     Name:       config-rabbit-rabbitmq-client
     Namespace:  rabbitmq-system

The issue is, this user doesn't have to be an admin. A user can specify that the default user, for whatever reason, is not admin, by setting default_user_tags.administrator = false in their additionalConfig. Usually, the administrator tag is present:

$ k exec bunny-rabbitmq-server-0 rabbitmqctl list_users
Listing users ...
user    tags
kYbsLQFdSA-Z4ZY6BBitcFdazPeLPowo        [administrator]

However, creating a cluster with the following spec:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster       
metadata:
  name: foo-cluster   
spec:
  replicas: 1    
  rabbitmq:
    additionalConfig: "default_user_tags.administrator = false"

creates an 'admin' user that isn't actually an admin!

$ k exec foo-cluster-rabbitmq-server-0 rabbitmqctl list_users
Listing users ...
user    tags
7PD4ho7fjS8EPAoHmn8aLL8pfb8HVK9h        []

The status for this CR still reports the creds under 'Admin', however.

Describe the solution you'd like
Any default user configuration should still be displayed in the Status of the CR, but representing the user (and optionally its permissions / tags) as a default, rather than an admin. For a rough example:

$ k describe rabbitmqclusters.rabbitmq.com bunny

...
Status:
  Default User:
    Permissions:
      Configure: .*
      Read: .*
      Write: .*
    Tags:
    - administrator
    - management
    - policymaker
    Secret Reference:
      Keys:
        Password:  password
        Username:  username
      Name:        config-rabbit-rabbitmq-default-user
      Namespace:   rabbitmq-system
   Service Reference:
     Name:       config-rabbit-rabbitmq-client
     Namespace:  rabbitmq-system

Note the secret name has been changed to have a -default-user suffix rather than -admin.
ansd added a commit that referenced this issue Oct 9, 2020
@ansd
Rename admin to default user
a3ab4b0 
Closes #350
@ansd ansd mentioned this issue Oct 9, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Rename admin to default user rabbitmq/cluster-operator
1 participant
@coro