Skip to content

Latest commit

 

History

History
98 lines (63 loc) · 6.18 KB

howto-user-management.md

File metadata and controls

98 lines (63 loc) · 6.18 KB
copyright lastupdated keywords subcollection
years
2019, 2024
2024-12-05
rabbitmq, rabbitmq users
messages-for-rabbitmq

{{site.data.keyword.attribute-definition-list}}

Managing users and permissions

{: #user-management}

{{site.data.keyword.messages-for-rabbitmq_full}} uses RabbitMQ's built-in access control.

When you provision a new deployment in {{site.data.keyword.cloud_notm}}, you are automatically given an admin user to access and manage RabbitMQ. You can also add users in the Service Credentials panel, which allows for access to RabbitMQ to be integrated with your {{site.data.keyword.cloud_notm}} account and IAM, with the {{site.data.keyword.databases-for}} CLI plug-in, or the {{site.data.keyword.databases-for}} API.

Since {{site.data.keyword.messages-for-rabbitmq}} comes with the RabbitMQ Management plug-in enabled, user access is also controlled by user tags{: external}. These tags control what information is available to users through the management UI, rabbitmqadmin, and the RabbitMQ HTTP API.

The admin user

{: #admin-user}

Every RabbitMQ deployment comes with an admin user. This admin user had full administrative privileges on your RabbitMQ deployment. The primary difference between the admin user and any other users you add to your deployment is the ability to provision new vhosts and manage all other users' permissions and access. admin is the only user that is initially granted access to all the settings and configuration that is found in the Admin tab in the management UI.

Before you log in with the admin user, set the password.

Setting the Admin password in the UI

{: #user-management-set-admin-password-ui} {: ui}

Set your Admin password through the UI by selecting your instance from the Resource List in the {{site.data.keyword.cloud_notm}} Dashboard{: external}. Then, select Settings. Next, select Change Database Admin Password.

Setting the Admin password in the CLI

{: #user-management-set-admin-password-cli} {: cli}

Use the cdb user-password command from the {{site.data.keyword.cloud_notm}} CLI {{site.data.keyword.databases-for}} plug-in to set the admin password.

For example, to set the admin password for a deployment named example-deployment, use the following command:

ibmcloud cdb user-password example-deployment admin <newpassword>

{: pre}

Setting the Admin password in the API

{: #user-management-set-admin-password-api} {: api}

The Foundation Endpoint that is shown on the Overview panel Deployment Details section of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password{: external} endpoint to set the admin password.

curl -X PATCH `https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin` \
-H `Authorization: Bearer <>` \
-H `Content-Type: application/json` \ 
-d `{"password":"newrootpasswordsupersecure21"}` \

{: pre}

Service credential users

{: #service-cred-user}

Users that you create through the Service Credentials panel are given full permissions to configure, write, and read on the default Virtual Host.

They are also automatically tagged with the "monitoring" tag, allowing users to access the management plug-in and see all connections, channels, and node-related information. These users given a limited view of the Admin tab and the functions that are found there.

If you need users that are created from Service Credentials to have more privileges, you can log in with the admin user and grant them.

Users created through the CLI

{: #cli-user} {: cli}

Users that you create through the {{site.data.keyword.databases-for}} CLI plug-in are given the same permissions as Service credential users. They have full permissions on the default Virtual Host and are tagged with the "monitoring" tag. If you need them to have more privileges, you can grant them while logged in with the admin user.

Users that are created directly from the CLI do not appear in Service credentials, but you can add them if you choose.

Users created through the API

{: #api-user} {: api}

Users that you create through the {{site.data.keyword.databases-for}} API are given the same permissions as Service Credential users. They have full permissions on the default Virtual Host and are tagged with the "monitoring" tag. If you need them to have more privileges, you can grant them while logged in with the admin user.

Users that are created directly from the API do not appear in Service Credentials, but you can add them if you choose.

RabbitMQ users

{: #rabbitmq-user}

Bypass creating users in Service Credentials and create users directly in RabbitMQ. The RabbitMQ Management plug-in UI has a tab for user creation and management available to the admin user on your deployment.

Users who are created directly in RabbitMQ do not appear in Service Credentials, but you can add them. These users will not be integrated with IAM controls, even if added to Service Credentials.

The ibm user

{: #ibm-user}

If you log in to the management UI with your admin user, don't create a user with name ìbm, as this user is used internally. Creating an ibm account is not advised and can disrupt the availability of your deployment.