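1. Multi-tenancy and permissions
Overview
Every RabbitMQ server can create virtual message servers, called virtual hosts, or vhosts for short. Each vhost is essentially a small independent RabbitMQ server with its own queues, exchanges and bindings, and its own permissions. A vhost relates to the RabbitMQ server much as a virtual machine relates to a physical server: the instances are logically separated from one another so that different applications can handle their data securely and confidentially. This keeps the many users of one RabbitMQ server apart and avoids naming conflicts between queues, exchanges and so on. vhosts are completely isolated from each other: an exchange in vhost1 cannot be bound to a queue in vhost2, which provides both security and portability.
Using the vhost commands
Create a vhost named test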
[root@node01 ~]# rabbitmqctl add_vhost test
Adding vhost "test" ...
List vhosts
[root@node01 ~]# rabbitmqctl list_vhosts
Listing vhosts ...
name
/
test
List vhost details: name is the vhost name; tracing indicates whether the trace feature is enabled.
[root@node01 ~]# rabbitmqctl list_vhosts name tracing
Listing vhosts ...
name tracing
/ false
test false
[root@node01 ~]#
Delete a vhost
[root@node01 ~]# rabbitmqctl delete_vhost test
Deleting vhost "test" ...
[root@node01 ~]# rabbitmqctl list_vhosts
Listing vhosts ...
name
/
[root@node01 ~]#
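RabbitMQ authorization
The AMQP protocol does not specify whether permissions are implemented at the vhost level or at the server level; that is left to each implementation. In RabbitMQ, access control is per vhost. When a user is created, it is usually assigned to at least one vhost, and it can only access the queues, exchanges and bindings inside the vhosts it has been assigned to. Granting a permission in RabbitMQ therefore means granting it to a user at the vhost level.
Grant command: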
rabbitmqctl set_permissions [ -p vhost ] { user } { conf } { write } { read }
e.g.
Grant the user root access to the vhost test, with configure, write and read permissions on all resources
[root@node01 ~]# rabbitmqctl add_user root 123321
Adding user "root" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.
[root@node01 ~]# rabbitmqctl set_permissions -p test root ".*" ".*" ".*"
Setting permissions for user "root" in vhost "test" ...
[root@node01 ~]#
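Grant the user root access to the vhost test2, with configure permission on resources whose names start with "queue", and write and read permissions on all resources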
[root@node01 ~]# rabbitmqctl add_vhost test2
Adding vhost "test2" ...
[root@node01 ~]# rabbitmqctl set_permissions -p test2 root "^queue.*" ".*" ".*"
Setting permissions for user "root" in vhost "test2" ...
[root@node01 ~]#
Clear permissions
[root@node01 ~]# rabbitmqctl clear_permissions -p test root
Clearing permissions for user "root" in vhost "test" ...
[root@node01 ~]#
Show the permissions on a vhost
[root@node01 ~]# rabbitmqctl list_permissions -p test2
Listing permissions for vhost "test2" ...
user configure write read
root ^queue.* .* .*
Show a user's permissions
[root@node01 ~]# rabbitmqctl list_user_permissions root
Listing permissions for user "root" ...
vhost configure write read
test2 ^queue.* .* .*
[root@node01 ~]#
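An added example (not from the original post) of auditing the grants shown above: the function reads rabbitmqctl list_permissions output and flags patterns that match every resource name, or that lack a leading ^ and so match anywhere in a name. It assumes tab-separated columns; the users orders_app and legacy in the sample are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: flag over-broad grants in `rabbitmqctl list_permissions` output.
# Assumption: columns are tab-separated (user, configure, write, read).

# audit_permissions VHOST -- reads the listing on stdin and prints
# "vhost<TAB>user<TAB>operation<TAB>finding" for every risky pattern.
audit_permissions() {
  awk -F'\t' -v vhost="$1" '
    BEGIN { op[2] = "configure"; op[3] = "write"; op[4] = "read" }
    /^Listing permissions/ || $1 == "user" || NF != 4 { next }  # banner, header
    {
      for (i = 2; i <= 4; i++) {
        pat = $i
        if (pat == "" || pat == "^$") continue     # empty pattern: no access
        core = pat; sub(/^\^/, "", core); sub(/\$$/, "", core)
        if (core == ".*")
          finding = "WILDCARD"                      # matches every resource name
        else if (pat !~ /^\^/)
          finding = "UNANCHORED"                    # "queue" also matches "myqueue"
        else
          continue                                  # anchored, specific pattern
        printf "%s\t%s\t%s\t%s\n", vhost, $1, op[i], finding
      }
    }'
}

# Constructed sample: the test2 listing from this page plus two hypothetical users.
sample_listing() {
  printf 'Listing permissions for vhost "test2" ...\n'
  printf 'user\tconfigure\twrite\tread\n'
  printf 'root\t^queue.*\t.*\t.*\n'
  printf 'orders_app\t^$\t^orders\\.\t^orders\\.\n'
  printf 'legacy\tqueue\t^$\t^queue\\.in$\n'
}

# Stand-alone run. On a broker:
#   rabbitmqctl list_permissions -p test2 | audit_permissions test2
sample_listing | audit_permissions test2
```

For the test2 grant on this page, only configure is narrowed by "^queue.*"; write and read remain ".*" and are both reported.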
2. User management
Create a user
Create a user named test2 with the password 000000
[root@node01 ~]# rabbitmqctl add_user test2 000000
Adding user "test2" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.
[root@node01 ~]#
Change a user's password
[root@node01 ~]# rabbitmqctl change_password root 111111
Changing password for user "root" ...
[root@node01 ~]#
Clear a password
[root@node01 ~]# rabbitmqctl clear_password test2
Clearing password for user "test2" ...
[root@node01 ~]#
Authenticate a user with a password
[root@node01 ~]# rabbitmqctl authenticate_user root 111111
Authenticating user "root" ...
Success
[root@node01 ~]# rabbitmqctl authenticate_user root 000000
Authenticating user "root" ...
Error:
Error: failed to authenticate user "root"
user 'root' - invalid credentials
[root@node01 ~]#
Delete a user
[root@node01 ~]# rabbitmqctl list_users
Listing users ...
user tags
test2 []
admin [administrator]
guest [administrator]
root []
[root@node01 ~]# rabbitmqctl delete_user root
Deleting user "root" ...
[root@node01 ~]# rabbitmqctl list_users
Listing users ...
user tags
test2 []
admin [administrator]
guest [administrator]
[root@node01 ~]#
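User roles
- none: the default for newly created users
- management: can access the web UI
- policymaker: includes all management permissions
- monitoring: includes all management permissions, and can see all connections, channels, etc.
- administrator: the highest level of privilege
Setting user roles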
[root@node01 ~]# rabbitmqctl set_user_tags test2 management
Setting tags for user "test2" to [management] ...
[root@node01 ~]# rabbitmqctl list_users -q
user tags
test2 [management]
admin [administrator]
guest [administrator]
[root@node01 ~]#
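3. Web management
Overview
rabbitmqctl is not very user-friendly. The RabbitMQ management plugin provides a web UI for managing vhosts and users, and can also be used to manage queues, exchanges, bindings, policies, parameters and so on.
Enable RabbitMQ management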
[root@node01 ~]# rabbitmq-plugins enable rabbitmq_management
Enabling plugins on node rabbit@node01:
rabbitmq_management
The following plugins have been configured:
rabbitmq_management
rabbitmq_management_agent
rabbitmq_web_dispatch
Applying plugin configuration to rabbit@node01...
Plugin configuration unchanged.
[root@node01 ~]#
Check plugin status
[root@node01 ~]# rabbitmq-plugins list
Listing plugins with pattern ".*" ...
Configured: E = explicitly enabled; e = implicitly enabled
| Status: * = running on rabbit@node01
|/
[ ] rabbitmq_amqp1_0 3.8.14
[ ] rabbitmq_auth_backend_cache 3.8.14
[ ] rabbitmq_auth_backend_http 3.8.14
[ ] rabbitmq_auth_backend_ldap 3.8.14
[ ] rabbitmq_auth_backend_oauth2 3.8.14
[ ] rabbitmq_auth_mechanism_ssl 3.8.14
[ ] rabbitmq_consistent_hash_exchange 3.8.14
[ ] rabbitmq_event_exchange 3.8.14
[ ] rabbitmq_federation 3.8.14
[ ] rabbitmq_federation_management 3.8.14
[ ] rabbitmq_jms_topic_exchange 3.8.14
[E*] rabbitmq_management 3.8.14
[e*] rabbitmq_management_agent 3.8.14
[ ] rabbitmq_mqtt 3.8.14
[ ] rabbitmq_peer_discovery_aws 3.8.14
[ ] rabbitmq_peer_discovery_common 3.8.14
[ ] rabbitmq_peer_discovery_consul 3.8.14
[ ] rabbitmq_peer_discovery_etcd 3.8.14
[ ] rabbitmq_peer_discovery_k8s 3.8.14
[ ] rabbitmq_prometheus 3.8.14
[ ] rabbitmq_random_exchange 3.8.14
[ ] rabbitmq_recent_history_exchange 3.8.14
[ ] rabbitmq_sharding 3.8.14
[ ] rabbitmq_shovel 3.8.14
[ ] rabbitmq_shovel_management 3.8.14
[ ] rabbitmq_stomp 3.8.14
[ ] rabbitmq_top 3.8.14
[ ] rabbitmq_tracing 3.8.14
[ ] rabbitmq_trust_store 3.8.14
[e*] rabbitmq_web_dispatch 3.8.14
[ ] rabbitmq_web_mqtt 3.8.14
[ ] rabbitmq_web_mqtt_examples 3.8.14
[ ] rabbitmq_web_stomp 3.8.14
[ ] rabbitmq_web_stomp_examples 3.8.14
[root@node01 ~]#
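Plugins marked [E*] are explicitly enabled
Plugins marked [e*] are implicitly enabled
After enabling this feature, the service must be restarted before it takes effect
Disable RabbitMQ management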
[root@node01 ~]# rabbitmq-plugins disable rabbitmq_management
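Log in to the web UI
4. Application management
Stop the Erlang VM running RabbitMQ and the RabbitMQ application.
If pid_file is specified, also wait for the specified process to exit.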
[root@node01 ~]# rabbitmqctl stop
Stop the Erlang VM running RabbitMQ and the RabbitMQ application.
This command blocks until the Erlang VM process exits
[root@node01 ~]# rabbitmqctl shutdown
rabbitmqctl stop_app
Stop the RabbitMQ application while leaving the Erlang VM running
rabbitmqctl start_app
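Start the RabbitMQ application. It is used to restart the previously stopped RabbitMQ application after other management operations have been performed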
rabbitmqctl wait [pid_file]
Wait for the RabbitMQ application to start
rabbitmqctl reset
Reset the RabbitMQ node to its original state
rabbitmqctl force_reset
Forcibly reset the RabbitMQ node to its original state
rabbitmqctl rotate_logs [suffix]
Instruct the RabbitMQ node to rotate its log files.
rabbitmqctl hipe_compile {directory}
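Compile the RabbitMQ code with HiPE and save the compiled .beam files to the specified directory.
HiPE: High Performance Erlang
.beam: the file format produced by the Erlang compiler, which can be loaded directly into the Erlang VM and run
5. Cluster management
Join a node to the specified cluster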
[root@node01 ~]# rabbitmqctl join_cluster {cluster_node} [--ram]
Show the cluster status
[root@node01 ~]# rabbitmqctl cluster_status
Cluster status of node rabbit@node01 ...
Basics
Cluster name: rabbit@node01
Disk Nodes
rabbit@node01
RAM Nodes
rabbit@node02
rabbit@node03
Running Nodes
rabbit@node01
rabbit@node02
rabbit@node03
Versions
rabbit@node01: RabbitMQ 3.8.14 on Erlang 23.3.1
rabbit@node02: RabbitMQ 3.8.14 on Erlang 23.3.1
rabbit@node03: RabbitMQ 3.8.14 on Erlang 23.3.1
Maintenance status
Node: rabbit@node01, status: not under maintenance
Node: rabbit@node02, status: not under maintenance
Node: rabbit@node03, status: not under maintenance
Alarms
(none)
Network Partitions
(none)
Listeners
Node: rabbit@node01, interface: [::], port: 15672, protocol: http, purpose: HTTP API
Node: rabbit@node01, interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Node: rabbit@node01, interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Node: rabbit@node02, interface: [::], port: 15672, protocol: http, purpose: HTTP API
Node: rabbit@node02, interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Node: rabbit@node02, interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Node: rabbit@node03, interface: [::], port: 15672, protocol: http, purpose: HTTP API
Node: rabbit@node03, interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Node: rabbit@node03, interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Feature flags
Flag: drop_unroutable_metric, state: enabled
Flag: empty_basic_get_metric, state: enabled
Flag: implicit_default_bindings, state: enabled
Flag: maintenance_mode_status, state: enabled
Flag: quorum_queue, state: enabled
Flag: user_limits, state: enabled
Flag: virtual_host_metadata, state: enabled
[root@node01 ~]#
Change the type of a cluster node
rabbitmqctl change_cluster_node_type { disc|ram }
Remove a node from the cluster
rabbitmqctl forget_cluster_node [offline]
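Before the application on a cluster node starts, consult the clusternode node for the latest information and update the cluster information accordingly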
rabbitmqctl update_cluster_nodes {clusternode}
Ensure that the node can start even if it was not the last node to shut down
rabbitmqctl force_boot
Instruct the slave mirrors of the unsynchronised queue to synchronise with the contents of the master mirror
rabbitmqctl sync_queue [-p vhost] { queue }
Cancel mirror synchronisation for the queue
rabbitmqctl cancel_sync_queue queue
6. Server status
Return details of queues
rabbitmqctl list_queues [ -p vhost] [ queueinfoitem … ]
queueinfoitem can take many values; to be added later
[root@node01 ~]# rabbitmqctl list_queues
Timeout: 60.0 seconds ...
Listing queues for vhost / ...
name messages
x-max-priority 0
[root@node01 ~]#
Return details of exchanges
rabbitmqctl list_exchanges [ -p vhost] [ exchangeinfoitem … ]
exchangeinfoitem can take many values; to be added later
[root@node01 ~]# rabbitmqctl list_exchanges
Listing exchanges for vhost / ...
name type
amq.rabbitmq.trace topic
amq.match headers
direct
amq.direct direct
amq.headers headers
amq.topic topic
amq.fanout fanout
[root@node01 ~]#
Return details of bindings
rabbitmqctl list_bindings [ -p vhost] [ bindinginfoitem … ]
bindinginfoitem can take many values; to be added later
[root@node01 ~]# rabbitmqctl list_bindings
Listing bindings for vhost /...
source_name source_kind destination_name destination_kind routing_key arguments
exchange x-max-priority queue x-max-priority []
[root@node01 ~]#
Return statistics about TCP/IP connections
rabbitmqctl list_connections [ connectioninfoitem … ]
connectioninfoitem can take many values; to be added later
[root@node01 ~]# rabbitmqctl list_connections
Listing connections ...
[root@node01 ~]#
Return information about all current channels
rabbitmqctl list_channels [ channelinfoitem … ]
[root@node01 ~]# rabbitmqctl list_channels
Listing channels ...
[root@node01 ~]#
List consumer information
rabbitmqctl list_consumers [ -p vhost]
[root@node01 ~]# rabbitmqctl list_consumers
Listing consumers in vhost / ...
[root@node01 ~]#
Show the status of the broker
[root@node01 ~]# rabbitmqctl status
Status of node rabbit@node01 ...
Runtime
OS PID: 61329
OS: Linux
Uptime (seconds): 20692
Is under maintenance?: false
RabbitMQ version: 3.8.14
Node name: rabbit@node01
Erlang configuration: Erlang/OTP 23 [erts-11.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]
Erlang processes: 473 used, 1048576 limit
Scheduler run queue: 1
Cluster heartbeat timeout (net_ticktime): 60
Plugins
Enabled plugin file: /etc/rabbitmq/enabled_plugins
Enabled plugins:
* rabbitmq_management
* amqp_client
* rabbitmq_web_dispatch
* cowboy
* cowlib
* rabbitmq_management_agent
Data directory
Node data directory: /var/lib/rabbitmq/mnesia/rabbit@node01
Raft data directory: /var/lib/rabbitmq/mnesia/rabbit@node01/quorum/rabbit@node01
Config files
Log file(s)
* /var/log/rabbitmq/rabbit@node01.log
* /var/log/rabbitmq/rabbit@node01_upgrade.log
Alarms
(none)
Memory
Total memory used: 0.0959 gb
Calculation strategy: rss
Memory high watermark setting: 0.4 of available memory, computed to: 0.4095 gb
other_proc: 0.0324 gb (31.0 %)
code: 0.0283 gb (27.07 %)
allocated_unused: 0.0192 gb (18.36 %)
other_system: 0.0134 gb (12.82 %)
plugins: 0.004 gb (3.78 %)
other_ets: 0.0034 gb (3.28 %)
mgmt_db: 0.0015 gb (1.43 %)
atom: 0.0015 gb (1.39 %)
metrics: 0.0002 gb (0.22 %)
binary: 0.0002 gb (0.18 %)
queue_procs: 0.0001 gb (0.12 %)
mnesia: 0.0001 gb (0.11 %)
connection_other: 0.0001 gb (0.1 %)
msg_index: 0.0001 gb (0.09 %)
quorum_ets: 0.0 gb (0.05 %)
connection_channels: 0.0 gb (0.0 %)
connection_readers: 0.0 gb (0.0 %)
connection_writers: 0.0 gb (0.0 %)
queue_slave_procs: 0.0 gb (0.0 %)
quorum_queue_procs: 0.0 gb (0.0 %)
reserved_unallocated: 0.0 gb (0.0 %)
File Descriptors
Total: 6, limit: 927
Sockets: 0, limit: 832
Free Disk Space
Low free disk space watermark: 0.05 gb
Free disk space: 26.5672 gb
Totals
Connection count: 0
Queue count: 1
Virtual host count: 3
Listeners
Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
[root@node01 ~]#
Run a health check on the RabbitMQ node
[root@node01 ~]# rabbitmqctl node_health_check
This command is DEPRECATED and will be removed in a future version.
It performs intrusive, opinionated health checks and requires a fully booted node.
Use one of the options covered in https://www.rabbitmq.com/monitoring.html#health-checks instead.
Timeout: 70 seconds ...
Checking health of node rabbit@node01 ...
Health check passed
[root@node01 ~]#
Show the name and value of every variable in the environment of each running application
[root@node01 ~]# rabbitmqctl environment
Application environment of node rabbit@node01 ...
[{amqp_client,
[{prefer_ipv6,false},{ssl_options,[]},{writer_gc_threshold,1000000000}]},
{asn1,[]},
{aten,
[{detection_threshold,0.99},
{heartbeat_interval,100},
{poll_interval,5000},
{scaling_factor,1.5}]},
{compiler,[]},
{cowboy,[]},
{cowlib,[]},
{credentials_obfuscation,[{enabled,true}]},
{crypto,[{fips_mode,false},{rand_cache_size,896}]},
{cuttlefish,[]},
{gen_batch_server,[]},
{goldrush,[]},
{inets,[]},
{jsx,[]},
{kernel,
[{inet_default_connect_options,[{nodelay,true}]},
{inet_dist_listen_max,25672},
{inet_dist_listen_min,25672},
{logger,
[{handler,default,logger_std_h,
#{config => #{type => standard_io},
formatter =>
{logger_formatter,
#{legacy_header => true,single_line => false}}}}]},
{logger_level,notice},
{logger_sasl_compatible,false},
{shell_docs_ansi,auto},
{shutdown_func,{rabbit_prelaunch,shutdown_func}}]},
......
{rabbitmq_prelaunch,[]},
{rabbitmq_web_dispatch,[]},
{ranch,[]},
{recon,[]},
{sasl,[{errlog_type,error},{sasl_error_logger,false}]},
{ssl,[]},
{stdlib,[]},
{stdout_formatter,[]},
{syntax_tools,[]},
{sysmon_handler,
[{busy_dist_port,true},
{busy_port,false},
{gc_ms_limit,0},
{heap_word_limit,0},
{port_limit,100},
{process_limit,100},
{schedule_ms_limit,0}]},
{tools,[{file_util_search_methods,[{[],[]},{"ebin","esrc"},{"ebin","src"}]}]},
{xmerl,[]}]
[root@node01 ~]#
Generate a server status report covering all server state, and redirect the output to a file.
[root@node01 ~]# rabbitmqctl report > report.txt
[root@node01 ~]# cat report.txt |less
Reporting server status of node rabbit@node01 ...
Status of node rabbit@node01 ...
ESC[1mRuntimeESC[0m
OS PID: 61329
OS: Linux
Uptime (seconds): 21087
Is under maintenance?: false
RabbitMQ version: 3.8.14
Node name: rabbit@node01
Erlang configuration: Erlang/OTP 23 [erts-11.2] [source] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1] [hipe]
Erlang processes: 473 used, 1048576 limit
Scheduler run queue: 1
Cluster heartbeat timeout (net_ticktime): 60
ESC[1mPluginsESC[0m
Enabled plugin file: /etc/rabbitmq/enabled_plugins
Enabled plugins:
* rabbitmq_management
* amqp_client
* rabbitmq_web_dispatch
* cowboy
* cowlib
* rabbitmq_management_agent
ESC[1mData directoryESC[0m
Node data directory: /var/lib/rabbitmq/mnesia/rabbit@node01
Raft data directory: /var/lib/rabbitmq/mnesia/rabbit@node01/quorum/rabbit@node01
ESC[1mConfig filesESC[0m
ESC[1mLog file(s)ESC[0m
* /var/log/rabbitmq/rabbit@node01.log
* /var/log/rabbitmq/rabbit@node01_upgrade.log
ESC[1mAlarmsESC[0m
(none)
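7. HTTP API management
The RabbitMQ Management plugin provides not only a web management UI but also an HTTP API that is convenient to call.
To be covered in more depth later.
8. Summary
This post is organised around management, including multi-tenancy, permissions, users, application and cluster management, server status and so on. All of these can be managed and controlled with the rabbitmqctl family of tools; rabbitmqctl is also the most complex CLI management tool in RabbitMQ. I also learned to manage RabbitMQ with the rabbitmq_management plugin, and still need to gain a deeper understanding of how to call the HTTP API that rabbitmq_management provides.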