[rabbitmq-discuss] Multiple local-usernames for federation
Roman Gaufman
hackeron at gmail.com
Tue May 14 17:56:18 BST 2013
Oh you're right! - it broke because I removed the guest user, not because I
had a second username. I got confused as to what the username does, when I
changed it to anything other than what was used to connect (which was a
user on the system), it showed the user not found error.
Everything is working like I wanted with the commands below.
One question however, if I have a topic exchange and I bind a queue with a
routing key. Is the federation plugin able to determine and only federate
relevant messages? -- What I mean by that is if an exchange has no queues
that match a routing key, will the message still be federated?
---
On Cloud:
# Sanity
rabbitmqctl delete_user guest
rabbitmqctl add_user portal password
rabbitmqctl set_user_tags portal administrator
# New Vhost
rabbitmqctl add_vhost oracle
# Federation details
rabbitmqctl -p oracle set_permissions portal xanview.* xanview.* xanview.*
rabbitmqctl -p oracle set_parameter federation local-username '"portal"'
rabbitmqctl -p oracle set_parameter federation local-nodename '"portal"'
rabbitmqctl -p oracle set_policy federate-me "^xanview" \
'{"federation-upstream-set": "all"}'
# Local server 1
rabbitmqctl add_user welbeck-dvr1 password
rabbitmqctl -p oracle set_permissions welbeck-dvr1 xanview.* xanview.* xanview.*
rabbitmqctl -p oracle set_parameter federation-upstream welbeck-dvr1 \
'{"uri":"amqp://welbeck-dvr1:password@10.9.0.2/oracle"}'
# Local server 2
rabbitmqctl add_user test-dvr2 password
rabbitmqctl -p oracle set_permissions test-dvr2 xanview.* xanview.* xanview.*
rabbitmqctl -p oracle set_parameter federation-upstream test-dvr2 \
'{"uri":"amqp://test-dvr2:password@10.9.0.3/oracle"}'
On XanBox 1:
# New Vhost
rabbitmqctl delete_user guest # sanity
rabbitmqctl add_vhost oracle
# Federation details
rabbitmqctl -p oracle set_parameter federation local-username '"welbeck-dvr1"'
rabbitmqctl -p oracle set_parameter federation local-nodename '"welbeck-dvr1"'
rabbitmqctl -p oracle set_policy federate-me "^xanview" \
'{"federation-upstream-set": "all"}'
# User & upstream
rabbitmqctl add_user welbeck-dvr1 password
rabbitmqctl -p oracle set_permissions welbeck-dvr1 xanview.* xanview.* xanview.*
rabbitmqctl -p oracle set_parameter federation-upstream Portal \
'{"uri":"amqp://welbeck-dvr1:password@10.9.0.1/oracle"}'
On XanBox 2:
# New Vhost
rabbitmqctl delete_user guest # Sanity
rabbitmqctl add_vhost oracle
# Federation details
rabbitmqctl -p oracle set_parameter federation local-username '"test-dvr2"'
rabbitmqctl -p oracle set_parameter federation local-nodename '"test-dvr2"'
rabbitmqctl -p oracle set_policy federate-me "^xanview" \
'{"federation-upstream-set": "all"}'
# User & upstream
rabbitmqctl add_user test-dvr2 password
rabbitmqctl -p oracle set_permissions test-dvr2 xanview.* xanview.* xanview.*
rabbitmqctl -p oracle set_parameter federation-upstream Portal \
'{"uri":"amqp://test-dvr2:password@10.9.0.1/oracle"}'
On 14 May 2013 14:46, Simon MacMullen <simon at rabbitmq.com> wrote:
> On 14/05/13 14:24, Roman Gaufman wrote:
>
>> Yes but I want it bidirectional, I tried to simplify the example, but I
>> guess that wasn't helpful.
>>
>
> Ah, got it.
>
> <snip>
>
>> They each have a RabbitMQ instance, on each one I do:
>>
>> 1. Create vhost: oracle
>> 2. Create new users: moscow:password, london:password, cloud:password
>> 3. Set permissions for all users for the oracle vhost: .* .* .*
>> 4. Set local username and nodename
>> 1. Cloud: rabbitmqctl -p oracle set_parameter federation
>> local-username '"Cloud"'
>> 2. London: rabbitmqctl -p oracle set_parameter federation
>> local-nodename '"London"'
>> 3. Moscow: rabbitmqctl -p oracle set_parameter federation
>> local-nodename '"Moscow"'
>>
>
> So here you are setting the local-username to "Cloud", but local-nodename
> to "London" / "Moscow". Is that another simplification? Is that happening
> on the same machine?
>
> <snip> the rest of the configuration looks reasonable.
>
>
>> Now the problem comes when I set a federation upstream on the "Local"
>> servers (London and Moscow), I want to have a different
>> username/password on each. But it seems the "Cloud" upstream must always
>> have the same username/password? - Unless I am misunderstanding something?
>>
>
> I'm afraid it's still not tremendously clear what you are asking here. If
> you want "London" to connect to "Cloud" using one username and "Moscow" to
> connect to "Cloud" with another, then you can do that - just set the
> usernames / passwords in the URLs differently.
>
>> Yes, I did all that, but I want to federate in both directions. If I do
>> the above, all messages I write to the Local servers (London, Moscow) I
>> can consume on the Cloud server, however if I write from the Cloud
>> server, I cannot consume the messages on the Local servers.
>>
>> To do that, I need to add federation upstreams on the local servers:
>>
>> rabbitmqctl set_parameter federation-upstream Cloud
>> '{"uri":"amqp://london:password@10.9.0.1/oracle"}'
>>
>> rabbitmqctl set_parameter federation-upstream Cloud
>> '{"uri":"amqp://moscow:password@10.9.0.1/oracle"}'
>>
>>
>> But I cannot do that because RabbitMQ only accepts a single
>> local-username :( - Am I missing something?
>>
>
> Ah - I think I understand what you are missing. Do you think
> local-username must correspond to the username set in another server's
> upstream URL? That's not the case.
>
> The remote username(s) (i.e. the ones in the upstream URLs) need to be
> valid users in the upstream host. I think you have that right.
>
> The local-username just needs to exist locally and be able to publish
> messages; it's used to republish messages that have been received from a
> remote host. *It does not need to correspond to anything else*.
>
> The fact that you are seeing {error,user_does_not_exist} on a certain host
> means that you have set the local-username to the name of a user that does
> not exist on that host. Or that you have not set it, it's defaulting to
> "guest", and "guest" does not exist.
>
> Does this make sense?
>
>
> Cheers, Simon
> --
> Simon MacMullen
> RabbitMQ, Pivotal
>
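The two rules from the quoted reply (local-username must exist on the local broker; the user in an upstream URI must exist on the upstream broker), checked offline against a model of the three brokers configured above. This is an added example, not part of the original message or of RabbitMQ; the `check_federation` function, the dictionary layout and the `london` user in the broken variant are assumptions made for illustration.

```python
import copy
from urllib.parse import urlsplit

DEFAULT_LOCAL_USER = "guest"  # fallback when local-username is unset, per the reply above

def check_federation(brokers):
    """Return (broker, problem) tuples for a modelled federation topology."""
    by_addr = {b["addr"]: name for name, b in brokers.items()}
    findings = []
    for name, b in brokers.items():
        # Rule 1: local-username only has to exist on this broker.
        local = b.get("local_username") or DEFAULT_LOCAL_USER
        if local not in b["users"]:
            findings.append((name, f"local-username '{local}' does not exist locally"))
        # Rule 2: the user in each upstream URI must exist on the upstream broker.
        for up_name, uri in b.get("upstreams", {}).items():
            parts = urlsplit(uri)
            target = by_addr.get(parts.hostname)
            if target is None:
                findings.append((name, f"upstream '{up_name}': unknown host {parts.hostname}"))
            elif parts.username not in brokers[target]["users"]:
                findings.append((name, f"upstream '{up_name}': user '{parts.username}' missing on {target}"))
    return findings

# Constructed model of the three brokers configured in the message above.
WORKING = {
    "cloud": {"addr": "10.9.0.1", "users": {"portal", "welbeck-dvr1", "test-dvr2"},
              "local_username": "portal",
              "upstreams": {"welbeck-dvr1": "amqp://welbeck-dvr1:password@10.9.0.2/oracle",
                            "test-dvr2": "amqp://test-dvr2:password@10.9.0.3/oracle"}},
    "xanbox1": {"addr": "10.9.0.2", "users": {"welbeck-dvr1"},
                "local_username": "welbeck-dvr1",
                "upstreams": {"Portal": "amqp://welbeck-dvr1:password@10.9.0.1/oracle"}},
    "xanbox2": {"addr": "10.9.0.3", "users": {"test-dvr2"},
                "local_username": "test-dvr2",
                "upstreams": {"Portal": "amqp://test-dvr2:password@10.9.0.1/oracle"}},
}

def broken_variant():
    """guest deleted and local-username never set: the case that raised the error."""
    brokers = copy.deepcopy(WORKING)
    brokers["xanbox1"]["local_username"] = None
    # A second mistake: the upstream URI names a user never added on the cloud broker.
    brokers["xanbox2"]["upstreams"]["Portal"] = "amqp://london:password@10.9.0.1/oracle"
    return brokers

if __name__ == "__main__":
    for broker, problem in check_federation(broken_variant()):
        print(f"{broker}: {problem}")
```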