#!/bin/bash
# Copyright 2015 ISRG. All rights reserved
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This file creates individual AMQP accounts for each Boulder component,
# and sets restrictive access controls on those accounts.
#
# You can use this tool without any configuration to produce users named
# [am, ca, sa, ra, va, wfe, ocsp-updater] which all have the password "guest".
# You can also customize this tool by creating a config file that will be
# sourced. By default this file is obtained from $HOME/.rabbitmq_config, but
# you can override the config file path using the environment variable
# RABBITMQ_ACL_CONFIG, such as:
#
# $ RABBITMQ_ACL_CONFIG=myconfig ./rabbitmq_acl_configure.sh
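# VARIABLES
# Management API endpoint rabbitmqadmin talks to, and the vhost the
# queues, exchange and permissions below are created in.
PORT=15672
HOST=localhost
VHOST="/"
# Extra arguments appended verbatim to every rabbitmqadmin call (for example
# management-API login flags). Word-split on purpose in admin(), so several
# flags may be supplied in one string.
EXTRA=""
# Path to the rabbitmqadmin binary; an already-exported RABBIT_ADMIN wins,
# otherwise it is looked up on PATH. The config file may override it too.
RABBIT_ADMIN=${RABBIT_ADMIN:-$(command -v rabbitmqadmin)}
# USER NAMES
USER_BOULDER_AM="am"
USER_BOULDER_CA="ca"
USER_BOULDER_SA="sa"
USER_BOULDER_RA="ra"
USER_BOULDER_VA="va"
USER_BOULDER_WFE="wfe"
USER_BOULDER_OCSP="ocsp-updater"
USER_BOULDER_PUBLISHER="publisher"
# PASSWORDS
# These defaults exist only so the script works out of the box against a
# local development broker; every PASS_* should be overridden in the config
# file for any broker that is reachable by anyone else.
PASS_BOULDER_AM="guest"
PASS_BOULDER_CA="guest"
PASS_BOULDER_SA="guest"
PASS_BOULDER_RA="guest"
PASS_BOULDER_VA="guest"
PASS_BOULDER_WFE="guest"
PASS_BOULDER_OCSP="guest"
PASS_BOULDER_PUBLISHER="guest"
# To use different options, you should create an override
# file with whatever changes you want for the above variables.
# The override file is sourced, i.e. executed as shell code with this user's
# privileges, so it must live somewhere only this user can write.
RABBITMQ_ACL_CONFIG=${RABBITMQ_ACL_CONFIG:-$HOME/.rabbitmq_config}
if [ -r "${RABBITMQ_ACL_CONFIG}" ] ; then
  echo "Loading overrides from ${RABBITMQ_ACL_CONFIG}..."
  # shellcheck disable=SC1090 -- path is chosen by the user at runtime
  source "${RABBITMQ_ACL_CONFIG}"
fi
if ! [ -x "${RABBIT_ADMIN}" ] ; then
  # Diagnostics go to stderr so they are not mixed into the command log.
  echo "Could not locate rabbitmqadmin; please set RABBIT_ADMIN in your ${RABBITMQ_ACL_CONFIG} file." >&2
  exit 1
fi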
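#######################################
# Print a command line, then execute it.
# Arguments: the command and its arguments, one word each
# Outputs:   the command line to stdout, with the value of any
#            password=... argument masked so credentials do not end up in
#            terminal scrollback or captured script output
# Returns:   the exit status of the executed command
#######################################
run() {
  local arg
  local shown=()
  for arg in "$@"; do
    case "$arg" in
      password=*) shown+=("password=<redacted>") ;;
      *) shown+=("$arg") ;;
    esac
  done
  printf '%s\n' "${shown[*]}"
  # "$@" keeps each argument intact (no word-splitting or globbing).
  "$@"
}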
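#######################################
# Invoke rabbitmqadmin against the configured broker.
# Globals:   RABBIT_ADMIN, HOST, PORT, VHOST, EXTRA (read)
# Arguments: rabbitmqadmin subcommand and its arguments
# Outputs:   whatever run() prints
# Returns:   exit status of rabbitmqadmin
#######################################
admin() {
  # EXTRA is deliberately unquoted so a config file can pass several flags
  # in one string; everything else is quoted so a vhost or path with spaces
  # is passed as a single argument.
  # shellcheck disable=SC2086
  run "${RABBIT_ADMIN}" -H "${HOST}" -P "${PORT}" -V "${VHOST}" ${EXTRA} "$@"
}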
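# Queues, one per server-side component, plus the topic exchange they all
# publish to. Nothing here is durable, so a broker restart drops it all.
admin declare queue name="Monitor" durable=false
admin declare queue name="CA.server" durable=false
admin declare queue name="SA.server" durable=false
admin declare queue name="RA.server" durable=false
admin declare queue name="VA.server" durable=false
admin declare queue name="Publisher.server" durable=false
admin declare exchange name="boulder" type=topic durable=false
# Bind the wildcard topic (#) to Monitor, asking the server to copy all messages
# and place them in the Monitor queue.
admin declare binding source="boulder" destination="Monitor" routing_key="#"
# One account per component. tags="" gives the account no management tags.
# The password travels on rabbitmqadmin's command line, where it is visible
# to anything that can read this process's arguments, and run() echoes the
# command line as well.
admin declare user name="${USER_BOULDER_AM}" password="${PASS_BOULDER_AM}" tags=""
admin declare user name="${USER_BOULDER_CA}" password="${PASS_BOULDER_CA}" tags=""
admin declare user name="${USER_BOULDER_SA}" password="${PASS_BOULDER_SA}" tags=""
admin declare user name="${USER_BOULDER_RA}" password="${PASS_BOULDER_RA}" tags=""
admin declare user name="${USER_BOULDER_VA}" password="${PASS_BOULDER_VA}" tags=""
admin declare user name="${USER_BOULDER_WFE}" password="${PASS_BOULDER_WFE}" tags=""
admin declare user name="${USER_BOULDER_OCSP}" password="${PASS_BOULDER_OCSP}" tags=""
admin declare user name="${USER_BOULDER_PUBLISHER}" password="${PASS_BOULDER_PUBLISHER}" tags=""
##################################################
## Permissions RegExes ##
##################################################
## Mystified? These are applied by the server ##
## to various operations on queue names per ##
## the decoder matrix here: ##
## https://www.rabbitmq.com/access-control.html ##
##################################################
# Each account gets exactly the configure/write/read patterns it needs;
# "^$" matches nothing, so a component with that pattern cannot do that
# operation at all. Patterns are anchored so a component cannot reach a
# sibling's queue by sharing a prefix.
# AM is read-only, and uses a predeclared Queue.
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_AM}" \
  configure="^$" \
  write="^$" \
  read="^Monitor$"
# VA uses VA.server, as well as dynamic queues named VA->RA.{hostname}.
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_VA}" \
  configure="^(VA\.server|VA->RA.*)$" \
  write="^(boulder|VA\.server|VA->RA.*)$" \
  read="^(boulder|VA\.server|VA->RA.*)$"
# RA uses RA.server, and RA->CA, RA->SA, RA->VA
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_RA}" \
  configure="^(RA\.server|RA->(CA|SA|VA).*)$" \
  write="^(boulder|RA\.server|RA->(CA|SA|VA).*)$" \
  read="^(boulder|RA\.server|RA->(CA|SA|VA).*)$"
# CA uses CA.server, and CA->SA; it may additionally read CA->Publisher.
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_CA}" \
  configure="^(CA\.server|CA->SA.*)$" \
  write="^(boulder|CA\.server|CA->SA.*)$" \
  read="^(boulder|CA\.server|CA->(SA|Publisher).*)$"
# SA uses only SA.server
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_SA}" \
  configure="^SA\.server$" \
  write="^(boulder|SA\.server)$" \
  read="^(boulder|SA\.server)$"
# WFE uses WFE->RA and WFE->SA
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_WFE}" \
  configure="^(WFE->(RA|SA).*)$" \
  write="^(boulder|WFE->(RA|SA).*)$" \
  read="^(boulder|WFE->(RA|SA).*)$"
# OCSP uses only OCSP->CA
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_OCSP}" \
  configure="^(OCSP->CA.*)$" \
  write="^(boulder|OCSP->CA.*)$" \
  read="^(boulder|OCSP->CA.*)$"
# Publisher uses Publisher.server and Publisher->SA
admin declare permission vhost="${VHOST}" user="${USER_BOULDER_PUBLISHER}" \
  configure="^Publisher\.server$" \
  write="^(boulder|Publisher\.server)$" \
  read="^(boulder|Publisher\.server|Publisher->SA.*)$"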