[Suggestion] Tag to indicate user can be controlled only via rabbitmqctl

[sunfinite]

RabbitMQ series

4.1.x

Operating system (distribution) used

Linux

How is RabbitMQ deployed?

RabbitMQ-as-a-Service from a public cloud provider

What would you like to suggest for a future version of RabbitMQ?

In managed environments, there's no way to mark that certain users are critical for the system (for eg. monitoring) and prevent these users from accidental modification or deletion via the management API.

Can we add a new tag such as api_updates_disabled or system (more generic) that implements this functionality?

% ./sbin/rabbitmqctl -n rmq1@localhost add_user monitoring_user pass
Adding user "monitoring_user" ...
Done. Don't forget to grant the user permissions to some virtual hosts! See 'rabbitmqctl help set_permissions' to learn more.
% ./sbin/rabbitmqctl -n rmq1@localhost set_user_tags monitoring_user monitoring api_updates_disabled
Setting tags for user "monitoring_user" to [monitoring, api_updates_disabled] ...

% # GET user works 
% curl http://localhost:15672/api/users/monitoring_user -u ${RABBIT_ADMIN_USER}:${RABBIT_ADMIN_PASSWORD}
{"name":"monitoring_user","password_hash":"+pTAYSjI2yNpkS/ZMbW49PvZStsJDpgqSIv+Jkp4KQw6DMnm","hashing_algorithm":"rabbit_password_hashing_sha256","tags":["monitoring","api_updates_disabled"],"limits":{}}%                                                                                            

% # PUT is blocked
% curl http://localhost:15672/api/users/monitoring_user -u ${RABBIT_ADMIN_USER}:${RABBIT_ADMIN_PASSWORD} -X PUT -d '{"tags": "administrator,monitoring"}'
{"error":"bad_request","reason":"User updates via API are disabled for this user"}%          

% # DELETE is blocked
% curl http://localhost:15672/api/users/monitoring_user -u ${RABBIT_ADMIN_USER}:${RABBIT_ADMIN_PASSWORD} -X DELETE
{"error":"bad_request","reason":"User deletion via API is disabled for this user"}%     

% ./sbin/rabbitmqctl -n rmq1@localhost delete_user monitoring_user
Deleting user "monitoring_user" ...

I can work on this change if there is agreement.

[michaelklishin]

The best I can offer is an alternative to deletion protection that virtual hosts have.

[sunfinite]

Deletion protection for vhosts seems to use the metadata field in the schema whereas there is no equivalent for the user record. We were trying to avoid a schema change since that involves migration. Are you suggesting using tags to implement the equivalent of deletion protection for users?

[michaelklishin]

For the HTTP API specifically, this sounds acceptable because tags are already used for authorization in the HTTP API specifically.

I'd use protected for tag name.