rabbitmqctl-users

List all users

$ rabbitmqctl list_users

$ rabbitmqctl add_user [username] [password]

$ rabbitmqctl delete_user [username]

$ rabbitmqctl change_password [username] [new_password]

$ rabbitmqctl set_permissions [[-p|--vhost]] [vhost] [username] [read] [write] [configure]

$ rabbitmqctl clear_permissions [[-p|--vhost]] [vhost] [username]

$ rabbitmqctl set_user_tags [username] [tag1] [[tag2]]

rabbitmqctl <subcommand> [<options>]

Examples of user-related subcommands:
rabbitmqctl list_users [--formatter <format>] [-n <node>]
rabbitmqctl add_user <username> <password>
rabbitmqctl delete_user <username>
rabbitmqctl change_password <username> <new_password>
rabbitmqctl set_user_tags <username> <tag1> [<tag2> ...]
rabbitmqctl clear_user_tags <username>

<username>
    The name of the user account for the operation.

<password>
    The password for a new user account.

<new_password>
    The new password to set for an existing user.

<tag>
    A specific tag to assign to or clear from a user (e.g., administrator, monitoring, management, policymaker).

-n <node>
--node <node>
    Specifies the target RabbitMQ node (e.g., rabbit@localhost) if not the default.

--formatter <format>
    Used with list_users to specify the output format (e.g., text, json, json_pretty, raw).

-q
--quiet
    Suppresses informational messages, showing only errors.

-s
--silent
    Even quieter than --quiet, prints only errors.

The rabbitmqctl-users analysis refers to the suite of commands within the rabbitmqctl utility dedicated to managing user accounts in a RabbitMQ broker. This includes operations like creating new users with add_user, deleting existing ones with delete_user, changing user passwords using change_password, assigning or clearing user tags with set_user_tags and clear_user_tags, and importantly, listing all configured users and their associated tags using list_users. User tags (such as administrator, monitoring, management, or policymaker) control access to the RabbitMQ management plugin and dictate specific permissions within the broker. These commands are fundamental for security administration, ensuring proper access control, auditing user permissions, and maintaining the integrity of the RabbitMQ environment. Execution typically requires administrative privileges on the server where the RabbitMQ node is running. The rabbitmqctl utility interacts directly with the running Erlang VM to perform these user management operations.

Using add_user or change_password directly on the command line means the password might be visible in process lists (e.g., via ps aux) on the system. For enhanced security, consider using methods that allow reading passwords from standard input where available, or leveraging configuration management tools for sensitive operations. All user management operations require appropriate administrative privileges on the host system where rabbitmqctl is executed.

User tags are special attributes assigned to RabbitMQ users that define their capabilities and roles within the broker and its management interface. The most common tags include:
administrator: Grants full access to all virtual hosts and the management UI.
monitoring: Allows read-only access to monitoring data in the management UI.
management: Provides full access to the management UI for resources within assigned virtual hosts.
policymaker: Enables creation and management of policies and runtime parameters.
Users without any tags cannot access the RabbitMQ management UI.

RabbitMQ does not store user passwords in plain text. When a password is provided via add_user or change_password, it is automatically hashed using a strong, salted hashing algorithm before being stored. This enhances security by preventing direct exposure of passwords even if the database is compromised.

The rabbitmqctl command-line utility has been the cornerstone of RabbitMQ administration since its inception. User management capabilities, including adding, deleting, listing, and modifying users, have been integral features from early versions. The introduction of user tags provided more granular control over access to the management UI and API, reflecting the evolving needs for security and role-based access control within the RabbitMQ ecosystem. The commands for user management have largely maintained consistent syntax, highlighting the stability and maturity of this administrative interface.

rabbitmqctl(8), rabbitmqctl set_permissions(8), rabbitmqctl add_vhost(8)