Multi-tenancy with Virtual Hosts in RabbitMQ

2019-03-26  luoluocaihong

Overview from the official documentation: Virtual Hosts

RabbitMQ is a multi-tenant system: connections, exchanges, queues, bindings, user permissions, policies and some other things belong to virtual hosts, logical groups of entities.
In RabbitMQ, virtual hosts are created and deleted using rabbitmqctl or HTTP API instead.

Virtual hosts provide logical grouping and separation of resources. Separation of physical resources is not a goal of virtual hosts and should be considered an implementation detail.
For example, resource permissions in RabbitMQ are scoped per virtual host. A user doesn't have global permissions, only permissions in one or more virtual hosts. User tags can be considered global permissions but they are an exception to the rule.

Virtual host creation involves a blocking cluster-wide transaction. Each node has to perform a number of setup steps which are moderately expensive. In practice it can take up to a few seconds for a virtual host to be created.
Definition export and import is the recommended way of pre-configuring many virtual hosts at deployment time.

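Creating and using Virtual Hosts

There are two ways to create virtual hosts: the CLI tool or the HTTP API endpoint (adding one through the management UI).

The CLI approach is demonstrated here.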

  1. Create the virtual host.
root@CentOS7.3[/xxx/rabbitmq]#rabbitmqctl add_vhost /demo
Creating vhost "/demo" ...
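  2. Grant the user permissions; a user cannot access this virtual host until it has been granted permissions on it. The three patterns are regular expressions matched against resource names for configure, write and read operations, so '.*' for all three, as used below, gives the user full access to every resource in the virtual host.
    set_permissions [-p <vhost>] <user> <conf> <write> <read>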
root@CentOS7.3[/xxx/rabbitmq]#rabbitmqctl list_permissions -p /demo
Listing permissions in vhost "/demo" ...
root@CentOS7.3[/xxx/rabbitmq]#rabbitmqctl set_permissions -p /demo demoUser '.*' '.*' '.*'
Setting permissions for user "demoUser" in vhost "/demo" ...
root@CentOS7.3[/xxx/rabbitmq]#rabbitmqctl list_permissions -p /demo
Listing permissions in vhost "/demo" ...
demoUser        .*      .*      .*
  3. When a client connects to RabbitMQ over AMQP, it must specify the virtual host to connect to; if none is specified, the default virtual host / is used.
spring.rabbitmq.username=demoUser
spring.rabbitmq.password=demoUser
spring.rabbitmq.virtual-host=/demo

The client connects successfully and logs:

2019-03-26 13:39:14.691  INFO 14356 --- [nio-8081-exec-2] o.s.a.r.c.CachingConnectionFactory       : Created new connection: rabbitConnectionFactory#78461bc4:0/SimpleConnection@70e25c21 [delegate=amqp://demoUser@172.16.22.114:5672//demo, localPort= 51424]
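
The check below is an added example, not code from the original post or the RabbitMQ project: it reads `rabbitmqctl list_permissions -p <vhost>` output and reports grants such as the `'.*' '.*' '.*'` set in step 2, which cover every resource in the virtual host. The sample output is constructed, and the users orderSvc and reportSvc and the `demo.` name prefix are assumptions.

```shell
#!/bin/sh
# Added example: flag permission grants that cover every resource in a vhost.

# audit_vhost_permissions VHOST
# Reads `rabbitmqctl list_permissions -p VHOST` output on stdin
# (columns: user, configure, write, read) and prints one line per
# over-broad grant: "<vhost> <user> <operation> <pattern>".
audit_vhost_permissions() {
    awk -v vhost="$1" '
        # Patterns that match any resource name, i.e. the whole vhost.
        function broad(p) {
            return p == ".*" || p == "^.*$" || p == ".+" || p == "^.+$"
        }
        /^Listing permissions/ { next }   # informational header line
        {
            # Split on tabs when present so an empty pattern (no access)
            # keeps its column; otherwise split on runs of whitespace.
            n = index($0, "\t") ? split($0, f, "\t") : split($0, f, " ")
            if (n < 4) next
            if (broad(f[2])) print vhost, f[1], "configure", f[2]
            if (broad(f[3])) print vhost, f[1], "write", f[3]
            if (broad(f[4])) print vhost, f[1], "read", f[4]
        }'
}

# Constructed sample output for vhost /demo. demoUser is the grant from the
# page; orderSvc and reportSvc are hypothetical users added for contrast.
sample_demo_permissions() {
    printf '%s\n' 'Listing permissions in vhost "/demo" ...'
    printf '%s\t%s\t%s\t%s\n' demoUser  '.*' '.*'         '.*'
    printf '%s\t%s\t%s\t%s\n' orderSvc  '^$' '^orders\.'  '^orders\.'
    printf '%s\t%s\t%s\t%s\n' reportSvc ''   '^reports\.' '.*'
}

sample_demo_permissions | audit_vhost_permissions /demo

# A narrower grant for demoUser, assuming its resources share a "demo."
# name prefix (an assumption, not stated on the page):
#   rabbitmqctl set_permissions -p /demo demoUser '^$' '^demo\.' '^demo\.'
```

Running the same function against each vhost reported by `rabbitmqctl list_vhosts` gives a per-tenant list of users whose grants are not scoped to named resources.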

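Use cases for Virtual Hosts

Multi-tenant scenarios: for example, when host resources are scarce and development and testing share a single RabbitMQ, virtual hosts can be used to isolate development from testing.

The rabbitmqctl command reference follows: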

root@CentOS7.3[/xxx/rabbitmq]#   rabbitmqctl help
Usage:
rabbitmqctl [-n <node>] [-t <timeout>] [-q] <command> [<command options>] 

Options:
    -n node
    -q
    -t timeout

Default node is "rabbit@server", where server is the local host. On a host 
named "server.example.com", the node name of the RabbitMQ Erlang node will 
usually be rabbit@server (unless RABBITMQ_NODENAME has been set to some 
non-default value at broker startup time). The output of hostname -s is usually 
the correct suffix to use after the "@" sign. See rabbitmq-server(1) for 
details of configuring the RabbitMQ broker.

Quiet output mode is selected with the "-q" flag. Informational messages are 
suppressed when quiet mode is in effect.

Operation timeout in seconds. Only applicable to "list" commands. Default is 
"infinity".

Commands:
    stop [<pid_file>]
    stop_app
    start_app
    wait <pid_file>
    reset
    force_reset
    rotate_logs <suffix>

    join_cluster <clusternode> [--ram]
    cluster_status
    change_cluster_node_type disc | ram
    forget_cluster_node [--offline]
    rename_cluster_node oldnode1 newnode1 [oldnode2] [newnode2 ...]
    update_cluster_nodes clusternode
    force_boot
    sync_queue [-p <vhost>] queue
    cancel_sync_queue [-p <vhost>] queue
    purge_queue [-p <vhost>] queue
    set_cluster_name name

    add_user <username> <password>
    delete_user <username>
    change_password <username> <newpassword>
    clear_password <username>
    authenticate_user <username> <password>
    set_user_tags <username> <tag> ...
    list_users

    add_vhost <vhost>
    delete_vhost <vhost>
    list_vhosts [<vhostinfoitem> ...]
    set_permissions [-p <vhost>] <user> <conf> <write> <read>
    clear_permissions [-p <vhost>] <username>
    list_permissions [-p <vhost>]
    list_user_permissions <username>

    set_parameter [-p <vhost>] <component_name> <name> <value>
    clear_parameter [-p <vhost>] <component_name> <key>
    list_parameters [-p <vhost>]

    set_policy [-p <vhost>] [--priority <priority>] [--apply-to <apply-to>] 
<name> <pattern>  <definition>
    clear_policy [-p <vhost>] <name>
    list_policies [-p <vhost>]

    list_queues [-p <vhost>] [<queueinfoitem> ...]
    list_exchanges [-p <vhost>] [<exchangeinfoitem> ...]
    list_bindings [-p <vhost>] [<bindinginfoitem> ...]
    list_connections [<connectioninfoitem> ...]
    list_channels [<channelinfoitem> ...]
    list_consumers [-p <vhost>]
    status
    environment
    report
    eval <expr>

    close_connection <connectionpid> <explanation>
    trace_on [-p <vhost>]
    trace_off [-p <vhost>]
    set_vm_memory_high_watermark <fraction>
    set_vm_memory_high_watermark absolute <memory_limit>
    set_disk_free_limit <disk_limit>
    set_disk_free_limit mem_relative <fraction>

<vhostinfoitem> must be a member of the list [name, tracing].

The list_queues, list_exchanges and list_bindings commands accept an optional 
virtual host parameter for which to display results. The default value is "/".

<queueinfoitem> must be a member of the list [name, durable, auto_delete, 
arguments, policy, pid, owner_pid, exclusive, exclusive_consumer_pid, 
exclusive_consumer_tag, messages_ready, messages_unacknowledged, messages, 
messages_ready_ram, messages_unacknowledged_ram, messages_ram, 
messages_persistent, message_bytes, message_bytes_ready, 
message_bytes_unacknowledged, message_bytes_ram, message_bytes_persistent, 
head_message_timestamp, disk_reads, disk_writes, consumers, 
consumer_utilisation, memory, slave_pids, synchronised_slave_pids, state].

<exchangeinfoitem> must be a member of the list [name, type, durable, 
auto_delete, internal, arguments, policy].

<bindinginfoitem> must be a member of the list [source_name, source_kind, 
destination_name, destination_kind, routing_key, arguments].

<connectioninfoitem> must be a member of the list [pid, name, port, host, 
peer_port, peer_host, ssl, ssl_protocol, ssl_key_exchange, ssl_cipher, 
ssl_hash, peer_cert_subject, peer_cert_issuer, peer_cert_validity, state, 
channels, protocol, auth_mechanism, user, vhost, timeout, frame_max, 
channel_max, client_properties, recv_oct, recv_cnt, send_oct, send_cnt, 
send_pend, connected_at].

<channelinfoitem> must be a member of the list [pid, connection, name, number, 
user, vhost, transactional, confirm, consumer_count, messages_unacknowledged, 
messages_uncommitted, acks_uncommitted, messages_unconfirmed, prefetch_count, 
global_prefetch_count].