Review/fix RabbitMQ user permissions for source and subscriber users

[reidsunderland]

The RabbitMQ permissions set by sr3:

sarracenia/sarracenia/rabbitmq_admin.py

Lines 106 to 127 in 6839407

	# source
	if role in ['source']:
	c = "configure=^q_%s.*|^xs_%s.*" % (user, user)
	w = "write=^q_%s.*|^xs_%s.*" % (user, user)
	r = "read=^q_%s.*|^x[lrs]_%s.*|^x.*public$" % (user, user)
	logger.info("permission user '%s' role %s %s %s %s " %
	(user + '@' + url.hostname, 'source', c, w, r))
	declare = "declare permission vhost=/ user=%s %s %s %s" % (user, c, w, r)
	dummy = run_rabbitmqadmin(url, declare, simulate)
	return
	# subscribe
	if role in ['subscribe', 'subscriber']:
	c = "configure=^q_%s.*" % user
	w = "write=^q_%s.*|^xs_%s$" % (user, user)
	r = "read=^q_%s.*|^x[lrs]_%s.*|^x.*public$" % (user, user)
	logger.info("permission user '%s' role %s %s %s %s " %
	(user + '@' + url.hostname, 'source', c, w, r))
	declare = "declare permission vhost=/ user=%s %s %s %s" % (user, c, w, r)
	dummy = run_rabbitmqadmin(url, declare, simulate)

seem a little bit wrong, after discussing with @petersilva, @andreleblanc11 and @junhu3.

User	Configure	Write	Read
source	^q_USERNAME.*|^xs_USERNAME.*	^q_USERNAME.*|^xs_USERNAME.*	^q_USERNAME.*|^x[lrs]_USERNAME.*|^x.*public$
subscriber	^q_USERNAME.*	^q_USERNAME.*|^xs_USERNAME$	^q_USERNAME.*|^x[lrs]_USERNAME.*|^x.*public$

History: the l in x[lrs] was for log, which was renamed to report. We keep it for backwards compatibility.

I think the correct permissions should probably be:

User	Configure	Write	Read
source	^q_USERNAME.*|^x[lrs]_USERNAME.*	^q_USERNAME.*|^x[lrs]_USERNAME.*	^q_USERNAME.*|^x[lrs]_USERNAME.*|^x.*public$
subscriber	^q_USERNAME.*|^x[lr]_USERNAME$	^q_USERNAME.*|^x[lr]_USERNAME$	^q_USERNAME.*|^x[lrs]_USERNAME.*|^x.*public$

[petersilva]

• The 'l' in all the patterns are a long gone transition thing... if we are changing them the patterns should just be [rs]. ( in about 2017 we decided to rename the telemetry messages from "log" messages to "report" messages, and the xl_ and xr_ messages were meant to be publication channels for telemetry messages returned by consumers.

• If we are looking at this. I notice a weakness in all the patterns based on usernames that are substrings of other user names. If we have user A and user AB, then user A will be able to use any of user AB eschanges. I think the patterns should likely be changed to add a trailing underscore.... q_USERNAME_.* ... x[rs]USERNAME.* ... etc... This may involve some incompatibility with existing deplorements.

[petersilva]

I just re-read the relevant documentation with @mshak2 and this intent here looks correct... the corresponding documentaiton is wrong and needs to be updated also.

Role can be one of:

subscriber
A subscriber is a user that can only subscribe to data and report messages. Not permitted to inject data. Each subscriber gets an xs_ named exchange on the pump. If a user is named Acme, the corresponding exchange will be xs_Acme. This exchange is where an sr_subscribe process will send its report messages.

By convention/default, the anonymous user is created on all pumps to permit subscription without a specific account.

• https://metpx.github.io/sarracenia/Explanation/Concepts.html#users-and-roles

should likely be xr_ ... not xs... in agreement with @reidsunderland 's proposal.