
I am new to chef and want to use the rabbitmq user_management recipe without the default behavior of adding a rabbitmq guest account.

I am using chef-server 11.1.3 and rabbitmq cookbook version 3.3.0 (https://supermarket.getchef.com/cookbooks/rabbitmq) to install and configure rabbitmq 3.3.5 on ubuntu 14.04.

I defined a chef role where I use the user_management recipe and disabled_users to remove the guest account but with each chef-client run the guest account is first added to rabbitmq and then removed again (as you can see from the "- execute" lines in the client.log output below). What am I doing wrong?

/var/log/chef/client.log output

Recipe: rabbitmq::user_management
  * rabbitmq_user[guest] action addRecipe: <Dynamically Defined Resource>
  * execute[rabbitmqctl add_user guest] action run
    - execute rabbitmqctl add_user guest 'guest'

Recipe: rabbitmq::user_management
  * rabbitmq_user[guest] action set_tags (up to date)
  * rabbitmq_user[guest] action set_permissionsRecipe: <Dynamically Defined Resource>
  * execute[rabbitmqctl set_permissions  guest ".*" ".*" ".*"] action run
    - execute rabbitmqctl set_permissions  guest ".*" ".*" ".*"

Recipe: rabbitmq::user_management
  * rabbitmq_user[user1] action add (up to date)
  * rabbitmq_user[user1] action set_tags (up to date)
  * rabbitmq_user[user1] action set_permissionsRecipe: <Dynamically Defined Resource>
  * execute[rabbitmqctl set_permissions -p / user1 ".*" ".*" ".*"] action run
    - execute rabbitmqctl set_permissions -p / user1 ".*" ".*" ".*"

Recipe: rabbitmq::user_management
  * rabbitmq_user[guest] action deleteRecipe: <Dynamically Defined Resource>
  * execute[rabbitmqctl delete_user guest] action run
    - execute rabbitmqctl delete_user guest

My Chef Role

{
  "name": "server-rabbitmq-test",
  "description": "testing",
  "json_class": "Chef::Role",
  "default_attributes": {
    "rabbitmq": {
      "version": "3.3.5",
      "use_distro_version": "true",
      "port": "5672",
      "virtualhosts": [
        "/vhost1"
      ],
      "disabled_users": [
        "guest"
      ],
      "enabled_users": [
        {
          "name": "user1",
          "password": "user1",
          "tag": "user tag",
          "rights": [
            {
              "vhost": "/vhost1",
              "conf": ".*",
              "write": ".*",
              "read": ".*"
            }
          ]
        }
      ]
    }
  },
  "override_attributes": {
  },
  "chef_type": "role",
  "run_list": [
    "recipe[rabbitmq]",
    "recipe[rabbitmq::mgmt_console]",
    "recipe[rabbitmq::policy_management]",
    "recipe[rabbitmq::user_management]",
    "recipe[rabbitmq::virtualhost_management]",
    "recipe[rabbitmq::plugin_management]"
  ],
  "env_run_lists": {
  }
}

Modify rabbitmq cookbook????

I can stop the behavior by changing the rabbitmq/attributes/default.rb file from this:

# users
default['rabbitmq']['enabled_users'] =
  [{ :name => 'guest', :password => 'guest', :rights =>
    [{ :vhost => nil , :conf => '.*', :write => '.*', :read => '.*' }]
  }]

To this:

# users
    default['rabbitmq']['enabled_users'] = []

But there has to be a better way to do it, no?

Thanks!!

Peter M
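
The add-then-delete churn in the client.log above means the guest account, created with the password 'guest' and ".*" permissions, exists for part of every chef-client run. As an added example (not part of the original post or the rabbitmq cookbook), this Ruby script scans a log for accounts that are created and removed in the same run; the sample log is constructed from the lines quoted in the question, and the names `SAMPLE_LOG`, `EXECUTED` and `transient_users` are assumptions.

```ruby
# Added example: find accounts that one chef-client run both creates and deletes.
# SAMPLE_LOG is constructed from the "- execute" lines quoted in the question.
SAMPLE_LOG = <<~LOG
  Recipe: rabbitmq::user_management
    * execute[rabbitmqctl add_user guest] action run
      - execute rabbitmqctl add_user guest 'guest'
    * execute[rabbitmqctl set_permissions  guest ".*" ".*" ".*"] action run
      - execute rabbitmqctl set_permissions  guest ".*" ".*" ".*"
    * execute[rabbitmqctl set_permissions -p / user1 ".*" ".*" ".*"] action run
      - execute rabbitmqctl set_permissions -p / user1 ".*" ".*" ".*"
    * execute[rabbitmqctl delete_user guest] action run
      - execute rabbitmqctl delete_user guest
LOG

# Matches only "- execute rabbitmqctl ..." lines, i.e. commands that actually ran.
EXECUTED = /^\s*-\s+execute\s+rabbitmqctl\s+(add_user|set_permissions|delete_user)\s+(.*)$/

# Returns one hash per user that was added and later deleted in the same log,
# together with the permission grants applied while the account existed.
def transient_users(log_text)
  open_accounts = {} # user => grants seen since its add_user
  findings = []
  log_text.each_line do |line|
    m = EXECUTED.match(line) or next
    action = m[1]
    args = m[2].split
    case action
    when 'add_user'
      open_accounts[args.first] = []
    when 'set_permissions'
      args = args.drop(2) if args.first == '-p' # skip "-p <vhost>"
      user = args.first
      open_accounts[user] << args.drop(1).join(' ') if open_accounts.key?(user)
    when 'delete_user'
      grants = open_accounts.delete(args.first)
      findings << { user: args.first, grants: grants } if grants
    end
  end
  findings
end

transient_users(SAMPLE_LOG).each do |f|
  puts "#{f[:user]}: created and deleted in one run; grants while present: #{f[:grants].inspect}"
end
```

An empty result on a log taken after the attribute override is in place confirms that the run no longer creates the account at all.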

3 Answers


You need to override the [:rabbitmq][:enabled_users] attribute somewhere. Editing the original cookbook is not the best place to do that as some day that cookbook will be updated and you will need to remember to do it again.

As you are dealing with a default attribute that is set in a cookbook attribute file it can be overridden pretty much anywhere in Chef.

Wrapper cookbook

Probably the most portable way is to create your own domain specific RabbitMQ wrapper cookbook and do all your customisation work through that. Basically it's a thin shim that passes most of the work straight down onto the original RabbitMQ cookbook except where you want to change things.

In this case you can set default[:rabbitmq][:enabled_users] = [] in your wrapper cookbook's attributes.rb, and as it is loaded first it will be the default default.

Role, Environment, Node overrides

You can also set overrides for attributes on the Chef server at the Node (singular), Environment (group) or Role (global) level. If you feel the attribute override will be used in one of these groupings then it might be better done there.

Beware that you lose the versioning (and most likely change tracking) that you get with doing this type of thing in cookbooks.

Matt
  • Thank you very much, the override worked! In this case I am implementing it with a role, although I plan to test with your suggestion for a wrapper cookbook as well. I added the following to my role definition and now it does not attempt to create the guest account at all: "override_attributes": { "rabbitmq": { "enabled_users": [] } ... – Peter M Sep 16 '14 at 21:50

Yes, almost. You can also explicitly disable users using

node[:rabbitmq][:disabled_users] = ["guest"]

to make sure that it doesn't exist from earlier runs (I use it here).

StephenKing
  • Thanks for the reply. However, the issue is that I already have that in my json role definition above, but if you look at the log entry what you see is that every time the chef client runs it is first adding the guest account to the system and then removing it again. (- execute rabbitmqctl add_user guest 'guest', - execute rabbitmqctl set_permissions guest ".*" ".*" ".*", - execute rabbitmqctl delete_user guest). – Peter M Sep 05 '14 at 11:16

Thanks again to @mtm. For the record, here is the complete role that fixes the issue with the override_attributes section added:

 {
   "name": "server-rabbitmq-test",
   "description": "testing",
   "json_class": "Chef::Role",
   "default_attributes": {
     "rabbitmq": {
       "version": "3.3.5",
       "use_distro_version": "true",
       "port": "5672",
       "virtualhosts": [
         "/vhost1"
       ],
       "disabled_users": [
         "guest"
       ],
       "enabled_users": [
         {
           "name": "user1",
           "password": "user1",
           "tag": "user tag",
           "rights": [
             {
               "vhost": "/vhost1",
               "conf": ".*",
               "write": ".*",
               "read": ".*"
             }
           ]
         }
       ]
     }
   },
   "override_attributes": {
     "rabbitmq": {
       "enabled_users": []
     }
   },
   "chef_type": "role",
   "run_list": [
     "recipe[rabbitmq]",
     "recipe[rabbitmq::mgmt_console]",
     "recipe[rabbitmq::policy_management]",
     "recipe[rabbitmq::user_management]",
     "recipe[rabbitmq::virtualhost_management]",
     "recipe[rabbitmq::plugin_management]"
   ],
   "env_run_lists": {
   }
 }
Peter M