[Questions] Rabbitmq and keycloak UI user specific queue\host premission #14200

batchen-gsr · 2025-07-07T13:10:47Z

batchen-gsr
Jul 7, 2025

Community Support Policy

I have read RabbitMQ's Community Support Policy
I run RabbitMQ 4.x, the only series currently covered by community support
I promise to provide all relevant information (versions, logs from all nodes, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

4.1.0

Erlang version used

27.3.x

Operating system (distribution) used

docker rabbitmq:4.1.0-management

How is RabbitMQ deployed?

Community Docker image

rabbitmq-diagnostics status output

See https://www.rabbitmq.com/docs/cli to learn how to use rabbitmq-diagnostics

Status of node rabbit@rabbitmq ...
[]
Runtime

OS PID: 20
OS: Linux
Uptime (seconds): 3456
Is under maintenance?: false
RabbitMQ version: 4.1.0
RabbitMQ release series support status: see https://www.rabbitmq.com/release-information
Node name: rabbit@rabbitmq
Erlang configuration: Erlang/OTP 27 [erts-15.2.7] [source] [64-bit] [smp:10:10] [ds:10:10:10] [async-threads:1] [jit]
Crypto library: OpenSSL 3.3.3 11 Feb 2025
Erlang processes: 518 used, 1048576 limit
Scheduler run queue: 1
Cluster heartbeat timeout (net_ticktime): 60

Plugins

Enabled plugin file: /etc/rabbitmq/enabled_plugins
Enabled plugins:

 * rabbitmq_auth_mechanism_ssl
 * rabbitmq_auth_backend_oauth2
 * base64url
 * rabbitmq_stream_management
 * rabbitmq_stream
 * rabbitmq_stream_common
 * rabbitmq_amqp1_0
 * rabbitmq_web_mqtt
 * rabbitmq_mqtt
 * rabbitmq_management
 * rabbitmq_management_agent
 * rabbitmq_web_dispatch
 * amqp_client
 * cowboy
 * oauth2_client
 * jose

Data directory

Node data directory: /var/lib/rabbitmq/mnesia/rabbit@rabbitmq
Raft data directory: /var/lib/rabbitmq/mnesia/rabbit@rabbitmq/quorum/rabbit@rabbitmq

Config files

 * /etc/rabbitmq/rabbitmq.conf

Log file(s)

 * <stdout>

Alarms

(none)

Tags

(none)

Memory

Total memory used: 0.1385 gb
Calculation strategy: rss
Memory high watermark setting: 0.6 of available memory, computed to: 4.9308 gb

reserved_unallocated: 0.0617 gb (44.52 %)
code: 0.0232 gb (16.75 %)
other_system: 0.0221 gb (15.97 %)
other_proc: 0.0176 gb (12.68 %)
allocated_unused: 0.0065 gb (4.69 %)
other_ets: 0.0018 gb (1.28 %)
plugins: 0.0017 gb (1.19 %)
metrics: 0.0014 gb (1.03 %)
atom: 0.0012 gb (0.88 %)
msg_index: 0.0005 gb (0.37 %)
mgmt_db: 0.0003 gb (0.19 %)
binary: 0.0003 gb (0.18 %)
quorum_queue_procs: 0.0002 gb (0.14 %)
mnesia: 0.0001 gb (0.06 %)
quorum_ets: 0.0 gb (0.04 %)
metadata_store: 0.0 gb (0.03 %)
metadata_store_ets: 0.0 gb (0.0 %)
connection_other: 0.0 gb (0.0 %)
quorum_queue_dlx_procs: 0.0 gb (0.0 %)
stream_queue_procs: 0.0 gb (0.0 %)
stream_queue_replica_reader_procs: 0.0 gb (0.0 %)
connection_readers: 0.0 gb (0.0 %)
connection_writers: 0.0 gb (0.0 %)
connection_channels: 0.0 gb (0.0 %)
queue_procs: 0.0 gb (0.0 %)
stream_queue_coordinator_procs: 0.0 gb (0.0 %)

File Descriptors

Total: 0, limit: 1048479

Free Disk Space

Low free disk space watermark: 0.05 gb
Free disk space: 856.7219 gb

Totals

Connection count: 0
Queue count: 3
Virtual host count: 2

Listeners

Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
Interface: [::], port: 1883, protocol: mqtt, purpose: MQTT
Interface: [::], port: 15675, protocol: http/web-mqtt, purpose: MQTT over WebSocket
Interface: [::], port: 5551, protocol: stream/ssl, purpose: stream/ssl
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS```
</details>


### Logs from node 1 (with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs
<details>

rabbitmq-1 | 2025-07-07 13:01:50.470707+00:00 [debug] <0.14784.0> Using root oauth_provider "{id: "", issuer: "https://nginx/realms/test\", discovery_endpoint: "https://nginx/realms/test/.well-known/openid-configuration\", token_endpoint: <<"https://nginx/realms/test/protocol/openid-connect/token\">>, authorization_endpoint: <<"https://nginx/realms/test/protocol/openid-connect/auth\">>, end_session_endpoint: <<"https://nginx/realms/test/protocol/openid-connect/logout\">>, jwks_uri: <<"https://nginx/realms/test/protocol/openid-connect/certs\">>, ssl_options: "{verify: verify_none, fail_if_no_peer_cert: undefined, crl_check: undefined, depth: undefined, cacertfile: undefined, cacerts(count): 0 }" }"
rabbitmq-1 | 2025-07-07 13:01:50.534890+00:00 [debug] <0.14880.0> Using root oauth_provider "{id: "", issuer: "https://nginx/realms/test\", discovery_endpoint: "https://nginx/realms/test/.well-known/openid-configuration\", token_endpoint: <<"https://nginx/realms/test/protocol/openid-connect/token\">>, authorization_endpoint: <<"https://nginx/realms/test/protocol/openid-connect/auth\">>, end_session_endpoint: <<"https://nginx/realms/test/protocol/openid-connect/logout\">>, jwks_uri: <<"https://nginx/realms/test/protocol/openid-connect/certs\">>, ssl_options: "{verify: verify_none, fail_if_no_peer_cert: undefined, crl_check: undefined, depth: undefined, cacertfile: undefined, cacerts(count): 0 }" }"
rabbitmq-1 | 2025-07-07 13:01:50.556905+00:00 [debug] <0.14905.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.557009+00:00 [debug] <0.14905.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.557029+00:00 [debug] <0.14905.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.557272+00:00 [debug] <0.14905.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.557308+00:00 [debug] <0.14905.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.574449+00:00 [debug] <0.14925.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.574538+00:00 [debug] <0.14925.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.574558+00:00 [debug] <0.14925.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.574820+00:00 [debug] <0.14925.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.574851+00:00 [debug] <0.14925.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.580080+00:00 [debug] <0.14932.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.580157+00:00 [debug] <0.14932.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.580193+00:00 [debug] <0.14932.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.580380+00:00 [debug] <0.14932.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.580406+00:00 [debug] <0.14932.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.586500+00:00 [debug] <0.14937.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.586614+00:00 [debug] <0.14937.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.586667+00:00 [debug] <0.14937.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.586937+00:00 [debug] <0.14937.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.587010+00:00 [debug] <0.14937.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.594088+00:00 [debug] <0.14945.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.594162+00:00 [debug] <0.14945.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.594180+00:00 [debug] <0.14945.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.594361+00:00 [debug] <0.14945.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.594385+00:00 [debug] <0.14945.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.601162+00:00 [debug] <0.14950.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.601243+00:00 [debug] <0.14950.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.601306+00:00 [debug] <0.14950.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.601556+00:00 [debug] <0.14950.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.601587+00:00 [debug] <0.14950.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.616028+00:00 [debug] <0.14965.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.616119+00:00 [debug] <0.14965.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.616158+00:00 [debug] <0.14965.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.616360+00:00 [debug] <0.14965.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.616412+00:00 [debug] <0.14965.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.624498+00:00 [debug] <0.14973.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.624604+00:00 [debug] <0.14973.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.624643+00:00 [debug] <0.14973.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.624870+00:00 [debug] <0.14973.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.624900+00:00 [debug] <0.14973.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.629759+00:00 [debug] <0.14980.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.629836+00:00 [debug] <0.14980.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.629874+00:00 [debug] <0.14980.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.630052+00:00 [debug] <0.14980.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.630078+00:00 [debug] <0.14980.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.646913+00:00 [debug] <0.14995.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.647011+00:00 [debug] <0.14995.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.647068+00:00 [debug] <0.14995.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.647290+00:00 [debug] <0.14995.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.647322+00:00 [debug] <0.14995.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.647505+00:00 [debug] <0.14995.0> Feature flags: collecting inventory on nodes: [rabbit@rabbitmq]
rabbitmq-1 | 2025-07-07 13:01:50.652651+00:00 [debug] <0.15003.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:50.652736+00:00 [debug] <0.15003.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:50.652781+00:00 [debug] <0.15003.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:50.652960+00:00 [debug] <0.15003.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:50.652986+00:00 [debug] <0.15003.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:50.653199+00:00 [debug] <0.15003.0> Files and directories found in node's data directory: DECISION_TAB.LOG, LATEST.LOG, cluster_nodes.config, coordination, mqtt_retained_00006666cd76f96956469e7be39d750cc7d9.dets, mqtt_retained_0000900150983cd24fb0d6963f7d28e17f72.dets, msg_stores, node-type.txt, nodes_running_at_shutdown, quorum, rabbit_durable_exchange.DCD, rabbit_durable_queue.DCD, rabbit_durable_route.DCD, rabbit_runtime_parameters.DCD, rabbit_runtime_parameters.DCL, rabbit_serial, rabbit_topic_permission.DCD, rabbit_user.DCD, rabbit_user_permission.DCD, rabbit_vhost.DCD, schema.DAT, of them to be ignored: cluster_nodes.config, coordination, msg_stores, nodes_running_at_shutdown, quorum, rabbit@rabbitmq, rabbit@rabbitmq-feature_flags, rabbitmq_metadata, stream
rabbitmq-1 | 2025-07-07 13:01:50.653298+00:00 [debug] <0.15003.0> Files and directories found in node's data directory sans ignored ones: DECISION_TAB.LOG, LATEST.LOG, mqtt_retained_00006666cd76f96956469e7be39d750cc7d9.dets, mqtt_retained_0000900150983cd24fb0d6963f7d28e17f72.dets, node-type.txt, rabbit_durable_exchange.DCD, rabbit_durable_queue.DCD, rabbit_durable_route.DCD, rabbit_runtime_parameters.DCD, rabbit_runtime_parameters.DCL, rabbit_serial, rabbit_topic_permission.DCD, rabbit_user.DCD, rabbit_user_permission.DCD, rabbit_vhost.DCD, schema.DAT
rabbitmq-1 | 2025-07-07 13:01:55.752974+00:00 [debug] <0.15028.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:55.753077+00:00 [debug] <0.15028.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:55.753128+00:00 [debug] <0.15028.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:55.753348+00:00 [debug] <0.15028.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:55.753387+00:00 [debug] <0.15028.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:55.764613+00:00 [debug] <0.15036.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:55.764689+00:00 [debug] <0.15036.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:55.764713+00:00 [debug] <0.15036.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:55.764880+00:00 [debug] <0.15036.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:55.764904+00:00 [debug] <0.15036.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025-07-07 13:01:55.772161+00:00 [debug] <0.15043.0> Decoding token for resource_server: <<"rabbitmq">> using oauth_provider_id: ""
rabbitmq-1 | 2025-07-07 13:01:55.772251+00:00 [debug] <0.15043.0> Signing key <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> found
rabbitmq-1 | 2025-07-07 13:01:55.772315+00:00 [debug] <0.15043.0> Verifying signature using signing_key_id : '<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>' and algorithms: undefined
rabbitmq-1 | 2025-07-07 13:01:55.772525+00:00 [debug] <0.15043.0> Computing username from client's JWT token: [<<"rabbit_admin">>] -> rabbit_admin
rabbitmq-1 | 2025-07-07 13:01:55.772558+00:00 [debug] <0.15043.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2```

Logs from node 2 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

Logs from node 3 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

rabbitmq.conf

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find rabbitmq.conf file location

auth_backends.1 = rabbit_auth_backend_oauth2

log.console.level = debug

management.oauth_enabled = true
management.oauth_client_id = rabbitmq-client-code
management.oauth_client_secret = xxxx
management.oauth_scopes = openid profile 

auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.preferred_username_claims.1 = user_name
auth_oauth2.issuer = https://nginx/realms/test
auth_oauth2.https.cacertfile = /certs/keycloak/ca_keycloak_certificate.pem
auth_oauth2.additional_scopes_key = extra_scope
auth_oauth2.https.verify = verify_none
management.oauth_disable_basic_auth = true
management.listener.ssl = true #The Management UI over HTTPS
management.listener.port = 15671

listeners.ssl.default = 5671

# default TLS-enabled port for stream connections
stream.listeners.ssl.1 = 5551 #secure listener
stream.listeners.tcp   = none #deactivate all non-TLS 
ssl_options.certfile   = /certs/keycloak/rabbitmq/rabbitmq.crt
ssl_options.keyfile    = /certs/keycloak/rabbitmq/rabbitmq.key
ssl_options.cacertfile = /certs/keycloak/rabbitmq/rabbitmq-ca.crt
ssl_options.verify = verify_none


loopback_users = none

Steps to deploy RabbitMQ cluster

docker-compose up rabbitmq nginx keycloak

Steps to reproduce the behavior in question

logging in the rabbitmq UI using user rabbit_admin which gets its roles of creds from client rabbitmq-client-code as set in the rabbitmq.conf

advanced.config

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find advanced.config file location

# PASTE advanced.config HERE, BETWEEN BACKTICKS

Application code

# PASTE CODE HERE, BETWEEN BACKTICKS

Kubernetes deployment file

# Relevant parts of K8S deployment that demonstrate how RabbitMQ is deployed
# PASTE YAML HERE, BETWEEN BACKTICKS

What problem are you trying to solve?

I want to know if theres a way to accsess the rabbitmq UI and have the user see specific vhost or specific queue only? because now i log in and i see all vhosts and queues.
im using keycloak as the user management so i have the user rabbit_admin with management premissions and i have in the rabbit conf the management.oauth_client_id = rabbitmq-client-code which means the user rabbit_admin gets its roles from. how to do it ? what should i tell keycloak to set?
this is the current token data:

{
  "exp": 1751890302,
  "iat": 1751890002,
  "jti": "aa4d0c20-19fa-47b9-9f60-55f9eed08518",
  "iss": "https://nginx/realms/test",
  "aud": "rabbitmq",
  "sub": "86a342d9-28d2-4a0a-948f-c5a6f4717254",
  "typ": "Bearer",
  "azp": "rabbitmq-client-code",
  "acr": "1",
  "allowed-origins": [
    "https://nginx"
  ],
  "realm_access": {
    "roles": [
      "default-roles-test",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "rabbitmq-client-code": {
      "roles": [
        "uma_protection"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "profile email rabbitmq.read:*/*",
  "email_verified": false,
  "clientHost": "172.19.0.4",
  "clientId": "rabbitmq-client-code",
  "user_name": "service-account-rabbitmq-client-code",
  "preferred_username": "service-account-rabbitmq-client-code",
  "clientAddress": "172.19.0.4",
  "extra_scope": [
    "default-roles-test",
    "offline_access",
    "uma_authorization"
  ],
  "rabbitmq_tag": "management"
}

Is there a way to set maybe "scope": "profile email rabbitmq.read:abc/queue-1", or somthing like that?
Is it even possible to give the UI premmisions to show only vhost abc?
Thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Questions] Rabbitmq and keycloak UI user specific queue\host premission #14200

Uh oh!

{{title}}

Uh oh!

Replies: 0 comments

Select a reply

Uh oh!

[Questions] Rabbitmq and keycloak UI user specific queue\host premission #14200

Uh oh!

batchen-gsr Jul 7, 2025

Community Support Policy

RabbitMQ version used

Erlang version used

Operating system (distribution) used

How is RabbitMQ deployed?

rabbitmq-diagnostics status output

Logs from node 2 (if applicable, with sensitive values edited out)

Logs from node 3 (if applicable, with sensitive values edited out)

rabbitmq.conf

Steps to deploy RabbitMQ cluster

Steps to reproduce the behavior in question

advanced.config

Application code

Kubernetes deployment file

What problem are you trying to solve?

Replies: 0 comments

batchen-gsr
Jul 7, 2025