Alarms when a credential is near expiry

[manoj365study]

Is your feature request related to a problem? Please describe.

Alarm management in rabbitmq for user credential and certificate expiry.

Describe the solution you'd like

Systems must raise alarms when a credential is near expiry.

Alert message/alarm/notification message to the admin user if the user use management UI and log message with high priority to send in any case.

Expiration warning time shall be configurable, separate parameter to add in the config section to set before how many days the alarm should trigger.

Ex: default value shall be 14 days.

Describe alternatives you've considered

No response

Additional context

No response

[lukebakken]

Hello, thanks for using RabbitMQ.

Since you're talking about credential expiration, I assume you must be talking about OAuth2. RabbitMQ's community support policy excludes OAuth2, as support (including enhancements) for that component are limited to customers who pay for RabbitMQ support.

I will bring this idea to the team, but realize that, if implemented, it would only be available to commercial users of RabbitMQ.

[ansd]

OAuth2 tokens are rather short lived. Usual expiration times are a few minutes or a few hours. It's the client's responsibility to refresh the token in time. I don't think a notification for the server admin is a great idea.

[michaelklishin]

I completely agree with this line of thinking, JWT token renewal is a standard part of the OAuth 2 set of specs, and it is a client-driven feature that our clients plus plugins such as Shovels support.

[manoj365study]

Hi Team,

How about certificate expiry(Talking about TLS certificates) alarm. Suppose if we use one year valid certificates and when they are getting expired in two weeks, would it be possible to create a mechanism to send alarm in that case? Lets say before 14days with high severity and after expiry send alarm with critical severity.

[ansd]

@manoj365study please be specific. Are you asking about RabbitMQ server certificates or client certificates?

[manoj365study]

It is about RabbitMQ server certificates.

[ansd]

What kind of "message/alarm/notification" do you have in mind?

There is already an HTTP API endpoint:

/api/health/checks/certificate-expiration/within/unit | Checks the expiration date on the certificates for every listener configured to use TLS. Responds a 200 OK if all certificates are valid (have not expired), otherwise responds with a 503 Service Unavailable.Valid units: days, weeks, months, years. The value of the within argument is the number of units. So, when within is 2 and unit is "months", the expiration period used by the check will be the next two months.

and a CLI command:

rabbitmq-diagnostics [--node <node>] [--longnames] [--quiet] check_certificate_expiration [--within <period>] [--unit <unit>]

Checks the expiration date of every certificate (leaf, intermediary or any CA) in every certificate bundle file used by the node.


Arguments and Options

<period>
	period of time to check. Default is four (weeks).

<unit>
	time unit for the period, can be days, weeks, months, years. Default is weeks.

So, it should be straightforward to build your own alert, for example by polling the HTTP endpoint once a day.