RabbitMQMailQueue should not require administrative rights #4133

Open
2 tasks
chibenwa opened this issue Dec 11, 2020 · 4 comments
@chibenwa
Member

Why

Today, James requires management API rights to list mail queues.

Why?

  • The list of mail queues can be heterogeneous across the cluster (especially in the case of specialized instances)
  • AMQP clients do not support listing mail queues
  • Thus we ended up relying on the management plugin.

This, of course, is a security violation, as it might lead to right escalation, and might affect other tenants co-hosted on RabbitMQ.

20201211_115241.jpg

Definition of Done

  • James no longer requires administrative rights
  • An ADR needs to be written about this

How

As deleting a mail queue is not a supporting implementation, we can rely on a Set<String> Cassandra table containing the names of the mail queues in use.

James nodes can then rely on this to know if a mail queue is used or not.

Eventual consistency will be achieved between this Cassandra view and the actual RabbitMQ content:

  • Register a created queue in Cassandra first, then create it in Rabbit.
  • Given a Cassandra-registered queue not existing in Rabbit, a James node restart configured with that queue will create the queue in Rabbit.

20201211_115802.jpg

@chibenwa chibenwa added this to the into-production-kanban milestone Dec 11, 2020
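
The ordering proposed in the issue above (record the queue name first, then create the queue; a node restart creates whatever is registered but missing), as an added sketch that is not James code. `FakeRegistry` and `FakeBroker` are hypothetical in-memory stand-ins for the Cassandra table and the AMQP connection, and the queue names are constructed sample values.

```python
# Added sketch: in-memory stand-ins, not James, Cassandra or RabbitMQ code.
class BrokerDown(Exception):
    """Simulated failure between the registry write and the declare."""
class FakeRegistry:
    """Hypothetical stand-in for the Set<String> Cassandra table."""
    def __init__(self):
        self.names = set()
    def register(self, name):
        self.names.add(name)            # idempotent, like an upsert
    def names_in_use(self):
        return sorted(self.names)

class FakeBroker:
    """Hypothetical stand-in for RabbitMQ over AMQP: declare only, no listing."""
    def __init__(self):
        self.queues = set()
        self.fail_next_declare = False
    def declare(self, name):
        if self.fail_next_declare:
            self.fail_next_declare = False
            raise BrokerDown(name)
        self.queues.add(name)           # re-declaring an existing queue is a no-op

class MailQueueFactory:
    def __init__(self, registry, broker):
        self.registry, self.broker = registry, broker
    def create_queue(self, name):
        self.registry.register(name)    # 1. record the name first
        self.broker.declare(name)       # 2. then create it on the broker
    def start(self, configured):
        for name in configured:         # node start: re-run create for each
            self.create_queue(name)     # configured queue, healing any gap
    def list_queues(self):
        # Served from the registry, so no management API call is needed.
        return self.registry.names_in_use()

def demo():
    registry, broker = FakeRegistry(), FakeBroker()
    node = MailQueueFactory(registry, broker)
    node.create_queue("spool")          # sample queue names, constructed
    broker.fail_next_declare = True
    try:
        node.create_queue("outgoing")   # registered, but never declared
    except BrokerDown:
        pass
    before = (node.list_queues(), sorted(broker.queues))
    node.start(["spool", "outgoing"])   # restart creates the missing queue
    after = (node.list_queues(), sorted(broker.queues))
    return before, after
```

Because the name is written before the declare, a failure between the two steps leaves the registry a superset of the broker, which the next start closes.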
@chibenwa
Member Author

@Arsnael
Member

Arsnael commented Dec 11, 2020

I'm not sure I understand the way to migrate with this... When you restart James with those changes, the queues in Cassandra will not exist yet.

Is it checking at startup, adding them to Cassandra, then creating them in Rabbit if necessary?

@rouazana

Should you provide a tool to automatically remove removed queues?

@chibenwa
Member Author

> should you provide a tool to automatically remove removed queues?

I checked, James itself never removes queues. Thus imo this is pointless.

@chibenwa chibenwa added the Epic label Dec 18, 2020
@chibenwa chibenwa removed this from the Sprint 4 milestone Dec 18, 2020