authorAlexandru Scvortov <alexandru@rabbitmq.com>2010-07-14 10:56:38 +0100
committerAlexandru Scvortov <alexandru@rabbitmq.com>2010-07-14 10:56:38 +0100
commit1849d6af7ea940f557a643c30ff67e091a3f863e (patch)
treee195e6cb6c9a62b97e96c8e741daa47144734322
parent74a64a59adc4515f08c7a61034be9ec6bad08210 (diff)
added a flag to set_permissions to control their scope
set_permissions -check_user_named is the default and checks permissions only for user-named resources, i.e. server-generated names are not checked. set_permissions -check_all_resources enables the check for server-generated names as well. I had to shorten the argument names in the man page because otherwise the set_permissions line would have exceeded 80 characters. All parameters passed from rabbit_control to rabbit_access_control are binary(), which is why we're passing <<"check_user_named">> rather than 'check_user_named'. rabbit_access_control:set_permissions now takes 6 parameters. There's also a 5 parameter version that sets the default value for Check and calls the other one. I've added it because I don't want the default value for Check in 10 different places.
-rw-r--r--docs/rabbitmqctl.1.xml13
-rw-r--r--src/rabbit_access_control.erl26
-rw-r--r--src/rabbit_control.erl17
3 files changed, 34 insertions, 22 deletions
diff --git a/docs/rabbitmqctl.1.xml b/docs/rabbitmqctl.1.xml
index 26863ae78a..74ac95686b 100644
--- a/docs/rabbitmqctl.1.xml
+++ b/docs/rabbitmqctl.1.xml
@@ -547,7 +547,7 @@
</varlistentry>
<varlistentry>
- <term><cmdsynopsis><command>set_permissions</command> <arg choice="opt">-p <replaceable>vhostpath</replaceable></arg> <arg choice="req"><replaceable>username</replaceable></arg> <arg choice="req"><replaceable>configure</replaceable></arg> <arg choice="req"><replaceable>write</replaceable></arg> <arg choice="req"><replaceable>read</replaceable></arg></cmdsynopsis></term>
+ <term><cmdsynopsis><command>set_permissions</command> <arg choice="opt">-p <replaceable>vhostpath</replaceable></arg> <arg choice="opt">-<replaceable>check</replaceable></arg> <arg choice="req"><replaceable>user</replaceable></arg> <arg choice="req"><replaceable>conf</replaceable></arg> <arg choice="req"><replaceable>write</replaceable></arg> <arg choice="req"><replaceable>read</replaceable></arg></cmdsynopsis></term>
<listitem>
<variablelist>
<varlistentry>
@@ -555,11 +555,18 @@
<listitem><para>The name of the virtual host to which to grant the user access, defaulting to <command>/</command>.</para></listitem>
</varlistentry>
<varlistentry>
- <term>username</term>
+ <term>check</term>
+ <listitem><para>Which resources should permissions be
+ checked for? Either
+ <command>check_user_named</command> (the default) or
+ <command>check_all_resources</command>.</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>user</term>
<listitem><para>The name of the user to grant access to the specified virtual host.</para></listitem>
</varlistentry>
<varlistentry>
- <term>configure</term>
+ <term>conf</term>
<listitem><para>A regular expression matching resource names for which the user is granted configure permissions.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 4863c9d9ea..e4f557cc1a 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -38,7 +38,7 @@
-export([add_user/2, delete_user/1, change_password/2, list_users/0,
lookup_user/1]).
-export([add_vhost/1, delete_vhost/1, list_vhosts/0]).
--export([set_permissions/5, set_permissions_all/5, clear_permissions/2,
+-export([set_permissions/5, set_permissions/6, clear_permissions/2,
list_vhost_permissions/1, list_user_permissions/1]).
%%----------------------------------------------------------------------------
@@ -51,6 +51,7 @@
-type(username() :: binary()).
-type(password() :: binary()).
-type(regexp() :: binary()).
+-type(check_flag() :: binary()).
-spec(check_login/2 :: (binary(), binary()) -> rabbit_types:user()).
-spec(user_pass_login/2 :: (username(), password()) -> rabbit_types:user()).
@@ -70,6 +71,8 @@
-spec(list_vhosts/0 :: () -> [rabbit_types:vhost()]).
-spec(set_permissions/5 ::(username(), rabbit_types:vhost(), regexp(),
regexp(), regexp()) -> 'ok').
+-spec(set_permissions/6 ::(check_flag(), username(), rabbit_types:vhost(),
+ regexp(), regexp(), regexp()) -> 'ok').
-spec(clear_permissions/2 :: (username(), rabbit_types:vhost()) -> 'ok').
-spec(list_vhost_permissions/1 ::
(rabbit_types:vhost())
@@ -307,9 +310,17 @@ validate_regexp(RegexpBin) ->
{error, Reason} -> throw({error, {invalid_regexp, Regexp, Reason}})
end.
-set_permissions_internal(Username, VHostPath, Check, ConfigurePerm,
- WritePerm, ReadPerm) ->
+set_permissions(Username, VHostPath, ConfigurePerm, WritePerm, ReadPerm) ->
+ set_permissions(<<"check_user_named">>, Username, VHostPath, ConfigurePerm,
+ WritePerm, ReadPerm).
+
+set_permissions(Check, Username, VHostPath, ConfigurePerm, WritePerm, ReadPerm) ->
lists:map(fun validate_regexp/1, [ConfigurePerm, WritePerm, ReadPerm]),
+ Check1 = case Check of
+ <<"check_user_named">> -> check_user_named;
+ <<"check_all_resources">> -> check_all_resources;
+ _ -> throw({error, {invalid_check_flag, Check}})
+ end,
rabbit_misc:execute_mnesia_transaction(
rabbit_misc:with_user_and_vhost(
Username, VHostPath,
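Review bot: The 5-arity `set_permissions` silently selects the narrower check scope, and nothing in the code says what the two modes mean for authorisation. Per the commit description, `check_user_named` leaves server-generated names unchecked, so I would put a comment above the wrapper such as `%% Default scope: only user-named resources are permission-checked; server-generated names are NOT. Pass <<"check_all_resources">> to check those too.` Matching the incoming binary against a fixed set, with the `_ -> throw({error, {invalid_check_flag, Check}})` arm, is the right shape and should be kept if more modes are added, rather than converting the binary to an atom. The body of set_permissions/6 continues past the end of this hunk.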
@@ -319,20 +330,13 @@ set_permissions_internal(Username, VHostPath, Check, ConfigurePerm,
username = Username,
virtual_host = VHostPath},
permission = #permission{
- check = Check,
+ check = Check1,
configure = ConfigurePerm,
write = WritePerm,
read = ReadPerm}},
write)
end)).
-set_permissions(Username, VHostPath, ConfigurePerm, WritePerm, ReadPerm) ->
- set_permissions_internal(Username, VHostPath, 'check_user_named', ConfigurePerm,
- WritePerm, ReadPerm).
-
-set_permissions_all(Username, VHostPath, ConfigurePerm, WritePerm, ReadPerm) ->
- set_permissions_internal(Username, VHostPath, 'check_all_resources', ConfigurePerm,
- WritePerm, ReadPerm).
clear_permissions(Username, VHostPath) ->
rabbit_misc:execute_mnesia_transaction(
diff --git a/src/rabbit_control.erl b/src/rabbit_control.erl
index 2f13a0a6d4..602b4660fc 100644
--- a/src/rabbit_control.erl
+++ b/src/rabbit_control.erl
@@ -271,16 +271,17 @@ action(Command, Node, Args, Inform) ->
{VHost, RemainingArgs} = parse_vhost_flag(Args),
action(Command, Node, VHost, RemainingArgs, Inform).
-action(set_permissions, Node, VHost, [Username, CPerm, WPerm, RPerm], Inform) ->
+action(set_permissions, Node, VHost, Args, Inform) ->
+ {Check, [Username, CPerm, WPerm, RPerm]} =
+ case Args of
+ [[$- | Flag] | RemainingArgs] ->
+ {Flag, RemainingArgs};
+ RemainingArgs ->
+ {"check_user_named", RemainingArgs}
+ end,
Inform("Setting permissions for user ~p in vhost ~p", [Username, VHost]),
call(Node, {rabbit_access_control, set_permissions,
- [Username, VHost, CPerm, WPerm, RPerm]});
-
-action(set_permissions_all, Node, VHost, [Username, CPerm, WPerm, RPerm], Inform) ->
- Inform("Setting permissions for all resources for user ~p in vhost ~p",
- [Username, VHost]),
- call(Node, {rabbit_access_control, set_permissions_all,
- [Username, VHost, CPerm, WPerm, RPerm]});
+ [Check, Username, VHost, CPerm, WPerm, RPerm]});
action(clear_permissions, Node, VHost, [Username], Inform) ->
Inform("Clearing permissions for user ~p in vhost ~p", [Username, VHost]),
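Review bot: Moving the argument pattern out of the clause head means a wrong argument count now fails as a `badmatch` inside the body of `action(set_permissions, ...)` instead of failing to match the clause, so it may no longer be reported the way other malformed commands are (that error handling is outside this hunk). Any first argument starting with `-` is also consumed as the flag without validation, so a typo such as `-check_all` is only rejected on the server and a username beginning with `-` can no longer be passed. I would keep the arity in the heads, e.g. `action(set_permissions, Node, VHost, [[$- | Flag], Username, CPerm, WPerm, RPerm], Inform) ->` plus a four-argument clause that supplies `"check_user_named"`. The `Inform` message should also name the scope that was applied, since it changes which resources are permission-checked.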