Request/reply on multitier ignores credentials, exception during Send


Yoeri Van Damme

May 7, 2014, 11:30:48 AM
to masstrans...@googlegroups.com
Here I am again, this time with something that looks like a bug.

I have a request reply mechanism using a client pc WPF app and a server with RabbitMQ and a Windows Service installed.

When I configure the Windows Service bus instance to use the server name:
    Const rabbitMQServer As String = "SDWBusT01"
    Const appName As String = "DossierbeheerderDashboard"
    Const dossierbeheerderdashboardUrl As String = "rabbitmq://" & rabbitMQServer & "/" & appName
    config.UseRabbitMq(Sub(rmq)
                           rmq.ConfigureHost(New Uri(dossierbeheerderdashboardUrl), _
                                             Sub(host)
                                                 host.SetPassword("services")
                                                 host.SetUsername("services")
                                             End Sub)
                       End Sub)
    config.ReceiveFrom(dossierbeheerderdashboardUrl)
Everything works fine, messages are sent and received as expected.
However when I change the configuration to use localhost like this:
    Const rabbitMQServer As String = "localhost"
    Const appName As String = "DossierbeheerderDashboard"
    Const dossierbeheerderdashboardUrl As String = "rabbitmq://" & rabbitMQServer & "/" & appName
    config.UseRabbitMq(Sub(rmq)
                           rmq.ConfigureHost(New Uri(dossierbeheerderdashboardUrl), _
                                             Sub(host)
                                                 host.SetPassword("services")
                                                 host.SetUsername("services")
                                             End Sub)
                       End Sub)
    config.ReceiveFrom(dossierbeheerderdashboardUrl)

The Windows service still receives the message, but an exception will occur during the Send method.

Message: rabbitmq://sdwbust01/DossierbeheerderDashboard => An exception was thrown during Send
Inner Exception: None of the specified endpoints were reachable

If I dig through the RabbitMQ logs I find the following problem:

=INFO REPORT==== 7-May-2014::15:03:13 ===
accepting AMQP connection <0.20918.1> ([FE80::1983:53BD:45B4:6374]:58216 -> [FE80::1983:53BD:45B4:6374]:5672)
=ERROR REPORT==== 7-May-2014::15:03:16 ===
closing AMQP connection <0.20918.1> ([FE80::1983:53BD:45B4:6374]:58216 -> [FE80::1983:53BD:45B4:6374]:5672):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'guest' - invalid credentials",
'connection.start_ok'}}
=WARNING REPORT==== 7-May-2014::15:03:26 ===
closing AMQP connection <0.20857.1> ([::1]:58214 -> [::1]:5672):
connection_closed_abruptly

Which makes me think the service thinks the response address (which uses the server name instead of localhost) is on a different host and MassTransit uses the default guest account to log in.
To prove my point: when I re-add the default account, no exceptions occur.
My gut tells me this is a bug, but I might be wrong.
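
Added example (not part of the original post and not MassTransit or RabbitMQ code): a small Python parser for the RabbitMQ report-log format quoted above that flags refused logins for the default "guest" account and ties each one to its connection id and source address. The function names and the watch_users parameter are this example's own; the sample log is the excerpt from the post.

```python
import re

# Log excerpt copied from the post above (RabbitMQ report-log format).
SAMPLE_LOG = """\
=INFO REPORT==== 7-May-2014::15:03:13 ===
accepting AMQP connection <0.20918.1> ([FE80::1983:53BD:45B4:6374]:58216 -> [FE80::1983:53BD:45B4:6374]:5672)
=ERROR REPORT==== 7-May-2014::15:03:16 ===
closing AMQP connection <0.20918.1> ([FE80::1983:53BD:45B4:6374]:58216 -> [FE80::1983:53BD:45B4:6374]:5672):
{handshake_error,starting,0,
{amqp_error,access_refused,
"PLAIN login refused: user 'guest' - invalid credentials",
'connection.start_ok'}}
=WARNING REPORT==== 7-May-2014::15:03:26 ===
closing AMQP connection <0.20857.1> ([::1]:58214 -> [::1]:5672):
connection_closed_abruptly
"""

HEADER = re.compile(r"^=(\w+) REPORT==== (\S+) ===$")
CONN = re.compile(r"AMQP connection <([\d.]+)> \((\S+):\d+ -> (\S+):\d+\)")
REFUSED = re.compile(r"login refused: user '([^']*)'")

def split_reports(text):
    """Yield (level, timestamp, body) for each '=LEVEL REPORT====' entry."""
    level = stamp = None
    body = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if level:
                yield level, stamp, "\n".join(body)
            level, stamp, body = m.group(1), m.group(2), []
        elif level:
            body.append(line)
    if level:
        yield level, stamp, "\n".join(body)

def refused_logins(text, watch_users=("guest",)):
    """Return one record per ERROR report refusing a login for a watched user."""
    hits = []
    for level, stamp, body in split_reports(text):
        conn, refused = CONN.search(body), REFUSED.search(body)
        if level == "ERROR" and conn and refused and refused.group(1) in watch_users:
            hits.append({"time": stamp, "pid": conn.group(1), "user": refused.group(1),
                         "source": conn.group(2).strip("[]")})
    return hits

if __name__ == "__main__":
    for hit in refused_logins(SAMPLE_LOG):
        print(hit)
```

A hit for "guest" from a host that is configured with a named account points at a connection being opened without the configured credentials, which is the symptom described in this thread.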



Chris Patterson

May 7, 2014, 12:15:30 PM
to masstrans...@googlegroups.com
Credentials from URIs are stripped on purpose, to avoid snooping or password exposure. The ConfigureHost() should be used to specify username/password combinations on all services using RabbitMQ.


--
You received this message because you are subscribed to the Google Groups "masstransit-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to masstransit-dis...@googlegroups.com.
To post to this group, send email to masstrans...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/masstransit-discuss/84a80d62-79d5-4661-b66b-acf7c08dc809%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Yoeri Van Damme

May 7, 2014, 12:32:44 PM
to masstrans...@googlegroups.com
Configure host is used in every application:
    rmq.ConfigureHost(New Uri(dossierbeheerderdashboardUrl), _
                      Sub(host)
                          host.SetPassword("services")
                          host.SetUsername("services")
                      End Sub)

Both applications successfully log in to RabbitMQ. The only place where this fails is at the point where my Windows service replies to the requestor, and only if this service uses "localhost" in the ConfigureHost method:

    Public Async Sub Consume(ByVal message As IConsumeContext(Of IGetWerkgeversRequestV2)) Implements Consumes(Of IConsumeContext(Of IGetWerkgeversRequestV2)).All.Consume
        Dim response As New GetWerkgeversResponse
        'some operations to produce a response
        message.Respond(response)
    End Sub


On Wednesday, May 7, 2014 at 18:15:30 UTC+2, Chris Patterson wrote:

Richard Evans

Feb 12, 2015, 5:27:02 AM
to masstrans...@googlegroups.com
Hi,

I'm having exactly the same issue with responses failing authentication on a remote server, having already successfully authenticated the request.

Was there ever a resolution to this?

I'm using MT 2.9.9 and RabbitMQ Client and Server 3.4.3.

Thanks

Rich

Yoeri Van Damme

Feb 12, 2015, 9:32:29 AM
to masstrans...@googlegroups.com
Hi Richard


I worked around it by always using the host machine name since all my services and the RabbitMQ service were installed on the same machine. Before this became a real problem I was transferred to other projects and I haven't worked with MassTransit since then. I am sorry I cannot be of more help.


On Thursday, February 12, 2015 at 11:27:02 UTC+1, Richard Evans wrote:

Richard Evans

Feb 12, 2015, 10:38:59 AM
to masstrans...@googlegroups.com
Thank you for responding Yoeri.

I've now resolved my issue (as I wasn't explicitly providing credentials at the server end for the response and assuming the same credentials that were received by the request should have been used).

All good now!

Thanks

Chris Patterson

Feb 12, 2015, 11:22:37 AM
to masstrans...@googlegroups.com
Glad you worked it out. Yes, the server needs its own credentials for the host, we don't include these in the message to avoid leakage of security elements.



Jerome Haltom

Mar 13, 2015, 2:11:00 AM
to masstrans...@googlegroups.com
I'm having this issue, too, I think.

When replying to a message, how do I set the credentials? I kind of just want the reply to go out the same Bus and everything that the request came in.

I'm using a clustered configuration. I think it's trying to send directly to the node the message was originally sent to, instead of back to the cluster.

Jerome Haltom

Mar 13, 2015, 2:15:01 AM
to masstrans...@googlegroups.com
Okay. I see what's going on. This does seem flawed.

The original request sender sets a URI for the response. And the response is directed to that URI. If the request is connected to one node, remotely, using, say rabbitmq://app-1.fqdn/vhost/queue, and the request is read from rabbitmq://localhost/ (it's read by a consumer running directly on a rabbit node), then the consumer node tries to send it back using the hostname the original client connected from. Which just isn't right, since it was connecting using a FQDN.


Chris Patterson

Mar 13, 2015, 11:43:54 AM
to masstrans...@googlegroups.com
How is this flawed? Why would one service be connecting to the cluster with the FQDN, and another connecting using a completely different address (in your example, localhost)?

The services should be able to resolve the FQDN address, even if you have to set up a hostname that tells the service "oh, by the way, app-1.domain.com is really localhost, so, enjoy."

Seems like you've set up some things much more complicated than they need to be, perhaps dial back the customization of connection methods and simplify the network a bit?

FWIW, we run RabbitMQ in a cluster behind an F5. The F5 monitors the AMQP ports and picks the best server for the client connection. All services connect via that same method, using the same server address. No services connect directly to the RabbitMQ server, since it might disappear if we fail over the cluster.

Worst case, you enter a host name in your hosts file to map to the FQDN.

