RabbitMQ, NServiceBus endpoint Installation and the principle of least privilege

Jason

Oct 19, 2015, 5:34:35 AM
to Particular Software
Hello,

We have a problem with the NServiceBus endpoint installation when using RabbitMQ as a transport. When installing an endpoint matching the aforementioned description, using a backing service account with less than RabbitMQ administrator privileges, the installation fails with the following exception message:


2015-10-19 09:12:55.838 ERROR NServiceBus.GenericHost Exception when starting endpoint.
RabbitMQ.Client.Exceptions.OperationInterruptedException: The AMQP operation was interrupted: AMQP close-reason, initiated by Peer, code=403, text="ACCESS_REFUSED - access to queue 'MyQueue' in vhost '/' refused for user 'CN=svc_endpoint,OU=Service Accounts,OU=dev.somdomain.local,DC=dev,DC=somedomain,DC=local'", classId=50, methodId=10, cause=
   at RabbitMQ.Client.Impl.SimpleBlockingRpcContinuation.GetReply()
   at RabbitMQ.Client.Impl.ModelBase.QueueDeclare(String queue, Boolean passive, Boolean durable, Boolean exclusive, Boolean autoDelete, IDictionary`2 arguments)
   at RabbitMQ.Client.Impl.ModelBase.QueueDeclare(String queue, Boolean durable, Boolean exclusive, Boolean autoDelete, IDictionary`2 arguments)
   at RabbitMQ.Client.Impl.AutorecoveringModel.QueueDeclare(String queue, Boolean durable, Boolean exclusive, Boolean autoDelete, IDictionary`2 arguments)
   at NServiceBus.Transports.RabbitMQ.RabbitMqQueueCreator.CreateQueueIfNecessary(Address address, String account) in c:\BuildAgent\work\ef98ad7376e3379a\src\NServiceBus.RabbitMQ\RabbitMqQueueCreator.cs:line 20
   at NServiceBus.Unicast.Queuing.QueuesCreator.Install(String identity, Configure config) in c:\BuildAgent\work\3206e2123f54fce4\src\NServiceBus.Core\Unicast\Queuing\QueuesCreator.cs:line 37
   at NServiceBus.Features.InstallationSupport.Starter.Run(Configure config) in c:\BuildAgent\work\3206e2123f54fce4\src\NServiceBus.Core\Installation\InstallationSupport.cs:line 75
   at NServiceBus.Configure.Initialize() in c:\BuildAgent\work\3206e2123f54fce4\src\NServiceBus.Core\Configure.cs:line 125
   at NServiceBus.Bus.Create(BusConfiguration configuration) in c:\BuildAgent\work\3206e2123f54fce4\src\NServiceBus.Core\Bus.cs:line 21
   at NServiceBus.GenericHost.PerformConfiguration(Action`1 moreConfiguration) in c:\BuildAgent\work\a3de8759ee491634\src\NServiceBus.Hosting.Windows\GenericHost.cs:line 121
   at NServiceBus.GenericHost.Start() in c:\BuildAgent\work\a3de8759ee491634\src\NServiceBus.Hosting.Windows\GenericHost.cs:line 58

We have a separate configuration management system whose role is to manage (create, update and delete) RabbitMQ queues within our environment. Our security policy requires us to adhere to the principle of least privilege, which means the NServiceBus endpoint should not require "administrator" access.

We currently have no option but to leave the NServiceBus endpoint with "administrator" privileges if we want the service endpoint to work. This is not acceptable for our use in production.

Is anybody able to provide instructions on how to achieve what we are trying to do, and to explain why this has been implemented in this way?

Andreas Ohlund

Oct 19, 2015, 7:19:56 AM
to particula...@googlegroups.com
Hi Jason!

I would suggest that you turn off the installers  


and instead script your install:


Does this make sense?

Cheers,

Andreas

--
You received this message because you are subscribed to the Google Groups "Particular Software" group.
To unsubscribe from this group and stop receiving emails from it, send an email to particularsoftw...@googlegroups.com.
To post to this group, send email to particula...@googlegroups.com.
Visit this group at http://groups.google.com/group/particularsoftware.
To view this discussion on the web visit https://groups.google.com/d/msgid/particularsoftware/b8140a90-f94d-41a5-b3cc-239664c64555%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jason

Oct 19, 2015, 7:43:01 AM
to Particular Software
Hi Andreas,

Thanks for your prompt reply.

This does look like it may offer what we are looking for, however I am unclear on how to use this to prevent the installation process from creating RabbitMQ dependent artefacts.

Are you able to offer any further information/examples?

Thanks,
Jason

Andreas Ohlund

Oct 19, 2015, 9:03:52 AM
to particula...@googlegroups.com
>This does look like it may offer what we are looking for, however I am unclear on how to use this to prevent the installation process from creating RabbitMQ dependent artefacts.

If you're self-hosting, not calling `.EnableInstallers` will make sure that NServiceBus won't try to create any infrastructure-related artefacts like queues, tables etc.

If you're running the NServiceBus Host you need to skip "installing" the host using `NServiceBus.Host.exe /install` to get the same behavior.

Since the RabbitMQ artifacts are created by the above-mentioned "installers" they won't get created.

Does this make sense?



Jason

Oct 19, 2015, 8:17:03 PM
to Particular Software
Hi Andreas,

We are not calling ".EnableInstaller" explicitly during our endpoint configuration.

What is the default behaviour when ".EnableInstaller" is not called? We are observing that all dependencies are still created (i.e. RabbitMQ queues)...

Is there something critical which we are missing?

Please advise.

Jason

Andreas Ohlund

Oct 20, 2015, 3:56:10 AM
to particula...@googlegroups.com
>We are not calling ".EnableInstaller" explicitly during our endpoint configuration.

Are you self hosting or using the NServiceBus host? (the host will control the installer for you)


simon.cropp

Oct 20, 2015, 4:10:26 AM
to Particular Software
Jason

Specifically are you using the NServiceBus.Host nuget https://www.nuget.org/packages/NServiceBus.Host/

Jason

Oct 20, 2015, 5:10:25 AM
to Particular Software
Hi Simon/Andreas,

We are using the NServiceBus.Host process to host our endpoint.

Is there a specific command which we should be using to install?

Regards,
Jason

Andreas Ohlund

Oct 20, 2015, 5:51:45 AM
to particula...@googlegroups.com
>Is there a specific command which we should be using to install?

Not calling `NServiceBus.Host.exe /install` should be enough?

Note that you would have to use sc.exe to install the Windows service in this case.

You can read more here



Cheers,

Andreas


Jason

Oct 21, 2015, 6:45:28 AM
to Particular Software
Hi Andreas,

I am confused. We have followed all of the suggestions you have made so far.

Specifically when installing our NServiceBus endpoint we are using the "sc.exe" command using the following parameters.
sc.exe create SomeServiceName binpath= "NServiceBus.Host.exe -service /serviceName: SomeServiceName Production SomeServiceName" obj= userName password= "password" start= auto DisplayName= SomeDisplayName

Are there any further instructions which we need to follow or are missing?



Andreas Ohlund

Oct 21, 2015, 6:54:46 AM
to particula...@googlegroups.com
Hi Jason!

I think I know what's going on, let me confirm.

The RabbitMQ transport will by default use a routing topology that creates exchanges on the fly as you subscribe to messages. This would happen during runtime and under the account that the endpoint is running on. To confirm this can you please check if:

* Queues are not created automatically
* Exchanges and their bindings are created at runtime

If this is the fact and you don't want this behavior you need to take control over the topology yourself using:


This way you can set up any exchanges and bindings upfront and NServiceBus won't try to create anything at runtime.

Does this make sense?

Cheers,

Andreas

Jason

Oct 21, 2015, 7:17:56 AM
to Particular Software
Hi Andreas,

I'll talk with our team. 

This sounds like something we can try.

Thank you for your time and effort in trying to help us. I will report back after we have tested this.

Regards,
Jason

Jason

Oct 22, 2015, 12:57:53 AM
to Particular Software
Hi Andreas,

In the end, this configuration option fixed our immediate problem:

 configuration.DoNotCreateQueues();

The routing NServiceBus topology link you mentioned is interesting, I think we will need to look into writing a custom topology if we start using more dynamic exchange/queue creation as you have suggested.

Thanks for your time and suggestions.

Jason
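
The broker-side check behind the 403 on `QueueDeclare` in the first post, and a runtime permission set that fits the outcome of this thread (queues created by other tooling, endpoint not declaring them), as an added example that is not part of the original thread or of NServiceBus. It models RabbitMQ's configure/write/read regex check with Python's `re` standing in for the broker's regex engine; the exchange name `MyEvents`, the short user name `svc_endpoint` and the permission patterns are assumptions for illustration.

```python
import re
import shlex

# Permissions each AMQP 0-9-1 operation needs, per RabbitMQ's access-control
# documentation: (permission, kind of resource the regex is matched against).
REQUIRED = {
    "queue.declare":    [("configure", "queue")],   # non-passive declare
    "exchange.declare": [("configure", "exchange")],
    "queue.bind":       [("write", "queue"), ("read", "exchange")],
    "basic.publish":    [("write", "exchange")],
    "basic.consume":    [("read", "queue")],
}


def denied(perms, operation, queue=None, exchange=None):
    """Return the permissions the broker would refuse for this operation.

    perms maps "configure"/"write"/"read" to the user's regex for one vhost.
    An empty list means the operation is allowed.
    """
    names = {"queue": queue, "exchange": exchange}
    refused = []
    for permission, kind in REQUIRED[operation]:
        pattern = perms[permission] or "^$"  # '' is a synonym for '^$'
        if re.search(pattern, names[kind]) is None:
            refused.append(permission)
    return refused


def set_permissions_command(user, perms, vhost="/"):
    """Build the rabbitmqctl argument list that applies perms to user."""
    return ["rabbitmqctl", "set_permissions", "-p", vhost, user,
            perms["configure"], perms["write"], perms["read"]]


# Constructed sample: runtime account for an endpoint whose queue 'MyQueue'
# and exchange 'MyEvents' (hypothetical name) are created by other tooling.
RUNTIME = {"configure": "^$",
           "write": "^(MyQueue|MyEvents)$",
           "read": "^(MyQueue|MyEvents)$"}

if __name__ == "__main__":
    for op, q, x in [("queue.declare", "MyQueue", None),   # the 403 case
                     ("exchange.declare", None, "MyEvents"),
                     ("queue.bind", "MyQueue", "MyEvents"),
                     ("basic.consume", "MyQueue", None),
                     ("basic.publish", None, "MyEvents")]:
        print(op, "refused:", denied(RUNTIME, op, queue=q, exchange=x))
    print(shlex.join(set_permissions_command("svc_endpoint", RUNTIME)))
```

`queue.bind` needs no configure permission, so an account with an empty configure pattern can still add bindings between any queue it can write and any exchange it can read; the read and write patterns are what bound that.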