User guest is created as administrator by default after 3.8.4 when management.load_definitions is used


Marius Ciocan

May 26, 2022, 2:03:34 PM
to rabbitmq-users
Hello all,

We upgraded some of our RabbitMQ instances from 3.8.0 and noticed something strange: user guest is created with administrator tags.

In versions lower than 3.8.5, the user guest is never created by default when management.load_definitions is used.

After 3.8.5, 3.9.x, 3.10.x the user guest is created with administrator tags.

Testing with the legacy load_definitions or definitions.local.path (no management plugin required), we can NOT reproduce this behaviour!

This is not a major issue, because it can be easily fixed by changing the default user and pass or by disabling loopback users, but it was strange to notice it without any warning in the changelog.

Is this strange behaviour, or is it FAD?

Our setup is something like this:
rabbit server with custom config to load custom definitions and rabbitmq_management plugin enabled

docker run -d --rm --name rabbit \
  --hostname rabbit \
  -p 15672:15672 \
  -v "$(pwd)"/data:/var/lib/rabbitmq/mnesia \
  -v "$(pwd)"/config/definitions.json:/etc/rabbitmq/definitions.json \
  -v "$(pwd)"/config/enabled_plugins:/etc/rabbitmq/enabled_plugins \
  -v "$(pwd)"/config/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf \
  rabbitmq:3.10.2-management


where definitions.json
{
  "users": [
    {
      "name": "john",
      "password": "john",
      "tags": "administrator"
    }
  ],
  "vhosts": [
    {  "name": "/" }
  ],
  "permissions": [
    {
      "user": "john",
      "vhost": "/",
      "configure": ".*",
      "write": ".*",
      "read": "^.*"
    }
  ],
  "parameters": [],
  "policies": [],
  "queues": [
    {
      "name": "messages",
      "vhost": "/",
      "durable": false,
      "auto_delete": false,
      "arguments": {}
    }
  ]
}


enabled_plugins
[rabbitmq_management].


rabbitmq.conf
loopback_users.guest = false   # enabled for testing purposes
listeners.tcp.default = 5672
management.listener.port = 15672
management.listener.ssl = false
management.load_definitions = /etc/rabbitmq/definitions.json


Testing with different versions:
3.8.4: curl -u "john:john" --silent http://127.0.0.1:15672/api/users/ | jq
[
  {
    "name": "john",
    "password_hash": "kQPcMWd2FIyXyvnD8jKUwFKAS02Fbu1t3/71Ej6NEZ0msaSR",
    "hashing_algorithm": "rabbit_password_hashing_sha256",
    "tags": "administrator"
  }
]


>3.8.5, 3.9.x, 3.10.x: curl -u "john:john" --silent http://127.0.0.1:15672/api/users/ | jq
[
  {
    "name": "guest",
    "password_hash": "B3cN/64Xi2Gs+A2pXmJn2X9Ly39tQfvad0ZTm/ws+CVY0K2m",
    "hashing_algorithm": "rabbit_password_hashing_sha256",
    "tags": [
      "administrator"
    ],
    "limits": {}
  },
  {
    "name": "john",
    "password_hash": "pqhWy/bafEXFCKeOslojSm5gS2M+yoBywGmY5f+68WZHsj/V",
    "hashing_algorithm": "rabbit_password_hashing_sha256",
    "tags": [
      "administrator"
    ],
    "limits": {}
  }
]



Thank you!

3.8.5-logs
3.10.2-logs
3.8.4-logs
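A check a practitioner would want after reading the post above: compare the users the broker actually reports on /api/users against the users declared in definitions.json, and flag anything undeclared (the default "guest" in particular) or carrying tags beyond what was declared. This is an added example, not code from the post or from the RabbitMQ project; the function names (audit_users, normalize_tags, fetch_api_users) and the embedded sample inputs are constructed here from the output shown above, with the password hashes omitted.

```python
import base64
import json
import urllib.request

# Constructed sample input: the "users" section of the definitions.json from the post.
DEFINITIONS_JSON = """{
  "users": [
    {"name": "john", "password": "john", "tags": "administrator"}
  ]
}"""

# Constructed sample input: the /api/users output the post shows for 3.10.2
# (password hashes omitted; only names and tags matter to the audit).
API_USERS_JSON = """[
  {"name": "guest", "password_hash": "(omitted)",
   "hashing_algorithm": "rabbit_password_hashing_sha256",
   "tags": ["administrator"], "limits": {}},
  {"name": "john", "password_hash": "(omitted)",
   "hashing_algorithm": "rabbit_password_hashing_sha256",
   "tags": ["administrator"], "limits": {}}
]"""


def normalize_tags(tags):
    """Definitions files carry tags as a comma-separated string ("administrator,monitoring");
    the management API returns a string on 3.8.x and a list on 3.9+. Compare them as sets."""
    if tags is None:
        return set()
    if isinstance(tags, str):
        return {t.strip() for t in tags.split(",") if t.strip()}
    return set(tags)


def audit_users(definitions, api_users, default_user="guest"):
    """Return findings: users on the broker that the definitions file did not declare, and
    declared users that carry tags beyond what was declared. The default user gets its own
    issue label so an imported-by-accident guest account is never lost among other findings."""
    declared = {u["name"]: normalize_tags(u.get("tags")) for u in definitions.get("users", [])}
    findings = []
    for user in api_users:
        name = user["name"]
        tags = normalize_tags(user.get("tags"))
        if name not in declared:
            findings.append({
                "user": name,
                "issue": "default user present" if name == default_user else "undeclared user",
                "severity": "high" if "administrator" in tags else "medium",
                "tags": sorted(tags),
            })
        elif tags - declared[name]:
            extra = tags - declared[name]
            findings.append({
                "user": name,
                "issue": "extra tags",
                "severity": "high" if "administrator" in extra else "low",
                "tags": sorted(extra),
            })
    return findings


def fetch_api_users(base_url, user, password):
    """Fetch /api/users from a live management API with HTTP basic auth
    (assumed endpoint shape as used in the post; not exercised by the offline sample)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/users/")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_sample():
    """Run the audit over the constructed sample; returns the findings list."""
    return audit_users(json.loads(DEFINITIONS_JSON), json.loads(API_USERS_JSON))


if __name__ == "__main__":
    # Against the 3.10.2 sample this reports exactly one finding, for "guest".
    # Swap audit_sample() for audit_users(json.load(open("definitions.json")),
    # fetch_api_users("http://127.0.0.1:15672", "john", "john")) to run it against a broker.
    for f in audit_sample():
        print(f"[{f['severity']}] {f['user']}: {f['issue']} (tags: {', '.join(f['tags'])})")
```

Run against the 3.8.4 output from the post, the same audit returns no findings, which is the property worth checking in CI after every broker upgrade: the only accounts that exist are the ones the definitions file declares.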

Michal Kuratczyk

May 26, 2022, 3:07:33 PM
to rabbitm...@googlegroups.com
Hi,

There was indeed a change to how definitions are imported in 3.8.5. It seems like the bug is here: https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbit/src/rabbit_definitions.erl#L219
It skips the default definitions if other configuration properties are used, but management.load_definitions is not considered, so even though it's set, the default definitions are still imported. That's why you end up with both "guest" and "john".

Seems like a great first PR if you are interested. Just add a third function that checks for management.load_definitions and add another "or" on the line linked above.
If you are not interested, we can fix it soon.

Best,



--
Michał
RabbitMQ team

Marius Ciocan

May 26, 2022, 3:29:27 PM
to rabbitmq-users
Hello Michał,

Thank you for your quick response!

Despite having the best intentions to submit a PR, I don't have any experience with Erlang or with RabbitMQ internals in order to fix the bug and write some tests.
Maybe the next time I'll take my chances, but for the moment I'll be thankful if you try a fix. I'll try to learn from your PR.

Thank you,
Marius. 

Michal Kuratczyk

May 27, 2022, 7:43:43 AM
to rabbitm...@googlegroups.com
Hi,

The fix has been merged and will be included in the next patch releases.

Best,



--
Michał
RabbitMQ team