Overwrite user credentials warning message?


Andrew D.

Aug 21, 2019, 7:47:49 AM
to rabbitmq-users
Hello, we experienced a problem recently where we used the GUI to create a "new" user with a new password, but the user already existed. Instead of a warning that the account already exists, the password was overwritten (when testing, we were also kicked out of the session, because we were logged in as that user). We were able to log in as the existing user with the new password, but to avoid overwriting credentials for existing users, it would have been better to get an error message that "warning: this user already exists. If you want to change their password, please do XYZ." (This caused a brief system outage because the credentials were already used elsewhere in our system and we didn't realize we were overwriting the existing user's credentials.) Can there be some kind of a test if the credentials are already in use before they are overwritten in the GUI? 

Luke Bakken

Aug 21, 2019, 1:29:11 PM
to rabbitmq-users
Hi Andrew,

I just reproduced this behavior. Under the hood, an HTTP PUT request is made to the /api/users REST endpoint. PUT is used for creating or updating a user in RabbitMQ's API (https://cdn.rawgit.com/rabbitmq/rabbitmq-management/v3.7.17/priv/www/api/index.html / https://stackoverflow.com/q/630453)

I'll modify the UI to make it clear that you are adding OR updating a user via that screen. If you view the "Policies" screen it shows that you are adding or updating a policy.

If you try to run rabbitmqctl add_user multiple times for the same user, an error will be displayed.

Thanks,
Luke

Luke Bakken

Aug 21, 2019, 1:48:39 PM
to rabbitmq-users
Hi again Andrew -

Andrew D.

Aug 22, 2019, 4:51:13 AM
to rabbitmq-users
Hi Luke, thanks for the quick response! Is it possible to modify the HTTP response back that an existing user's credentials have been overwritten, as opposed to creating a new user? Even if not, the GUI changes are definitely still an improvement. Thanks again. Cheers, Andrew

Luke Bakken

Aug 22, 2019, 11:13:42 AM
to rabbitmq-users
Hi Andrew,

The API already provides a 201 response for a new user vs 204 for an updated one. Please see the attached file for a transcript.

Thanks,
Luke
http-responses.txt
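
Added example, not part of the thread and not RabbitMQ project code: a create-only wrapper for automation that uses the 201 versus 204 distinction described above, so that provisioning an account that already exists fails instead of replacing its password. The names `http_send`, `create_user_only` and `UserExists` are hypothetical, and the sketch assumes `GET /api/users/{name}` answers 200 for an existing user and 404 for a missing one, which the thread itself does not show.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


class UserExists(Exception):
    """Raised instead of silently replacing an existing user's password."""


def http_send(base_url, auth, method, path, body=None):
    """Send one management API request; return the HTTP status code."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method)
    token = base64.b64encode(auth.encode()).decode()  # auth is "user:pass"
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 404 is an answer here, not a failure


def create_user_only(send, name, password, tags=""):
    """Create `name` without ever touching an existing account on purpose.

    `send(method, path, body)` returns a status code; for a real broker use
    functools.partial(http_send, base_url, "user:pass"). Hypothetical helper.
    """
    path = "/api/users/" + urllib.parse.quote(name, safe="")
    status = send("GET", path, None)
    if status == 200:
        raise UserExists(name)  # stop before any PUT is sent
    if status != 404:
        raise RuntimeError(f"unexpected status {status} looking up {name}")
    status = send("PUT", path, {"password": password, "tags": tags})
    if status == 201:
        return "created"
    if status == 204:
        # Lost a race: the user appeared between GET and PUT, so this PUT
        # replaced its password. Surface it loudly instead of returning OK.
        raise UserExists(name + " (created concurrently, password replaced)")
    raise RuntimeError(f"unexpected status {status} creating {name}")
```

The GET check narrows the window but does not close it, which is why a 204 on the PUT is still treated as an error that needs follow-up.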