Problem with rabbitmq_auth_backend_http

[Rambabu]

Hi,

I would like to use rabbitmq_auth_backend_http. So i installed rabbitmq_auth_backend_http binary and changed the config as suggested and enabled the plugin. When i tried to get connection i am getting following error.

com.rabbitmq.client.AuthenticationFailureException: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.
    at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:339)
    at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:621)
    at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:648)
    at android.imgrac.sdk.chat.FCChannel.getChannel(FCChannel.java:36)
    at android.imgrac.sdk.chat.FCConsumer.<init>(FCConsumer.java:31)
    at android.imgrac.sdk.chat.FlowChat.register(FlowChat.java:35)
    at Client3.main(Client3.java:175)

I am using nodejs as http server. But its not hitting.

rabbitmq_config
[{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
{rabbitmq_auth_backend_http,
[{user_path, "http://127.0.0.1:9000/auth/user"},
{vhost_path,    "http://127.0.0.1:9000/auth/vhost"},
{resource_path, "http://127.0.0.1:9000/auth/resource"}
]}
].

version:
 {rabbit,"RabbitMQ","3.5.4"},


Please help me how to proceed.

Thanks

[Michael Klishin]

Does tour HTTP backend return a response the plugin expects? That would be the first thing to verify, e.g. with Wireshark or an HTTP-specific protocol capture tool.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Rambabu]

Hi MK,

I could able to solve the issue. There is a problem with my code.


Thanks

[Arif Pathan]

Could you specify what was the exact issue in your code, I am getting the same error, I have webapi in dotnet written it returns "allow" or "allow *", I have also tested it via postman it returns succesfully, but still getting the same error on client

[HttpPost]

        public string user()

        {

               return "allow *"; 

or   return "allow"; 

        }

Error is ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile and in Log file

Error on AMQP connection <0.705.0> (xxxxx:5672, state: starting):

PLAIN login refused: rabbit_auth_backend_http failed authenticating paymentuser: {bad_response,

                                                             "\"allow *\""}

or PLAIN login refused: rabbit_auth_backend_http failed authenticating vmsuser: {bad_response,

                                                         "\"allow\""}

Rabbitmq.config is as follows

[

{rabbit, [

            {auth_backends, [rabbit_auth_backend_http]}

          ]

},

{rabbitmq_auth_backend_http,

   [

   {http_method,   post},

    {user_path,     "http://localhost/AuthService/auth/user"},

    {vhost_path,    "http://localhost/AuthService/auth/vhost"},

    {resource_path, "http://localhost/AuthService/auth/resource"},

    {topic_path,    "http://localhost/AuthService/auth/topic"}

]

}

].

[Arnaud Cogoluègnes]

Not sure the plugin expects "allow *". Can you modify your HTTP backend to return also user tags on the user_path endpoint (e.g. "allow administrator management")?

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

[Arif Pathan]

Thanks for the reply but have tried, that does not work either

PLAIN login refused: rabbit_auth_backend_http failed authenticating customuser: {bad_response,

                                                             "\"allow administrator\""}

Installed versions are rabbitmq_server-3.6.11

Erlang OTP 20(9.0)

It seems something on rabbitmq itself, as it is receving the response, Any help is much appreciated

On Monday, October 9, 2017 at 5:37:37 PM UTC+5:30, Arnaud Cogoluègnes wrote:

Not sure the plugin expects "allow *". Can you modify your HTTP backend to return also user tags on the user_path endpoint (e.g. "allow administrator management")?

On Mon, Oct 9, 2017 at 1:09 PM, Arif Pathan <arif42...@gmail.com> wrote:

Could you specify what was the exact issue in your code, I am getting the same error, I have webapi in dotnet written it returns "allow" or "allow *", I have also tested it via postman it returns succesfully, but still getting the same error on client

[HttpPost]

        public string user()

        {

               return "allow *"; 

or   return "allow"; 

        }

Error is ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile and in Log file

Error on AMQP connection <0.705.0> (xxxxx:5672, state: starting):

PLAIN login refused: rabbit_auth_backend_http failed authenticating customentuser: {bad_response,

                                                             "\"allow *\""}

or PLAIN login refused: rabbit_auth_backend_http failed authenticating customuser: {bad_response,

[Arif Pathan]

Finally somewhat its working now, The problem was it was expecting plain text response and my http service was a web api and it was by default returning json response

so I changed the previous implementation from 

[HttpPost]

        public HttpResponseMessage user(FormDataCollection form)

        {

           var resp = new HttpResponseMessage(HttpStatusCode.OK);

            resp.Content = new StringContent("allow");

            return resp;

        }

to 

[HttpPost]

        public HttpResponseMessage user(FormDataCollection form)

        {

           var resp = new HttpResponseMessage(HttpStatusCode.OK);

            resp.Content = new StringContent("allow", System.Text.Encoding.UTF8, "text/plain");

            return resp;

        }

So problem1 solved 

Now Problem2 -

it works only with allow as response - but This works only for  rabbitmq dotnet Client but when I try to login via mangement Portal it says 

HTTP access denied: user 'guest' - Not management user

But then when i return allow administrator management as reponse, it works for mangement Portal, I am able to login but 

does not work for rabbitmq dotnet Client  it gives the error

closing AMQP connection <0.1353.0> (10.167.113.118:4177 -> 10.167.113.118:5672):

{handshake_error,opening,0,

    {error,

        {case_clause,"allow administrator"},

        'connection.open',

        [{rabbit_access_control,check_access,5,

             [{file,"src/rabbit_access_control.erl"},{line,177}]},

         {lists,foldl,3,[{file,"lists.erl"},{line,1263}]},

         {rabbit_reader,handle_method0,2,

             [{file,"src/rabbit_reader.erl"},{line,1235}]},

         {rabbit_reader,handle_method0,3,

             [{file,"src/rabbit_reader.erl"},{line,1149}]},

         {rabbit_reader,handle_input,3,

             [{file,"src/rabbit_reader.erl"},{line,1064}]},

         {rabbit_reader,recvloop,4,

             [{file,"src/rabbit_reader.erl"},{line,472}]},

         {rabbit_reader,run,1,[{file,"src/rabbit_reader.erl"},{line,454}]},

         {rabbit_reader,start_connection,4,

             [{file,"src/rabbit_reader.erl"},{line,390}]}]}}

Problem3 - What about the other calls to

auth/vhost

auth/resource

auth/topic

These methods are never called, why is that so

[Arif Pathan]

Finally all the problems are solved, Those were small mistakes but difficult to guess or identify and some were technology implementation specific, I guess here we should go as it is in the doucmentation

I will post the dotnet http service for this plugin as an example so anyone dealing with dot net client can easily utilize this

Problem2 solved-

it works only with allow as response - but This works only for  rabbitmq dotnet Client but when I try to login via mangement Portal it says 

HTTP access denied: user 'guest' - Not management user

But then when i return allow administrator management as reponse, it works for mangement Portal, I am able to login but 

does not work for rabbitmq dotnet Client  it gives the error

The response I was returning was "allow administrator management" and this worked for Management Portal login but for the code that is rabbitmq dot net client the syntax is as stated in documents

"allow [administrator]" with the brackets 

Problem3 solved- What about the other calls to

auth/vhost

auth/resource

auth/topic

These methods are never called - The problem was specific to dotnet webapi implementation

Changed the below which was not working for all the three types vhost,resource and topic respectively to

[HttpPost]

        public HttpResponseMessage vhost(string username, string vhost, string ip)

{

}

to below which is working 

[HttpPost]

  public HttpResponseMessage vhost(FormDataCollection form)

{

}

As I said I will host the dotnet http service for this plugin as an example so anyone dealing with dot net client can easily utilize this and update a link over here

But thanks for your comment @Arnaud Cogoluègnes  as that clicked me that the response was text format and not json format

[Arnaud Cogoluègnes]

Thanks for your feedback. You can have a look to the Spring Boot application integration test [1]. It should give you an idea of the input/output for all endpoints.

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/1b3f98677a2be45427bd490f92f99722eb763652/examples/rabbitmq_auth_backend_spring_boot/src/test/java/com/rabbitmq/examples/AuthBackendHttpControllerTest.java#L39-L72

--

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

[Michael Klishin]

"Bad response" means your HTTP handler returned a value the plugin does not expect.

To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

MK

Staff Software Engineer, Pivotal/RabbitMQ

[Arif Pathan]

Thanks for your response, As mentioned in later comment the problem is resolved I have also stated the reasons and solutions for the same

I have made a sample dot net webapi service that rabbitmq-auth-backend-http can authenticate against

https://github.com/arif-pathan/rabbitmq-auth-backend-http/tree/master/examples/rabbitmq_auth_backend_webapi_dotnet, I have also created a pull request to be added it in the samples are https://github.com/rabbitmq/rabbitmq-auth-backend-http

It would be great if thats incorporated in the main branch itself, Thanks

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.

To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.

To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

[Michael Klishin]

Thank you, the PR was merged.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.