User has 'management' tag. "Not management user" error when logging in.


Rick

Jul 5, 2018, 11:03:17 AM
to rabbitmq-users

I am running RabbitMQ version 3.7.6 in a Docker container. The management plugin is enabled.

I receive the following error when logging in to the management UI:

[image: screenshot of the login error]

I am using the following rabbitmq.conf:

default_user                    = "admin"
default_pass                    = "redacted"
default_user_tags.administrator = true
default_user_tags.management    = true

The confusing part is that it appears user "admin" does indeed have management enabled. The following is shown during boot up:

Creating user '"admin"'
Setting user tags for user '"admin"' to [management,administrator]
Setting permissions for '"admin"' in '/' to '.*', '.*', '.*'

As requested, here is the output of list_users:

$ rabbitmqctl list_users
Listing users ...
"admin" [management, administrator]

Why am I unable to log in to the management console on an account that appears to have the tag `management` enabled?


Original StackOverflow question here: https://stackoverflow.com/questions/51173873/rabbitmq-admin-cant-log-in-to-management-ui


Thanks

Luke Bakken

Jul 5, 2018, 2:05:32 PM
to rabbitmq-users
Hi Rick,

I used the configuration you posted to StackOverflow and attached it here as well. There is a difference between that file and what you provided here - namely, your use of double-quotes, which should not be there. You are creating a user named "admin", including the quotes.

Here is the output from the log upon startup:

2018-07-05 11:01:53.984 [info] <0.206.0> Creating user 'admin'
2018-07-05 11:01:53.989 [info] <0.206.0> Setting user tags for user 'admin' to [management,administrator]
2018-07-05 11:01:53.994 [info] <0.206.0> Setting permissions for 'admin' in '/' to '.*', '.*', '.*'

List users output:

./sbin/rabbitmqctl list_users
Listing users ...
admin   [management, administrator]

I can successfully log into the management UI.

Thanks,
Luke
rabbitmq.conf

Rick

Jul 5, 2018, 2:30:19 PM
to rabbitmq-users
Hi Luke,

Thanks for the fast response.

I did notice the superfluous quotes this morning and removed them. Unfortunately, the error persists. Here's an updated RabbitMQ conf:

auth_backends.1 = http

auth_cache.cached_backend = http
auth_cache.cache_ttl = 600000

auth_http.http_method = post
auth_http.resource_path = http://0.0.0.0:1234/api/rmq/resource
auth_http.topic_path = http://0.0.0.0:1234/api/rmq/topic
auth_http.user_path = http://0.0.0.0:1234/api/rmq/user
auth_http.vhost_path = http://0.0.0.0:1234/api/rmq/vhost

default_user = admin
default_pass = password123
default_user_tags.administrator = true
default_user_tags.management = true

mqtt.allow_anonymous = false


I temporarily stubbed the auth HTTP server to always return `allow`. When re-attempting a login, I received the same "Not management user" message. Here's the output of `list_users` currently:

$ rabbitmqctl list_users
Listing users ...
admin [management, administrator]

And also this log during boot up:

2018-07-05 18:18:51.952 [info] <0.201.0> Creating user 'admin'
2018-07-05 18:18:51.955 [info] <0.201.0> Setting user tags for user 'admin' to [management,administrator]
2018-07-05 18:18:51.963 [info] <0.201.0> Setting permissions for 'admin' in '/' to '.*', '.*', '.*'

Is it possible this is caused by an interaction with some other plugin, such as auth_backend_http ?

Michael Klishin

Jul 5, 2018, 2:30:38 PM
to rabbitm...@googlegroups.com
We will add a note about quotes to the configuration doc guide.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Jul 5, 2018, 2:33:05 PM
to rabbitm...@googlegroups.com
"Not management user" means the user has no "management" (or a tag that implies "management") tag.

If you use an HTTP service/backend only then the log entries do not matter: they are for the *internal*
authN/authZ backend which you explicitly told RabbitMQ not to use.

See examples in [1], e.g. this Python one [2], they all demonstrate how HTTP auth services return a list of user tags. That's where "management" must appear
for the right user(s).



Luke Bakken

Jul 5, 2018, 2:34:28 PM
to rabbitmq-users
Hi Rick -

> Is it possible this is caused by an interaction with some other plugin, such as auth_backend_http ?

Yes, this is exactly what is going on. You only have the http backend enabled and this user probably doesn't exist in it. That was an important detail that had been left out until now.

Either enable the internal auth backend as well, or add this user to your external one. RabbitMQ can't do that for you!

Thanks,
Luke
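
Added example, not part of the thread and not RabbitMQ's or the posters' code: a minimal stand-in for the HTTP auth service behind the `auth_http.*` paths in the configuration above, showing why a stub that answers a bare `allow` still produces "Not management user" and what the `user_path` reply has to carry instead. The user store, passwords and the helper `can_use_management_ui` are constructed for illustration; the helper is a simplified mirror of the tag check, not the management plugin's implementation.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed sample store: username -> (password, tags).
USERS = {
    "admin": ("example-password", ["administrator", "management"]),
    "device": ("example-device-pw", []),  # broker access only, no UI tags
}

def user_path_response(username, password):
    """Body for auth_http.user_path: 'deny', or 'allow' followed by the user's tags."""
    entry = USERS.get(username)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return "deny"
    # A bare "allow" authenticates the user but grants no tags at all.
    return " ".join(["allow"] + entry[1])

def can_use_management_ui(user_path_body):
    """Simplified mirror of the check behind 'Not management user'."""
    parts = user_path_body.split()
    implies_management = {"management", "policymaker", "monitoring", "administrator"}
    return parts[:1] == ["allow"] and bool(implies_management & set(parts[1:]))

class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):  # the configuration above sets auth_http.http_method = post
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        field = lambda key: form.get(key, [""])[0]
        if self.path == "/api/rmq/user":
            body = user_path_response(field("username"), field("password"))
        else:
            # vhost/resource/topic paths answer plain allow or deny (no tags).
            body = "allow" if field("username") in USERS else "deny"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    # Port and paths follow the auth_http.* settings posted in the thread.
    HTTPServer(("127.0.0.1", 1234), AuthHandler).serve_forever()
```

With only `auth_backends.1 = http` configured, the tags printed by `rabbitmqctl list_users` belong to the internal backend and are never consulted; the tags in the `user_path` reply are the ones that decide management UI access.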

Rick Carlino

Jul 5, 2018, 2:43:54 PM
to rabbitm...@googlegroups.com
Thank you, Luke. This looks like the solution!