cannot access rabbitmq through oauth2 plugins


bunnymind

Nov 7, 2019, 3:34:14 AM
to rabbitmq-users
I followed the instructions from https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2, and have already installed UAA on the same machine as RabbitMQ (the config is in the section below).

I am using Web STOMP as a client that uses the access token to connect to RabbitMQ.

After I run demo/setup.sh, I can get the access_token, but I cannot access it from my client side.

I think that, although setup.sh says "Use access_token as a RabbitMQ password, the username is ignored", RabbitMQ still cannot verify the access token.

Any idea about this?


NB: I added this to my config file:

{rabbit, [
  {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
]},

{rabbitmq_auth_backend_oauth2, [
  {resource_server_id, <<"rabbitmq">>},
  {key_config, [
    {default_key, <<"legacy-token-key">>},
    {signing_keys,
      #{<<"legacy-token-key">> => {pem, <<"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dP+vRn+Kj+S/oGd49kq
6+CKNAduCC1raLfTH7B3qjmZYm45yDl+XmgK9CNmHXkho9qvmhdksdzDVsdeDlhK
IdcIWadhqDzdtn1hj/22iUwrhH0bd475hlKcsiZ+oy/sdgGgAzvmmTQmdMqEXqV2
B9q9KFBmo4Ahh/6+d4wM1rH9kxl0RvMAKLe+daoIHIjok8hCO4cKQQEw/ErBe4SF
2cr3wQwCfF1qVu4eAVNVfxfy/uEvG3Q7x005P3TcK+QcYgJxav3lictSi5dyWLgG
QAvkknWitpRK8KVLypEj5WKej6CF8nq30utn15FQg0JkHoqzwiCqqeen8GIPteI7
VwIDAQAB
-----END PUBLIC KEY-----">>}}
    }
  ]}
]}

Luke Bakken

Nov 7, 2019, 5:35:20 AM
to rabbitmq-users
Hello,

What version of RabbitMQ and Erlang are you using?

What is logged by RabbitMQ when access is denied?

Thanks -
Luke

bunnymind

Nov 7, 2019, 5:42:40 AM
to rabbitmq-users
RabbitMQ version: 3.8.1
Erlang version: 21.3.4

The error says:
[error] <0.23502.0> STOMP error frame sent:
Message: "Bad CONNECT"
Detail: "Access refused for user 'guest'\n"
Server private detail: none

bunnymind

Nov 8, 2019, 5:58:40 AM
to rabbitmq-users
When I access RabbitMQ management on port 15672, it says "http://localhost:8080/uaa does not appear to be a running UAA instance or may not have a trusted SSL certificate".
Is that expected?
I am running a UAA instance, but I have no idea about the SSL certificate.


Arnaud Cogoluègnes

Nov 13, 2019, 3:29:34 AM
to rabbitm...@googlegroups.com
Have you tried with an AMQP client? The final authentication process
is the same between Web Stomp and AMQP, but using AMQP removes some
extra layers and this could help investigating the problem.

Arnaud Cogoluègnes

Nov 13, 2019, 3:42:48 AM
to rabbitm...@googlegroups.com
Have you configured the management plugin to authenticate through UAA?
This is disabled by default, so the management plugin should not try
to access the UAA server. If you configured anything OAuth-related in
the management plugin, please provide your full configuration file.

bunnymind

Nov 13, 2019, 9:29:05 PM
to rabbitmq-users
Yes, I have tried using AMQP too, but still can't connect.

Attached:
1. config file
2. AMQP client code (I am using the Python client; in the terminal it showed 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.')
3. log for the AMQP connection failure

Attachments: rabbitmq.config, rabbitmq.log, send.py

Arnaud Cogoluègnes

Nov 14, 2019, 7:53:01 AM
to rabbitm...@googlegroups.com
I decoded the token [1] used in the Python script and its scopes do
not grant access to the "/" virtual host:

"scope": [
"rabbitmq.read:uaa_vhost/some*",
"rabbitmq.write:uaa_vhost/*"
],

You can read more about scopes and permissions at [2].

I suggest you create a uaa_vhost virtual host to experiment, or simply
use the rabbit_super user from the sample, which has access to "/".

[1] https://jwt.io/
[2] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2#scope-to-permission-translation

bunnymind

Nov 14, 2019, 8:58:43 PM
to rabbitmq-users
Oops, I just sent you the code from when I tried rabbit_nosuper.
When I used rabbit_super, I still could not connect.
This is the JWT:
eyJhbGciOiJIUzI1NiIsImprdSI6Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvdWFhL3Rva2VuX2tleXMiLCJraWQiOiJsZWdhY3ktdG9rZW4ta2V5IiwidHlwIjoiSldUIn0.<payload elided>.5jhJj9UhZt3sZbbLuauiTC-_KYmA43Gezd7nOYmbCFo
What's wrong with my config?

What should I put in uaa_client in rabbitmq.config under rabbitmq_management, "rabbit_client" or "rabbit_user_client"? I tried both with the same result. In fact, I used the symmetric_keys config and ran demo/setup.sh, so the configuration should be the same as yours.

If we run with this plugin, can we access port 15672? I can't access mine. It redirects to the UAA interface and says "A redirect_uri can only be used by implicit or authorization_code grant types." (when I used rabbit_client under rabbitmq_management)

Arnaud Cogoluègnes

Nov 15, 2019, 4:41:28 AM
to rabbitm...@googlegroups.com
OK, let's try to fix the AMQP connection first, before moving on the
management plugin.

I followed the steps from the plugin readme [1] and it worked on my
laptop. Let's recap.

UAA (make sure you have Java 11):
git clone g...@github.com:cloudfoundry/uaa.git
cd uaa
CLOUDFOUNDRY_CONFIG_PATH=<path_to_oauth2_plugin>/demo/symmetric_keys ./gradlew run

RabbitMQ:
./rabbitmq-plugins enable rabbitmq_auth_backend_oauth2
export RABBITMQ_CONFIG_FILE=<path_to_oauth2_plugin>/demo/symmetric_keys/rabbitmq.config
./rabbitmq-server -detached

Note I removed the management plugin part in the configuration file:
[
  %% Enable rabbit_auth_backend_oauth2
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2,
                     rabbit_auth_backend_internal]}
  ]},

  %% Set a resource server ID. Will require all scopes to be
  %% prefixed with `rabbitmq.`
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    %% Set up a legacy signing key
    {key_config, [
      {default_key, <<"legacy-token-key">>},
      {signing_keys, #{
        <<"legacy-token-key">> =>
          {map, #{
            <<"alg">>   => <<"HS256">>,
            <<"value">> => <<"rabbit_signing_key">>,
            <<"kty">>   => <<"MAC">>,
            <<"use">>   => <<"sig">>}
          }
        }
      } %% signing keys
    ]} % key_config
  ]} % rabbitmq_auth_backend_oauth2
].

UAA and RabbitMQ configuration (from the OAuth 2 plugin directory,
make sure the cf-uaac and bunny gems are installed as explained in the
readme):
RABBITMQCTL=<path_to_rabbitmq_sbin>/rabbitmqctl demo/setup.sh

Copy the access token from the rabbit_super user.

AMQP connection:
Paste the token in the Python script.
python send.py
[x] Message sent to consumer

I used RabbitMQ 3.8.1 and Erlang 22.1.3.

Please make sure to follow this procedure before we move on to
diagnose the issue with the management plugin.

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2#examples

bunnymind

Nov 18, 2019, 1:30:15 AM
to rabbitmq-users
Hi!

I just reinstalled UAA and RabbitMQ on my server, and now it works like a charm, accessing through either AMQP or Web STOMP. Maybe I skipped a few configuration steps or the installation settings were not correct.
Thanks a lot for your help!

Arnaud Cogoluègnes

Nov 19, 2019, 5:38:03 AM
to rabbitm...@googlegroups.com
STOMP (Web STOMP) requires topic authorization (read [1] for
background) to be declared here. This is documented in the OAuth 2
plugin readme [2].

For the sample to work, you can make the following changes:
"rabbitmq.read:*/*" => "rabbitmq.read:*/*/*"
"rabbitmq.write:*/*" => "rabbitmq.write:*/*/*"

Note these are "allow everything" settings, OK for testing, change
them accordingly for a real system.

Note the server logs are quite meaningful in this case and could have
helped diagnose the problem in the first place:

2019-11-19 11:23:59.747 [error] <0.12833.0> STOMP error frame sent:
Message: access_refused
Detail: "access to topic 'test' in exchange 'amq.topic' in vhost '/'
refused for user 'rabbit_client'\n"
Server private detail: none

[1] https://www.rabbitmq.com/access-control.html#topic-authorisation
[2] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2#scope-to-permission-translation

On Mon, Nov 18, 2019 at 5:50 AM bunnymind <easyma...@gmail.com> wrote:
>
> Hi !
>
> I just reinstalled UAA and RabbitMQ on my server, and now it works like a charm, accessing through either AMQP or Web STOMP. Maybe I skipped a few configuration steps or the installation settings were not correct.
> But now I have an issue with accessing through Web STOMP. Why does it always disconnect immediately after connecting? It worked when I used AMQP as the protocol, but not Web STOMP.
>
> I used web-stomp-examples and edited it.
> Attached my edited code and the error.
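Worked example, added here by the editor; it is not code from this thread, from UAA or from the plugin. It is a small Python model of the plugin's scope-to-permission translation, applied to the two kinds of token discussed in the thread: it mints and verifies HS256 tokens with the `rabbit_signing_key` / `legacy-token-key` values from the symmetric_keys config quoted above, then runs the three decisions the broker makes (vhost access at login, resource access, and topic access for STOMP destinations). The function names (`mint_hs256_token`, `verify_hs256_token`, `parse_scopes`, the `check_*` functions, `evaluate`) and the claim sets are constructed for illustration: `NOSUPER` mirrors the scopes decoded from the rabbit_nosuper token, `SUPER_2` and `SUPER_3` mirror rabbit_super before and after the `*/*` to `*/*/*` change (the `configure` scope in them is an assumption). Expiry, audience and the URL-encoded `%2F` / `%2A` handling in names, which the real plugin also deals with, are left out.

```python
import base64
import hashlib
import hmac
import json
import re

# Test-only values mirroring the demo/symmetric_keys rabbitmq.config quoted in
# this thread. A real deployment needs a strong secret (or RSA signing keys).
SIGNING_KEY = b"rabbit_signing_key"
KEY_ID = "legacy-token-key"
RESOURCE_SERVER_ID = "rabbitmq"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_hs256_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint an HS256 JWT as the demo UAA would (test helper; UAA does this for real)."""
    header = {"alg": "HS256", "kid": KEY_ID, "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256_token(token: str, key: bytes = SIGNING_KEY) -> dict:
    """Check the signature and return the claims. alg and kid are pinned to the
    configured key instead of trusted from the token, so a token cannot downgrade
    the check (alg=none, or HMAC with a published RSA public key)."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("kid") != KEY_ID:
        raise ValueError("unexpected alg or kid")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def parse_scopes(claims: dict, resource_server_id: str = RESOURCE_SERVER_ID) -> list:
    """'<rsid>.<perm>:<vhost>/<name>[/<routing_key>]' -> (perm, vhost, name, rk | None).
    Scopes for other resource servers, tag scopes and malformed scopes grant nothing."""
    scopes = claims.get("scope", [])
    if isinstance(scopes, str):  # some IdPs emit a space-separated string instead of a list
        scopes = scopes.split()
    prefix = resource_server_id + "."
    grants = []
    for scope in scopes:
        if not scope.startswith(prefix):
            continue
        perm, _, rest = scope[len(prefix):].partition(":")
        parts = rest.split("/")
        if perm not in ("configure", "read", "write") or len(parts) not in (2, 3):
            continue
        grants.append((perm, parts[0], parts[1], parts[2] if len(parts) == 3 else None))
    return grants


def _matches(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else in the pattern is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def check_vhost_access(claims: dict, vhost: str) -> bool:
    """Login to a vhost needs at least one scope whose vhost pattern matches it."""
    return any(_matches(v, vhost) for _, v, _, _ in parse_scopes(claims))


def check_resource_access(claims: dict, vhost: str, name: str, permission: str) -> bool:
    return any(p == permission and _matches(v, vhost) and _matches(n, name)
               for p, v, n, _ in parse_scopes(claims))


def check_topic_access(claims: dict, vhost: str, exchange: str, permission: str, routing_key: str) -> bool:
    """Topic authorisation: a STOMP /topic/test destination goes through amq.topic with
    routing key 'test'. Only scopes carrying the third (routing key) component grant it."""
    return any(p == permission and rk is not None and _matches(v, vhost)
               and _matches(n, exchange) and _matches(rk, routing_key)
               for p, v, n, rk in parse_scopes(claims))


# Constructed claim sets (not real UAA output). NOSUPER mirrors the scopes decoded from the
# rabbit_nosuper token; SUPER_2 / SUPER_3 mirror rabbit_super before and after the
# '*/*' -> '*/*/*' change. The configure scope is an assumption.
NOSUPER = {"scope": ["rabbitmq.read:uaa_vhost/some*", "rabbitmq.write:uaa_vhost/*"]}
SUPER_2 = {"scope": ["rabbitmq.configure:*/*", "rabbitmq.read:*/*", "rabbitmq.write:*/*"]}
SUPER_3 = {"scope": ["rabbitmq.configure:*/*", "rabbitmq.read:*/*/*", "rabbitmq.write:*/*/*"]}


def evaluate(token: str) -> dict:
    """The decisions the broker would take for the connections attempted in the thread."""
    claims = verify_hs256_token(token)
    return {
        "login_vhost_/": check_vhost_access(claims, "/"),
        "login_vhost_uaa_vhost": check_vhost_access(claims, "uaa_vhost"),
        "read_some-queue_in_uaa_vhost": check_resource_access(claims, "uaa_vhost", "some-queue", "read"),
        "stomp_topic_test_in_/": check_topic_access(claims, "/", "amq.topic", "read", "test"),
    }


if __name__ == "__main__":
    for label, c in (("rabbit_nosuper", NOSUPER), ("rabbit_super */*", SUPER_2), ("rabbit_super */*/*", SUPER_3)):
        print(label, evaluate(mint_hs256_token(c)))
```

Run it and the three tokens reproduce the thread: the rabbit_nosuper scopes are refused for "/" (the ACCESS_REFUSED seen on AMQP) but accepted for uaa_vhost; the two-part rabbit_super scopes pass AMQP login yet fail the topic check behind the STOMP access_refused on amq.topic; only the three-part scopes pass everything. The verifier pins the algorithm and key id to what is configured. That matters for the earlier `{pem, ...}` RSA setup too: a JWT verifier that honours `alg` from the token header can be talked into HMAC-verifying with the public key, so always tie the expected algorithm to the configured key type.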