how do I give a new user access to the vhost?


Caleb Cushing

Sep 16, 2019, 6:09:20 AM
to rabbitmq-users
I'm guessing based on these logs that I need to change the configuration (using new style) to allow the user to have access to this vhost, how can I do this?

2019-09-16 09:36:46.584 [info] <0.655.0> Creating user '382b72dc-713b-4ae9-b33b-64f9c324cd43'
2019-09-16 09:36:46.589 [info] <0.655.0> Setting user tags for user '382b72dc-713b-4ae9-b33b-64f9c324cd43' to []
2019-09-16 09:36:47.756 [info] <0.661.0> MQTT vhost picked using plugin configuration or default
2019-09-16 09:36:47.757 [warning] <0.661.0> MQTT login failed for "382b72dc-713b-4ae9-b33b-64f9c324cd43" access_refused (vhost access not allowed)
2019-09-16 09:36:47.768 [info] <0.667.0> MQTT vhost picked using plugin configuration or default
2019-09-16 09:36:47.769 [warning] <0.667.0> MQTT login failed for "382b72dc-713b-4ae9-b33b-64f9c324cd43" access_refused (vhost access not allowed)

Wesley Peng

Sep 16, 2019, 6:39:30 AM
to rabbitm...@googlegroups.com
Hi

on 2019/9/16 18:09, Caleb Cushing wrote:
> I'm guessing based on these logs that I need to change the configuration
> (using new style) to allow the user to have access to this vhost, how
> can I do this?
>

May you check the help documentation:
https://www.rabbitmq.com/access-control.html

for example, rabbitmqctl can help with doing it.

regards.

Caleb Cushing

Sep 16, 2019, 11:59:45 AM
to rabbitm...@googlegroups.com
I've got to be honest, having read through the access control documentation, I'm still not sure how to achieve this. I need to do it through the api. 

currently I'm getting bad username or password from mqtt, which doesn't make much sense to me

internal class PairingApplicationServiceTest @Autowired constructor(
    private val pas: PairingApplicationService,
    private val mpas: MonitorPowerUpApplicationService
) {
    private lateinit var client: IMqttClient

    @BeforeEach
    fun setup() {
        client = MqttClient("tcp://localhost:1883", MqttClient.generateClientId(), MemoryPersistence())
    }

    @Test
    fun activate() {
        val sn = UUID.randomUUID().toString()
        val pass = "pass"
        val conOpt = MqttConnectOptions()
        conOpt.userName = sn
        conOpt.password = pass.toCharArray()
        // Before registration the broker must reject the connection.
        assertThrows<MqttSecurityException> {
            client.connect(conOpt)
        }
        val registration = MonitorPowerUpApplicationService.Registration(sn, "2", pass)
        mpas.register(registration)
        pas.activate(sn)

        // After registration and activation the same credentials should work.
        client.connect(conOpt)
    }
}
this is the relevant http details, not trying to authorize / for the new user.

http-outgoing-0 >> "PUT /api/users/7e9ccdcc-9dc6-4621-a45d-76e542aa43df HTTP/1.1[\r][\n]"
http-outgoing-0 >> "Content-Length: 77[\r][\n]"
http-outgoing-0 >> "Content-Type: application/json; charset=UTF-8[\r][\n]"
http-outgoing-0 >> "Host: localhost:15672[\r][\n]"
http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.9 (Java/1.8.0_171)[\r][\n]"
http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-outgoing-0 >> "[\r][\n]"
http-outgoing-0 >> "{"passwordHash":"UgVfHGZx2Q9AU5J+B//No1lkhUMdVvoJVIBDSWQMRtT/xUK5","tags":""}"
http-outgoing-0 << "HTTP/1.1 401 Unauthorized[\r][\n]"
http-outgoing-0 << "content-length: 0[\r][\n]"
http-outgoing-0 << "content-security-policy: default-src 'self'[\r][\n]"
http-outgoing-0 << "date: Mon, 16 Sep 2019 15:48:55 GMT[\r][\n]"
http-outgoing-0 << "server: Cowboy[\r][\n]"
http-outgoing-0 << "vary: origin[\r][\n]"
http-outgoing-0 << "www-authenticate: Basic realm="RabbitMQ Management"[\r][\n]"
http-outgoing-0 << "[\r][\n]"
http-outgoing-0 >> "PUT /api/users/7e9ccdcc-9dc6-4621-a45d-76e542aa43df HTTP/1.1[\r][\n]"
http-outgoing-0 >> "Content-Length: 77[\r][\n]"
http-outgoing-0 >> "Content-Type: application/json; charset=UTF-8[\r][\n]"
http-outgoing-0 >> "Host: localhost:15672[\r][\n]"
http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.9 (Java/1.8.0_171)[\r][\n]"
http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-outgoing-0 >> "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=[\r][\n]"
http-outgoing-0 >> "[\r][\n]"
http-outgoing-0 >> "{"passwordHash":"UgVfHGZx2Q9AU5J+B//No1lkhUMdVvoJVIBDSWQMRtT/xUK5","tags":""}"
http-outgoing-0 << "HTTP/1.1 201 Created[\r][\n]"
http-outgoing-0 << "content-length: 0[\r][\n]"
http-outgoing-0 << "content-security-policy: default-src 'self'[\r][\n]"
http-outgoing-0 << "date: Mon, 16 Sep 2019 15:48:56 GMT[\r][\n]"
http-outgoing-0 << "server: Cowboy[\r][\n]"
http-outgoing-0 << "vary: accept, accept-encoding, origin[\r][\n]"
http-outgoing-0 << "[\r][\n]"
http-outgoing-0 >> "PUT /api/permissions/%2F/7e9ccdcc-9dc6-4621-a45d-76e542aa43df HTTP/1.1[\r][\n]"
http-outgoing-0 >> "Content-Length: 41[\r][\n]"
http-outgoing-0 >> "Content-Type: application/json; charset=UTF-8[\r][\n]"
http-outgoing-0 >> "Host: localhost:15672[\r][\n]"
http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]"
http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.9 (Java/1.8.0_171)[\r][\n]"
http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]"
http-outgoing-0 >> "Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=[\r][\n]"
http-outgoing-0 >> "[\r][\n]"
http-outgoing-0 >> "{"configure":"","read":".*","write":".*"}"
http-outgoing-0 << "HTTP/1.1 201 Created[\r][\n]"
http-outgoing-0 << "content-length: 0[\r][\n]"
http-outgoing-0 << "content-security-policy: default-src 'self'[\r][\n]"
http-outgoing-0 << "date: Mon, 16 Sep 2019 15:48:56 GMT[\r][\n]"
http-outgoing-0 << "server: Cowboy[\r][\n]"
http-outgoing-0 << "vary: accept, accept-encoding, origin[\r][\n]"
http-outgoing-0 << "[\r][\n]"


--
You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/GtnQR0BSn88/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/20558206-5f4f-f784-1cc0-a315db619965%40thepeng.eu.

Luke Bakken

Sep 16, 2019, 12:24:55 PM
to rabbitmq-users
Hi Caleb,

You should use the rabbitmqctl authenticate_user command to confirm that the hashed password you're sending is being used correctly.

Thanks,
Luke

Caleb Cushing

Sep 16, 2019, 12:36:35 PM
to rabbitm...@googlegroups.com
yes I was just trying that, and it also fails with invalid credentials, which is making little sense to me. Only thing I can think of is something is wrong with my password encoder implementation. If that is true, then why was it failing with an authorization failure earlier, or can that fail prior to authentication in rabbitmq?

import org.springframework.security.crypto.codec.Utf8
import org.springframework.security.crypto.keygen.KeyGenerators
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.crypto.util.EncodingUtils.concatenate
import java.security.MessageDigest
import java.util.Base64

class RabbitMqPasswordEncoder(
    algorithm: String = "SHA-256"
) : PasswordEncoder {
    private val digester = MessageDigest.getInstance(algorithm)
    private val saltGenerator = KeyGenerators.secureRandom(4)

    override fun encode(rawPassword: CharSequence): String {
        return encode(rawPassword, saltGenerator.generateKey())
    }

    override fun matches(rawPassword: CharSequence, encodedPassword: String): Boolean {
        throw UnsupportedOperationException("don't use this class for authentication")
    }

    fun encode(rawPassword: CharSequence, salt: ByteArray): String {
        val digest = digest(rawPassword, salt)
        return Base64.getEncoder().encodeToString(digest)
    }

    private fun digest(rawPassword: CharSequence, salt: ByteArray): ByteArray {
        val digest = digester.digest(
            concatenate(
                salt,
                Utf8.encode(rawPassword)
            )
        )
        return concatenate(salt, digest)
    }
}

Luke Bakken

Sep 16, 2019, 12:39:00 PM
to rabbitmq-users
Hi Caleb,

If authenticate_user fails it probably means the hashing method you're using is incorrect. To verify this, use the HTTP API to create your user but send a plain text password instead of a hashed one.

I'm sure you've already read this but just in case you haven't ... https://www.rabbitmq.com/passwords.html#computing-password-hash

Thanks,
Luke

Caleb Cushing

Sep 16, 2019, 2:05:00 PM
to rabbitm...@googlegroups.com
yes, I've read that, I even implemented a test that ensures my implementation is correct... now I know why this isn't making sense.

in my log output above you can see that I transmitted `passwordHash` not `password_hash`, this seems to be a feature wanting... to throw a 400 on missing key, instead of it getting a 201 Created. Trying to figure out how this happened to begin with... something to do with jackson on my end, but not sure what.


Luke Bakken

Sep 16, 2019, 4:20:45 PM
to rabbitmq-users
Hi Caleb,

Well, considering you can create a password-less user, neither password nor password_hash are required. I'll bring up validation with the team.

Thanks for following up -
Luke

Caleb Cushing

Sep 16, 2019, 4:34:15 PM
to rabbitm...@googlegroups.com
that's not what the api documentation says

The tags key is mandatory. Either password or password_hash must be set. Setting password_hash to "" will ensure the user cannot use a password to log in. tags is a comma-separated list of tags for the user. Currently recognised tags are administrator, monitoring and management. password_hash must be generated using the algorithm described here. You may also specify the hash function being used by adding the hashing_algorithm key to the body. Currently recognised algorithms are rabbit_password_hashing_sha256, rabbit_password_hashing_sha512, and rabbit_password_hashing_md5.

Luke Bakken

Sep 16, 2019, 5:12:56 PM
to rabbitmq-users
Hi Caleb,

Thanks for pointing that out. Unfortunately the docs are not correct as you can see in the attached transcript. I'll make sure the HTTP API docs are updated.

If you're curious, this is the code that creates the password-less user: https://github.com/rabbitmq/rabbitmq-management/blob/master/src/rabbit_mgmt_wm_user.erl#L143-L147

At that point, PassedCredentialValidation is true.

Luke

rabbitmq-create-user-no-password.txt
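
Added example (not part of the original thread, and in Python rather than the poster's Kotlin): the salted SHA-256 scheme from the linked passwords guide, plus a client-side check of the PUT /api/users body, since the thread shows a body with a misspelled key still getting 201 Created. The function names are hypothetical; THREAD_BODY is the request body copied from the wire log above.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import quote

SALT_LEN = 4  # 32-bit salt, prepended to the digest
USER_KEYS = {"password", "password_hash", "hashing_algorithm", "tags"}

# Request body copied from the thread's wire log (note the camelCase key).
THREAD_BODY = b'{"passwordHash":"UgVfHGZx2Q9AU5J+B//No1lkhUMdVvoJVIBDSWQMRtT/xUK5","tags":""}'


def rabbit_password_hash(password, salt=None):
    """Return base64(salt + SHA-256(salt + UTF-8 password))."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 4 bytes")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_rabbit_hash(password, encoded):
    """Recompute the hash with the salt embedded in `encoded` and compare."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) != SALT_LEN + hashlib.sha256().digest_size:
        return False
    return hmac.compare_digest(rabbit_password_hash(password, raw[:SALT_LEN]), encoded)


def user_body_problems(raw_body):
    """Client-side check for PUT /api/users/<name>; an empty list means OK."""
    doc = json.loads(raw_body)
    problems = [f"unknown key {k!r}" for k in sorted(doc.keys() - USER_KEYS)]
    if "tags" not in doc:
        problems.append("missing 'tags'")
    if not {"password", "password_hash"} & doc.keys():
        problems.append("no 'password' or 'password_hash': user would have no password")
    return problems


def user_body(password, tags=""):
    """Serialize with explicit snake_case keys instead of relying on a mapper."""
    return json.dumps({"password_hash": rabbit_password_hash(password), "tags": tags}).encode()


def permissions_path(vhost, user):
    """The vhost is one path segment, so the default vhost '/' becomes %2F."""
    return f"/api/permissions/{quote(vhost, safe='')}/{quote(user, safe='')}"


if __name__ == "__main__":
    print(user_body_problems(THREAD_BODY))
    print(user_body_problems(user_body("pass")))
    print(permissions_path("/", "382b72dc-713b-4ae9-b33b-64f9c324cd43"))
```

Running the check before the PUT turns the silent password-less user into a local failure, and rabbitmqctl authenticate_user remains the server-side confirmation that the stored hash is usable.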