User Not In Group But Still Can Access To Resource
54 views
Skip to first unread message
Sefa Teber
Feb 8, 2022, 8:57:33 AM2/8/22
to rabbitmq-users
In my test case i have:
cn=server,o=test,c=tr -> groupOfNames
cn=ts,ou=participants,o=test,c=tr -> user memberOf server group
cn=ts,ou=participants,o=test,c=tr -> user memberOf server group
cn=test_user,ou=group_1,ou=participants,o=test,c=tr -> user not memberOf server group
in my LDAP server.
In advanced.config file, i have following query:
{resource_access_query,
{for, [{permission, configure, {in_group, "cn=server,o=test,c=tr"}},
{permission, write,
{for, [{resource, queue, {in_group, "cn=server,o=test,c=tr"}},
{resource, exchange, {constant, true}}]}},
{permission, read,
{for, [{resource, exchange, {constant, true}},
{resource, queue, {equals, "${name}", "${username}"}}]}}
]
}}
{for, [{permission, configure, {in_group, "cn=server,o=test,c=tr"}},
{permission, write,
{for, [{resource, queue, {in_group, "cn=server,o=test,c=tr"}},
{resource, exchange, {constant, true}}]}},
{permission, read,
{for, [{resource, exchange, {constant, true}},
{resource, queue, {equals, "${name}", "${username}"}}]}}
]
}}
query so i want that only members of server group can configure and write resources, and only user which has same name with queue can read from queue.
Second part works fine but test_user which is not memberOf server group still can configure and write to resources. I tried to write so not existing group instead of "cn=server,o=test,c=tr", then none user can write or configure resources.
Also tried for vhost access but test_user also can access to vhosts.
{vhost_access_query, {in_group, "cn=server,o=test,c=tr"}}
What can be the problem with my approach? Do i understand something wrong about documentation below:
Luke Bakken
Feb 8, 2022, 6:57:07 PM2/8/22
to rabbitmq-users
Please execute this LDAP query and provide the results.
(&(objectClass=user)(cn=test_user,ou=group_1,ou=participants,o=test,c=tr)(memberOf=cn=server,o=test,c=tr))
Provide the full results like I did here -
Thanks,
Luke
On Tuesday, February 8, 2022 at 5:57:33 AM UTC-8 sefa...@gmail.com wrote:
In my test case i have:cn=server,o=test,c=tr -> groupOfNames
cn=ts,ou=participants,o=test,c=tr -> user memberOf server groupcn=test_user,ou=group_1,ou=participants,o=test,c=tr -> user not memberOf server group
Luke Bakken
Feb 9, 2022, 8:29:59 AM2/9/22
to rabbitmq-users
Sefa Teber
Feb 9, 2022, 8:46:08 AM2/9/22
to rabbitmq-users
Hi Luke,
I found the problem by using the logs of LDAP server, "rabbit_auth_backend_ldap.erl" file from rabbitmq and queries like you send.
Problem:
I use SASL External while connecting to RabbitMQ. In my rabbitmq.conf file, i had "ssl_cert_login_from = common_name" line. Because of that, RabbitMQ sends "member=test_user" filter instead of "member=cn=test_user,ou=group_1,ou=participants,o=test,c=tr". Then my LDAP server says "attribute-value pair is wrong" for "member=test_user" and ignores the filter and returns all the groupOfNames objects. So, Rabbit finds "cn=server,o=test,c=tr" entry and gives access permission to test_user.
Thanks for your help.
9 Şubat 2022 Çarşamba tarihinde saat 16:29:59 UTC+3 itibarıyla Luke Bakken şunları yazdı:
Reply all
Reply to author
Forward
0 new messages