Issue using rabbitmq-auth-backend-http to authenticate MQTT and AMQP requests


Sabeur Lafi

May 7, 2020, 1:27:38 PM
to rabbitmq-users

I set up a RabbitMQ node (RabbitMQ 3.6.10, Erlang 20.2.2) to enable connections using both AMQP and MQTT protocols. I also planned to use the rabbitmq-auth-backend-http plugin in order to authenticate / authorize all requests.

This is my RabbitMQ node configuration (/etc/rabbitmq/rabbitmq.conf):

loopback_users.guest = false
listeners.tcp.default = 5672
management.tcp.port = 15672
log.console.level = debug
mqtt.allow_anonymous = false
auth_backends.1 = http
auth_http.http_method   = post
auth_http.user_path     = http://localhost/authenticator/api/v1/user
auth_http.vhost_path    = http://localhost/authenticator/api/v1/vhost
auth_http.resource_path = http://localhost/authenticator/api/v1/resource
auth_http.topic_path    = http://localhost/authenticator/api/v1/topic

A REST API runs on the localhost and provides four endpoints for authentication / authorization. For instance, this is an example of usage:

The plugins enabled on the RabbitMQ node are the following:

[E*] rabbitmq_amqp1_0           3.6.10
[E*] rabbitmq_auth_backend_http 20171215-3.6.x
[E*] rabbitmq_management        3.6.10
[E*] rabbitmq_mqtt              3.6.10

When attempting to connect with an MQTT client using the same credentials as above (username=device_1, password=helloWorld), the client prints CONNACK received with code 4. The RabbitMQ node log shows the following:

=INFO REPORT==== 7-May-2020::03:50:09 ===
MQTT vhost picked using plugin configuration or default

=ERROR REPORT==== 7-May-2020::03:50:09 ===
MQTT login failed for "device_1" auth_failure: Refused

When trying to connect using an AMQP client with the same credentials, it throws an exception ConnectionClosedByBroker: (403) 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.'.

The RabbitMQ logs show the following:

accepting AMQP connection <0.1878.0> (127.0.0.1:57994 -> 127.0.0.1:5672)

=ERROR REPORT==== 7-May-2020::03:53:14 ===
Error on AMQP connection <0.1878.0> (127.0.0.1:57994 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'device_1' - invalid credentials

=INFO REPORT==== 7-May-2020::03:53:14 ===
closing AMQP connection <0.1878.0> (127.0.0.1:57994 -> 127.0.0.1:5672)

In both cases, the REST API log does not show any connection attempt coming from the RabbitMQ node to authenticate both requests.

It's been a few days that I've been reading the RabbitMQ documentation and trying different parameters. However, I could not get it right yet.

What am I missing here?

PS: The same issues occur with RabbitMQ 3.7.25 and 3.8


Luke Bakken

May 7, 2020, 6:30:16 PM
to rabbitmq-users
Hello,

I confirmed that the HTTP backend works as expected using RabbitMQ 3.8.3 and this HTTP auth application - https://github.com/rabbitmq/rabbitmq-auth-backend-http/tree/master/examples/rabbitmq_auth_backend_django

I have attached my configuration file. Note that the django example expects GET requests.

I have also attached a transcript of how I set up my environment to run the Django app.

Thanks,
Luke
rabbitmq.conf
transcript.txt

Luke Bakken

May 7, 2020, 6:31:31 PM
to rabbitmq-users
Also,

Please note that RabbitMQ version 3.6.X does NOT work with rabbitmq.conf-style configuration files, only "config" (erlang term based) configuration.

Please use RabbitMQ 3.8.3 in your environment to test.

Sabeur Lafi

May 9, 2020, 11:49:39 AM
to rabbitmq-users
Hello Luke,

Thank you very much for these insights. Your files and comments make it possible for me to operate RabbitMQ with the rabbitmq_auth_backend_http.

However, this worked for a brief time before it started crashing. Both MQTT and AMQP connections hang after the authentication occurs normally. RMQ (3.8.3 and 3.7.25) is crashing constantly with the following message:


2020-05-09 15:38:23.527 [error] <0.757.0> ** Generic server <0.757.0> terminating 
** Last message in was {'EXIT',<0.754.0>,{noproc,{gen_server,call,[<0.769.0>,{close,200,<<"Goodbye">>},60000]}}}
** When Server state == {state,amqp_direct_connection,{state,rabbit@cd29baf0001b,{user,<<"device_1">>,[],[{rabbit_auth_backend_http,none}]},<<"/">>,{amqp_params_direct,<<"device_1">>,<<"3HJ5l3M2weGz4th3cXjKi851eT1J8clepQkwIq38iaaVKfBzh3I6GMDBzNQ8k7cC">>,<<"/">>,rabbit@cd29baf0001b,{amqp_adapter_info,{0,0,0,0,0,65535,44050,2},1883,{0,0,0,0,0,65535,44050,1},33292,<<"172.18.0.1:33292 -> 172.18.0.2:1883">>,{'MQTT',"3.1.1"},[{variable_map,#{<<"client_id">> => <<"nnrgVQ1I8eAEAYaw25AwTA">>}},{channels,1},{channel_max,1},{frame_max,0},{client_properties,[{<<"product">>,longstr,<<"MQTT client">>},{client_id,longstr,<<"nnrgVQ1I8eAEAYaw25AwTA">>}]},{ssl,false}]},[]},{amqp_adapter_info,{0,0,0,0,0,65535,44050,2},1883,{0,0,0,0,0,65535,44050,1},33292,<<"172.18.0.1:33292 -> 172.18.0.2:1883">>,{'MQTT',"3.1.1"},[{variable_map,#{<<"client_id">> => <<"nnrgVQ1I8eAEAYaw25AwTA">>}},{channels,1},{channel_max,1},{frame_max,0},{client_properties,[{<<"product">>,longstr,<<"MQTT client">>},{client_id,longstr,<<"nnrgVQ1I8eAEAYaw25AwTA">>}]},{ssl,false}]},<0.760.0>,undefined,1589038703499},<0.759.0>,{amqp_params_direct,<<"device_1">>,<<"3HJ5l3M2weGz4th3cXjKi851eT1J8clepQkwIq38iaaVKfBzh3I6GMDBzNQ8k7cC">>,<<"/">>,rabbit@cd29baf0001b,{amqp_adapter_info,{0,0,0,0,0,65535,44050,2},1883,{0,0,0,0,0,65535,44050,1},33292,<<"172.18.0.1:33292 -> 172.18.0.2:1883">>,{'MQTT',"3.1.1"},[{variable_map,#{<<"client_id">> => <<"nnrgVQ1I8eAEAYaw25AwTA">>}},{channels,1},{channel_max,1},{frame_max,0},{client_properties,[{<<"product">>,longstr,<<"MQTT client">>},{client_id,longstr,<<"nnrgVQ1I8eAEAYaw25AwTA">>}]},{ssl,false}]},[]},0,[{<<"capabilities">>,table,[{<<"publisher_confirms">>,bool,true},{<<"exchange_exchange_bindings">>,bool,true},{<<"basic.nack">>,bool,true},{<<"consumer_cancel_notify">>,bool,true},{<<"connection.blocked">>,bool,true},{<<"consumer_priorities">>,bool,true},{<<"authentication_failure_close">>,bool,true},...]},...],...}
** Reason for termination ==
** "stopping because dependent process <0.754.0> died: {noproc,\n                                                    {gen_server,call,\n                                                     [<0.769.0>,\n                                                      {close,200,\n                                                       <<\"Goodbye\">>},\n                                                      60000]}}"
2020-05-09 15:38:23.527 [error] <0.757.0> CRASH REPORT Process <0.757.0> with 0 neighbours exited with reason: "stopping because dependent process <0.754.0> died: {noproc,\n                                                    {gen_server,call,\n                                                     [<0.769.0>,\n                                                      {close,200,\n                                                       <<\"Goodbye\">>},\n                                                      60000]}}" in gen_server:handle_common_reply/8 line 751

Please, find attached the full docker container log file.

Thank you.
error_log.txt

Luke Bakken

May 10, 2020, 11:01:19 AM
to rabbitmq-users
Hello,

Thanks for providing debug log files.

Your HTTP auth service has an error and returns a 404 to the following GET request:


Here are the relevant lines from your log file:

2020-05-09 15:37:51.488 [debug] <0.747.0> auth_backend_http: response code is 404, body: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>\n"
2020-05-09 15:37:51.489 [error] <0.747.0> access to queue 'mqtt-subscription-g5js9n2B0OBv5bBnqVRq8Aqos1' in vhost '/' refused for user 'device_1', backend rabbit_auth_backend_http returned an error: {404,"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>\n"}
2020-05-09 15:37:51.489 [error] <0.747.0> Channel error on connection <0.730.0> (172.18.0.1:33280 -> 172.18.0.2:1883, vhost: '/', user: 'device_1'), channel 2:
operation queue.delete caused a channel exception access_refused: access to queue 'mqtt-subscription-g5js9n2B0OBv5bBnqVRq8Aqos1' in vhost '/' refused for user 'device_1', backend rabbit_auth_backend_http returned an error: {404,
                                                                                                                                                              "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\n<title>404 Not Found</title>\n<h1>Not Found</h1>\n<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>\n"}
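Added example, not part of the thread and not the plugin's or either poster's code: a minimal auth service that answers all four checks (user, vhost, resource, topic) for both GET and POST, always with HTTP 200 and a body of allow or deny, so that no check falls through to a 404 as in the log above. The path prefix comes from the rabbitmq.conf in the first post; the USERS table, the vhost policy and port 8000 are assumptions made for illustration.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

PREFIX = "/authenticator/api/v1"    # path prefix from the rabbitmq.conf in the first post
USERS = {"device_1": "helloWorld"}  # constructed sample data (credentials quoted in the thread)


def decide(path, params):
    """Map one backend request to the body RabbitMQ expects: 'allow' or 'deny'."""
    check = path[len(PREFIX):].strip("/") if path.startswith(PREFIX) else ""
    user = params.get("username", "")
    if check == "user":
        supplied = params.get("password", "").encode()
        # Constant-time comparison; unknown users are denied outright.
        ok = user in USERS and hmac.compare_digest(USERS[user].encode(), supplied)
        return "allow" if ok else "deny"
    if check in ("vhost", "resource", "topic"):
        # Hypothetical policy: a known user may use anything in vhost "/".
        return "allow" if user in USERS and params.get("vhost") == "/" else "deny"
    return "deny"  # unrouted path: refuse, but as a normal answer


class AuthHandler(BaseHTTPRequestHandler):
    def _reply(self, query):
        # The backend sends its parameters URL-encoded (query string or form body).
        params = {k: v[0] for k, v in parse_qs(query).items()}
        body = decide(urlsplit(self.path).path, params).encode()
        self.send_response(200)  # always 200; the decision is carried in the body
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):   # auth_http.http_method = get
        self._reply(urlsplit(self.path).query)

    def do_POST(self):  # auth_http.http_method = post
        length = int(self.headers.get("Content-Length", 0))
        self._reply(self.rfile.read(length).decode())


if __name__ == "__main__":
    # Port 8000 is an assumption; point the auth_http.*_path settings at it.
    HTTPServer(("127.0.0.1", 8000), AuthHandler).serve_forever()
```

Because the handler serves GET and POST through the same decision function, a mismatch between auth_http.http_method and the service shows up as a deny or allow in the broker log rather than as an HTTP error.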