rabbitmq-auth-backend-ip-range authentication failed with error:undef:
397 views
Skip to first unread message
Egor Ignatov
Feb 11, 2022, 3:27:07 AM2/11/22
to rabbitmq-users
Hi,
I'm trying to setup rabbitmq-auth-backend-ip-range on my rabbitmq server:
RabbitMQ version: 3.9.13
Erlang configuration: Erlang/OTP 24 [erts-12.1.3] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [jit]
I configured rabbitmq as in rabbitmq-auth-backend-ip-range README
auth_backends.1.authn = intearnal
auth_backends.1.authz = rabbit_auth_backend_ip_range
auth_backends.2.authz = intearnal
and now I get the following error:
Supervisor {<0.3021.0>,rabbit_connection_sup}: child helper_sup started (<0.3022.0>): {rabbit_connection_helper_sup,start_link,[]}
Supervisor {<0.3021.0>,rabbit_connection_sup}: child reader started (<0.3023.0>): {rabbit_reader,start_link,[<0.3022.0>,{acceptor,{0,0,0,0,0,0,0,0},5672}]}
accepting AMQP connection <0.3023.0> (192.168.1.110:54690 -> 192.168.1.145:5672)
Raw client connection hostname during authN phase: {0,0,0,0,0,65535,2648,3402}
Resolved client hostname during authN phase: ::ffff:192.168.1.145
User 'admin' authentication failed with error:undef:
[{intearnal,user_login_authentication,
[<<"admin">>,[{password,<<"admin">>}]],
[]},
{rabbit_access_control,try_authenticate,3,
[{file,"rabbit_access_control.erl"},{line,92}]},
{rabbit_access_control,'-check_user_login/2-fun-0-',4,
[{file,"rabbit_access_control.erl"},{line,57}]},
{lists,foldl,3,[{file,"lists.erl"},{line,1267}]},
{rabbit_access_control,check_user_login,2,
[{file,"rabbit_access_control.erl"},{line,42}]},
{rabbit_reader,auth_phase,2,[{file,"rabbit_reader.erl"},{line,1423}]},
{rabbit_reader,handle_method0,3,[{file,"rabbit_reader.erl"},{line,1133}]},
{rabbit_reader,handle_input,3,[{file,"rabbit_reader.erl"},{line,1047}]}]
Error on AMQP connection <0.3023.0> (192.168.1.110:54690 -> 192.168.1.145:5672, state: starting):
PLAIN login refused: User 'admin' authentication failed with internal error. Enable debug logs to see the real error.
closing AMQP connection <0.3023.0> (192.168.1.110:54690 -> 192.168.1.145:5672)
Closing all channels from connection '192.168.1.110:54690 -> 192.168.1.145:5672' because it has been closed
Can someone help me figure out why this is happening?
I'm trying to setup rabbitmq-auth-backend-ip-range on my rabbitmq server:
RabbitMQ version: 3.9.13
Erlang configuration: Erlang/OTP 24 [erts-12.1.3] [source] [64-bit] [smp:4:4] [ds:4:4:10] [async-threads:1] [jit]
I configured rabbitmq as in rabbitmq-auth-backend-ip-range README
auth_backends.1.authn = intearnal
auth_backends.1.authz = rabbit_auth_backend_ip_range
auth_backends.2.authz = intearnal
and now I get the following error:
Supervisor {<0.3021.0>,rabbit_connection_sup}: child helper_sup started (<0.3022.0>): {rabbit_connection_helper_sup,start_link,[]}
Supervisor {<0.3021.0>,rabbit_connection_sup}: child reader started (<0.3023.0>): {rabbit_reader,start_link,[<0.3022.0>,{acceptor,{0,0,0,0,0,0,0,0},5672}]}
accepting AMQP connection <0.3023.0> (192.168.1.110:54690 -> 192.168.1.145:5672)
Raw client connection hostname during authN phase: {0,0,0,0,0,65535,2648,3402}
Resolved client hostname during authN phase: ::ffff:192.168.1.145
User 'admin' authentication failed with error:undef:
[{intearnal,user_login_authentication,
[<<"admin">>,[{password,<<"admin">>}]],
[]},
{rabbit_access_control,try_authenticate,3,
[{file,"rabbit_access_control.erl"},{line,92}]},
{rabbit_access_control,'-check_user_login/2-fun-0-',4,
[{file,"rabbit_access_control.erl"},{line,57}]},
{lists,foldl,3,[{file,"lists.erl"},{line,1267}]},
{rabbit_access_control,check_user_login,2,
[{file,"rabbit_access_control.erl"},{line,42}]},
{rabbit_reader,auth_phase,2,[{file,"rabbit_reader.erl"},{line,1423}]},
{rabbit_reader,handle_method0,3,[{file,"rabbit_reader.erl"},{line,1133}]},
{rabbit_reader,handle_input,3,[{file,"rabbit_reader.erl"},{line,1047}]}]
Error on AMQP connection <0.3023.0> (192.168.1.110:54690 -> 192.168.1.145:5672, state: starting):
PLAIN login refused: User 'admin' authentication failed with internal error. Enable debug logs to see the real error.
closing AMQP connection <0.3023.0> (192.168.1.110:54690 -> 192.168.1.145:5672)
Closing all channels from connection '192.168.1.110:54690 -> 192.168.1.145:5672' because it has been closed
Can someone help me figure out why this is happening?
Wes Peng
Feb 11, 2022, 3:55:44 AM2/11/22
to rabbitm...@googlegroups.com
It has told you that you can not use a plain auth:
PLAIN login refused: User 'admin' authentication failed with internal error. Enable debug logs to see the real error.
You would set up RMQ to use SSL connections.
Thanks.
--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/9fbd72d6-d29b-4b07-9bae-760c6eed1949n%40googlegroups.com.
Egor Ignatov
Feb 11, 2022, 4:39:08 AM2/11/22
to rabbitmq-users
Thank you for your reply!
Well I have the same error if I connect over ssl/tls with PLAIN mechanism.
Should I use EXTERNAL instead? I already tried it but got a different error about client's cert.
And since nothing is mentioned about auth mechanisms in rabbitmq-auth-backend-ip-range README I assumed that PLAIN is by default.
But again docs[https://www.rabbitmq.com/access-control.html#mechanisms] says that for ip-range authz I need EXTERNAL.
I'm kind of confused at this point :|
Well I have the same error if I connect over ssl/tls with PLAIN mechanism.
Should I use EXTERNAL instead? I already tried it but got a different error about client's cert.
And since nothing is mentioned about auth mechanisms in rabbitmq-auth-backend-ip-range README I assumed that PLAIN is by default.
But again docs[https://www.rabbitmq.com/access-control.html#mechanisms] says that for ip-range authz I need EXTERNAL.
I'm kind of confused at this point :|
Luke Bakken
Feb 11, 2022, 1:35:11 PM2/11/22
to rabbitmq-users
Hello -
auth_backends.2.authz = internal
I've responded in-line -
auth_backends.1.authn = intearnal
auth_backends.1.authz = rabbit_auth_backend_ip_range
auth_backends.2.authz = intearnal
"internal" is spelled incorrectly. Your configuration should look like this:
auth_backends.1.authn = internal
auth_backends.1.authz = rabbit_auth_backend_ip_rangeauth_backends.2.authz = internal
Could you please also provide the output of this command?
rabbitmq-plugins list
Thank you -
Luke
Egor Ignatov
Feb 13, 2022, 4:20:13 AM2/13/22
to rabbitmq-users
Hello -I've responded in-line -auth_backends.1.authn = intearnal
auth_backends.1.authz = rabbit_auth_backend_ip_range
auth_backends.2.authz = intearnal"internal" is spelled incorrectly. Your configuration should look like this:
My bad, fixing this helped but not much. Now I get a different error:
Supervisor {<0.771.0>,rabbit_connection_sup}: child helper_sup started (<0.772.0>): {rabbit_connection_helper_sup,start_link,[]}
Supervisor {<0.771.0>,rabbit_connection_sup}: child reader started (<0.773.0>): {rabbit_reader,start_link,[<0.772.0>,{acceptor,{0,0,0,0,0,0,0,0},5672}]}
accepting AMQP connection <0.773.0> (192.168.1.110:54710 -> 192.168.1.145:5672)
Supervisor {<0.771.0>,rabbit_connection_sup}: child reader started (<0.773.0>): {rabbit_reader,start_link,[<0.772.0>,{acceptor,{0,0,0,0,0,0,0,0},5672}]}
accepting AMQP connection <0.773.0> (192.168.1.110:54710 -> 192.168.1.145:5672)
Raw client connection hostname during authN phase: {0,0,0,0,0,65535,2648,3402}
Resolved client hostname during authN phase: ::ffff:192.168.1.145
User 'test' authenticated successfully by backend rabbit_auth_backend_internal
Supervisor {<0.772.0>,rabbit_connection_helper_sup}: child collector started (<0.774.0>): {rabbit_queue_collector,start_link,[<<"192.168.1.110:54710 -> 192.168.1.145:5672">>]}
closing AMQP connection <0.773.0> (192.168.1.110:54710 -> 192.168.1.145:5672):
{handshake_error,opening,0,
{error,undef,'connection.open',
[{lager_config,get,[{rabbit_log_lager_event,loglevel},{0,[]}],[]},
{rabbit_auth_backend_ip_range,check_masks,2,
[{file,"src/rabbit_auth_backend_ip_range.erl"},{line,69}]},
{rabbit_access_control,check_access,5,
[{file,"rabbit_access_control.erl"},{line,219}]},
Supervisor {<0.772.0>,rabbit_connection_helper_sup}: child collector started (<0.774.0>): {rabbit_queue_collector,start_link,[<<"192.168.1.110:54710 -> 192.168.1.145:5672">>]}
closing AMQP connection <0.773.0> (192.168.1.110:54710 -> 192.168.1.145:5672):
{handshake_error,opening,0,
{error,undef,'connection.open',
[{lager_config,get,[{rabbit_log_lager_event,loglevel},{0,[]}],[]},
{rabbit_auth_backend_ip_range,check_masks,2,
[{file,"src/rabbit_auth_backend_ip_range.erl"},{line,69}]},
{rabbit_access_control,check_access,5,
[{file,"rabbit_access_control.erl"},{line,219}]},
{lists,foldl,3,[{file,"lists.erl"},{line,1267}]},
{rabbit_reader,handle_method0,2,
[{file,"rabbit_reader.erl"},{line,1230}]},
[{file,"rabbit_reader.erl"},{line,1230}]},
{rabbit_reader,handle_method0,3,
[{file,"rabbit_reader.erl"},{line,1133}]},
{rabbit_reader,handle_input,3,p
[{file,"rabbit_reader.erl"},{line,1037}]},
{rabbit_reader,recvloop,4,[{file,"rabbit_reader.erl"},{line,477}]}]}}pp
Closing all channels from connection '192.168.1.110:54710 -> 192.168.1.145:5672' because it has been closed
[{file,"rabbit_reader.erl"},{line,1037}]},
{rabbit_reader,recvloop,4,[{file,"rabbit_reader.erl"},{line,477}]}]}}pp
Closing all channels from connection '192.168.1.110:54710 -> 192.168.1.145:5672' because it has been closed
Looking at the source code it looks like error occurs in 'rabbit_log:debug' (https://github.com/gotthardp/rabbitmq-auth-backend-ip-range/blob/b21b6fc9d0a347dd0ed7d55639bdf05989c2cac6/src/rabbit_auth_backend_ip_range.erl#L69) for matching address and in rabbit_log:warning for not matching (https://github.com/gotthardp/rabbitmq-auth-backend-ip-range/blob/b21b6fc9d0a347dd0ed7d55639bdf05989c2cac6/src/rabbit_auth_backend_ip_range.erl#L65)
auth_backends.1.authn = internalauth_backends.1.authz = rabbit_auth_backend_ip_range
auth_backends.2.authz = internalCould you please also provide the output of this command?rabbitmq-plugins list
Listing plugins with pattern ".*" ...
Configured: E = explicitly enabled; e = implicitly enabled
| Status: * = running on rabbit@rabbitmq-test
|/
[ ] rabbitmq_amqp1_0 3.9.13
[ ] rabbitmq_auth_backend_cache 3.9.13
[ ] rabbitmq_auth_backend_http 3.9.13
[E*] rabbitmq_auth_backend_ip_range 2.0.0
[ ] rabbitmq_auth_backend_ldap 3.9.13
[ ] rabbitmq_auth_backend_oauth2 3.9.13
[ ] rabbitmq_auth_mechanism_ssl 3.9.13
[ ] rabbitmq_consistent_hash_exchange 3.9.13
[ ] rabbitmq_event_exchange 3.9.13
[ ] rabbitmq_federation 3.9.13
[ ] rabbitmq_federation_management 3.9.13
[ ] rabbitmq_jms_topic_exchange 3.9.13
[E*] rabbitmq_management 3.9.13
[e*] rabbitmq_management_agent 3.9.13
[ ] rabbitmq_mqtt 3.9.13
[ ] rabbitmq_peer_discovery_aws 3.9.13
[ ] rabbitmq_peer_discovery_common 3.9.13
[ ] rabbitmq_peer_discovery_consul 3.9.13
[ ] rabbitmq_peer_discovery_etcd 3.9.13
[ ] rabbitmq_peer_discovery_k8s 3.9.13
[ ] rabbitmq_prometheus 3.9.13
[ ] rabbitmq_random_exchange 3.9.13
[ ] rabbitmq_recent_history_exchange 3.9.13
[ ] rabbitmq_sharding 3.9.13
[ ] rabbitmq_shovel 3.9.13
[ ] rabbitmq_shovel_management 3.9.13
[ ] rabbitmq_stomp 3.9.13
[ ] rabbitmq_stream 3.9.13
[ ] rabbitmq_stream_management 3.9.13
[ ] rabbitmq_top 3.9.13
[ ] rabbitmq_tracing 3.9.13
[ ] rabbitmq_trust_store 3.9.13
[e*] rabbitmq_web_dispatch 3.9.13
[ ] rabbitmq_web_mqtt 3.9.13
[ ] rabbitmq_web_mqtt_examples 3.9.13
[ ] rabbitmq_web_stomp 3.9.13
[ ] rabbitmq_web_stomp_examples 3.9.13
Configured: E = explicitly enabled; e = implicitly enabled
| Status: * = running on rabbit@rabbitmq-test
|/
[ ] rabbitmq_amqp1_0 3.9.13
[ ] rabbitmq_auth_backend_cache 3.9.13
[ ] rabbitmq_auth_backend_http 3.9.13
[E*] rabbitmq_auth_backend_ip_range 2.0.0
[ ] rabbitmq_auth_backend_ldap 3.9.13
[ ] rabbitmq_auth_backend_oauth2 3.9.13
[ ] rabbitmq_auth_mechanism_ssl 3.9.13
[ ] rabbitmq_consistent_hash_exchange 3.9.13
[ ] rabbitmq_event_exchange 3.9.13
[ ] rabbitmq_federation 3.9.13
[ ] rabbitmq_federation_management 3.9.13
[ ] rabbitmq_jms_topic_exchange 3.9.13
[E*] rabbitmq_management 3.9.13
[e*] rabbitmq_management_agent 3.9.13
[ ] rabbitmq_mqtt 3.9.13
[ ] rabbitmq_peer_discovery_aws 3.9.13
[ ] rabbitmq_peer_discovery_common 3.9.13
[ ] rabbitmq_peer_discovery_consul 3.9.13
[ ] rabbitmq_peer_discovery_etcd 3.9.13
[ ] rabbitmq_peer_discovery_k8s 3.9.13
[ ] rabbitmq_prometheus 3.9.13
[ ] rabbitmq_random_exchange 3.9.13
[ ] rabbitmq_recent_history_exchange 3.9.13
[ ] rabbitmq_sharding 3.9.13
[ ] rabbitmq_shovel 3.9.13
[ ] rabbitmq_shovel_management 3.9.13
[ ] rabbitmq_stomp 3.9.13
[ ] rabbitmq_stream 3.9.13
[ ] rabbitmq_stream_management 3.9.13
[ ] rabbitmq_top 3.9.13
[ ] rabbitmq_tracing 3.9.13
[ ] rabbitmq_trust_store 3.9.13
[e*] rabbitmq_web_dispatch 3.9.13
[ ] rabbitmq_web_mqtt 3.9.13
[ ] rabbitmq_web_mqtt_examples 3.9.13
[ ] rabbitmq_web_stomp 3.9.13
[ ] rabbitmq_web_stomp_examples 3.9.13
Thank you -Luke
Luke Bakken
Feb 14, 2022, 7:44:51 PM2/14/22
to rabbitmq-users
Hello,
Thank you for all of the information. I'm looking into it now. My guess is that this plugin needs to be updated to be compatible with RabbitMQ 3.9.x
Updates to follow...
Luke
Egor Ignatov
Feb 15, 2022, 6:54:09 AM2/15/22
to rabbitmq-users
Hi,
It was a release binary build issue. I rebuilt the plugin against latest rabbitmq and erlang and it works now. Thank you for your time and help!
I actually couldn't figure out how to build rabbit_auth_backend_ip_range as a standalone plugin so I had to build it from rabbitmq-server source tree.
Is there a reason rabbit_auth_backend_ip_range is not a part of rabbitmq-server distribution?
It was a release binary build issue. I rebuilt the plugin against latest rabbitmq and erlang and it works now. Thank you for your time and help!
I actually couldn't figure out how to build rabbit_auth_backend_ip_range as a standalone plugin so I had to build it from rabbitmq-server source tree.
Is there a reason rabbit_auth_backend_ip_range is not a part of rabbitmq-server distribution?
Luke Bakken
Feb 15, 2022, 9:45:18 AM2/15/22
to rabbitmq-users
Hi Egor,
I'm working on updating the code to be buildable stand-alone - https://github.com/gotthardp/rabbitmq-auth-backend-ip-range/pull/23
Not enough people use the rabbitmq-auth-backend-ip-range plugin to make it an officially supported part of RabbitMQ.
Thanks,
Thanks,
Luke
Luke Bakken
Feb 15, 2022, 1:25:24 PM2/15/22
to rabbitmq-users
Hello!
Please see the latest release:
You should also be able to build a standalone EZ file by cloning the repository and running this command:
make PROJECT_VERSION=2.0.0+rmq-39 DIST_AS_EZS=1 FULL=1 dist
Thanks!
Luke
Egor Ignatov
Feb 17, 2022, 2:21:32 AM2/17/22
to rabbitmq-users
Hi,
I really appreciate your work. Now I see why this plugin is not so popular as it does not meet my and probably others needs. I end up using rabbitmq_auth_backend_http.
I still don't understand why rabbitmq does not provide client's source ip at the authentication stage (guess some internal architectural issue), so now I need to implement both authn and authz for my http server to get source ip auth to the rabbitmq-server. Anyway from now I think I will be able to achieve my goals, again thank you very much.
Reply all
Reply to author
Forward
0 new messages