Re: [rabbitmq-users] tag_queries issue


Wes Peng

Feb 8, 2022, 3:36:17 PM
to rabbitm...@googlegroups.com
Versions please.


On Tue, Feb 8, 2022 at 10:40 PM Sylvain P <sylvai...@gmail.com> wrote:
Hi,

I have this config with LDAP:

[
    {rabbitmq_auth_backend_ldap,
        [
            {vhost_access_query,
                {in_group, "CN=${vhost}_administrator, ..."}
            },
            {tag_queries,
                [
                    {administrator, {constant, true}},
                    {management, {constant, true}}
                ]
            }
        ]
    }
].

In the log, I have, in order:

1. administrator is true
2. management is true

But in the management UI, when I run curl http://localhost:15672/api/whoami, I have only the management tag. It seems the management tag overwrites the administrator permission.
How can I solve it?


sylvain pham

Feb 8, 2022, 3:56:34 PM
to rabbitm...@googlegroups.com
version 3.9.13 


Wes Peng

Feb 8, 2022, 3:59:56 PM
to rabbitm...@googlegroups.com
Can you reproduce it in another instance?
If so there is probably a bug, you can submit an issue.

Thanks 

sylvain pham

Feb 8, 2022, 4:47:42 PM
to rabbitm...@googlegroups.com
Yes. With Vagrant, VirtualBox and ansible. 

Luke Bakken

Feb 8, 2022, 6:53:04 PM
to rabbitmq-users
Hello,

I can't reproduce this issue. I have attached my configuration files.

C:\Users\bakkenl\rmq-server\rabbitmq_server-3.9.13> .\sbin\rabbitmqctl.bat authenticate_user vhost1user test1234
Authenticating user "vhost1user" ...
Success
C:\Users\bakkenl\rmq-server\rabbitmq_server-3.9.13> curl -4vvvu 'vhost1user:test1234' localhost:15672/api/whoami
*   Trying 127.0.0.1:15672...
* Connected to localhost (127.0.0.1) port 15672 (#0)
* Server auth using Basic with user 'vhost1user'
> GET /api/whoami HTTP/1.1
> Host: localhost:15672
> Authorization: Basic dmhvc3QxdXNlcjp0ZXN0MTIzNA==
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< cache-control: no-cache
< content-length: 59
< content-security-policy: script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'
< content-type: application/json
< date: Tue, 08 Feb 2022 23:50:11 GMT
< server: Cowboy
< vary: accept, accept-encoding, origin
<
{"name":"vhost1user","tags":["administrator","management"]}* Connection #0 to host localhost left intact
Attachments: advanced.config, rabbitmq.conf

Sylvain P

Feb 9, 2022, 5:17:54 AM
to rabbitmq-users
:-) You have set

{administrator, {constant, true}},
and it's OK ... I agree.

But when you uncomment
{administrator, {in_group, "CN=${vhost},OU=groups,DC=bakken,DC=io"}},

in my opinion, $vhost is not evaluated or there is a bug.

Sylvain P

Feb 9, 2022, 5:24:00 AM
to rabbitmq-users
I tried another way, without success:

{ administrator, {constant, { in_group, "CN=${vhost}_administrator, OU=RabbitMQ, OU=Logins services & admins, OU=France, DC=ad, DC=corp" } } },

Sylvain P

Feb 9, 2022, 5:36:57 AM
to rabbitmq-users

With {administrator, {in_group, "CN=${vhost},OU=groups,DC=bakken,DC=io"}},

my log:
2022-02-09 10:31:10.787167+00:00 [info] <0.386.0>     LDAP DECISION: does ... have tag administrator? true
2022-02-09 10:32:06.454543+00:00 [info] <0.386.0>     LDAP DECISION: does ... have tag management? true


Output of curl -i -u http://localhost:15672/api/whoami:

{"name":"...","tags":["management"]}


Luke Bakken

Feb 9, 2022, 8:23:10 AM
to rabbitmq-users
Hello,

When you report an issue, please ALWAYS accurately state how you produce it. In your original message, you have "true" for your tag_queries.
