Rabbit MQ backend http authorisation not working


Suraj Khanduri

Aug 19, 2017, 4:19:21 AM
to rabbitmq-users
I have configured rabbitmq-auth-backend-http and my rabbitmq.config looks like below

[
 {rabbit, [{auth_backends, [rabbit_auth_backend_http, rabbit_auth_backend_internal]}]},
 {rabbitmq_auth_backend_http,
   [{http_method,   get},
    {user_path,     "http://localhost:8080/auth/user"},
    {vhost_path,    "http://localhost:8080/auth/vhost"},
    {resource_path, "http://localhost:8080/auth/resource"},
    {topic_path,    "http://localhost:8080/auth/topic"}]}
].

Authorization end points http://localhost:8080/auth/ are up and running.

But when I try to log in to the UI portal, the http://localhost:15672/api/whoami API call fails with status code 500.

Authentication with the RabbitMQ internal database is working fine, i.e. if I replace {rabbit, [{auth_backends, [rabbit_auth_backend_http, rabbit_auth_backend_internal]}]} with {rabbit, [{auth_backends, [rabbit_auth_backend_internal]}]}, it's working fine and I am able to log in.

The problem is that adding rabbit_auth_backend_http to auth_backends is not working. It's not even hitting the authorization endpoints. I have checked the logs in var/rabbitmq/rab...@localhost.log, but no help. I am posting the logs here:

=ERROR REPORT==== 18-Aug-2017::21:55:46 === Ranch listener rabbit_web_dispatch_sup_15672 had connection process started with cowboy_protocol:start_link/4 at <0.574.0> exit with reason: {[{reason,undef},{mfa,{rabbit_mgmt_wm_whoami,is_authorized,2}},{stacktrace,[{rabbit_auth_backend_http,user_login_authentication,[<<"test">>,[{password,<<"test">>}]],[]},{rabbit_access_control,try_authenticate,3,[{file,"src/rabbit_access_control.erl"},{line,88}]},{rabbit_access_control,'-check_user_login/2-fun-0-',4,[{file,"src/rabbit_access_control.erl"},{line,74}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},{rabbit_mgmt_util,is_authorized,6,[{file,"src/rabbit_mgmt_util.erl"},{line,149}]},{cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,976}]},{cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,150}]},{cowboy_protocol,execute,4,[{file,"src/cowboy_protocol.erl"},{line,442}]}]},{req,[{socket,#Port<0.26006>},{transport,ranch_tcp},{connection,keepalive},{pid,<0.574.0>},{method,<<"GET">>},{version,'HTTP/1.1'},{peer,{{127,0,0,1},51220}},{host,<<"localhost">>},{host_info,undefined},{port,15672},{path,<<"/api/whoami">>},{path_info,undefined},{qs,<<>>},{qs_vals,[]},{bindings,[]},{headers,[{<<"host">>,<<"localhost:15672">>},{<<"connection">>,<<"keep-alive">>},{<<"authorization">>,<<"Basic dGVzdDp0ZXN0">>},{<<"user-agent">>,<<"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36">>},{<<"content-type">>,<<"application/json">>},{<<"accept">>,<<"/">>},{<<"referer">>,<<"http://localhost:15672/">>},{<<"accept-encoding">>,<<"gzip, deflate, 
br">>},{<<"accept-language">>,<<"en-US,en;q=0.8">>},[{<<"connection">>,[<<"keep-alive">>]}]},{cookies,undefined},{meta,[]},{body_state,waiting},{buffer,<<>>},{multipart,undefined},{resp_compress,true},{resp_state,waiting},{resp_headers,[{<<"vary">>,<<"origin">>}]},{resp_body,<<>>},{onresponse,#Fun}]},{state,{context,undefined,none,undefined}}],[{cowboy_rest,error_terminate,5,[{file,"src/cowboy_rest.erl"},{line,1009}]},{cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,150}]},{cowboy_protocol,execute,4,[{file,"src/cowboy_protocol.erl"},{line,442}]}]}

 
What am I doing wrong here?

Thanks for any help.

Luke Bakken

Aug 19, 2017, 10:55:36 AM
to rabbitmq-users
Hi Suraj -

Could you please let us know what version of RabbitMQ you are using, the Erlang version, your server environment, and how you installed RabbitMQ?

Here's the error:

{[{reason,undef},{mfa,{rabbit_mgmt_wm_whoami,is_authorized,2}}

I suspect that you have not enabled the management plugin, which is what drives the /api http endpoint:


Thanks,
Luke


 

Suraj Khanduri

Aug 19, 2017, 3:44:54 PM
to rabbitm...@googlegroups.com

Hi Luke,

Thanks for your reply. Here are the environment and version details:

OS: MacOS sierra version 10.12.6

RabbitMQ : 3.6.9

Erlang/OTP 19

I have installed RabbitMQ using the "brew install rabbitmq" command.

To make sure the management plugin is enabled, I ran the rabbitmq-plugins list command. It says
 "[E*] rabbitmq_management               3.6.9"

i.e. explicitly enabled and running on rabbit@localhost.

And when I replace {rabbit, [{auth_backends,[rabbit_auth_backend_http, rabbit_auth_backend_internal]}]} with {rabbit, [{auth_backends,[rabbit_auth_backend_internal]}]}, it's working fine and I am able to log in.

It means the management plugin is not an issue.

Please suggest, and let me know if any more detail is required.

Thanks




--
Thanks & Regards
 Suraj Khanduri

Arnaud Cogoluègnes

Aug 21, 2017, 5:01:31 AM
to rabbitm...@googlegroups.com
You also need to install and enable the rabbitmq_auth_backend_http plugin [1]. Did you?




Suraj Khanduri

Aug 21, 2017, 9:02:56 AM
to rabbitm...@googlegroups.com
Ah. That was a silly mistake. After installing the rabbitmq_auth_backend_http plugin it's working fine now. Thanks a lot.

After playing a bit more with rabbitmq_auth_backend_plugin I observed that if I want authorization for only "resource_path", I need to configure all 4 endpoints (user_path, vhost_path, topic_path, resource_path) in the rabbitmq.config file. If I configure only the "resource_path" endpoint like below, it's not working.


{rabbitmq_auth_backend_http,
   [{http_method,   post},
    {resource_path, "http://localhost:3999/auth/resource"}]}

Is this the expected behavior? Do I need to configure all endpoints even if my use case is to authorize only "resource_path"?

Thanks.


Arnaud Cogoluègnes

Aug 21, 2017, 9:46:31 AM
to rabbitm...@googlegroups.com
Yes, it is expected. If you don't specify any value for a resource path, it will use the default one [1].
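
Because every check (user, vhost, resource, topic) is sent to some URL whether or not it is configured, the authorization service has to answer all four. A minimal sketch of such a service follows; it is an added example, not code from this thread or from the RabbitMQ project. The paths match the config posted above, the users and permission table are constructed sample data, and the "allow"/"deny" reply bodies follow the plugin's convention.

```python
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Constructed sample policy (hypothetical user, vhost and permissions).
USERS = {"test": {"password": "test", "tags": ["management"]}}
VHOSTS = {"test": {"/"}}
RESOURCES = {("test", "/", "queue"): {"configure", "write", "read"},
             ("test", "/", "exchange"): {"write", "read"},
             ("test", "/", "topic"): {"write", "read"}}

def decide(path, p):
    """Return the reply body: 'allow', 'allow <tags>' or 'deny'."""
    user = p.get("username", "")
    if path == "/auth/user":
        u = USERS.get(user)
        given = p.get("password", "").encode()
        if u and hmac.compare_digest(given, u["password"].encode()):
            return ("allow " + " ".join(u["tags"])).strip()
        return "deny"
    if path == "/auth/vhost":
        return "allow" if p.get("vhost") in VHOSTS.get(user, set()) else "deny"
    if path in ("/auth/resource", "/auth/topic"):
        key = (user, p.get("vhost"), p.get("resource"))
        ok = p.get("permission") in RESOURCES.get(key, set())
        return "allow" if ok else "deny"
    return "deny"  # unknown endpoint: fail closed

class AuthHandler(BaseHTTPRequestHandler):
    def _reply(self, params):
        flat = {k: v[0] for k, v in params.items()}
        body = decide(urlparse(self.path).path, flat).encode()
        self.send_response(200)  # the decision is in the body, not the status
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):   # {http_method, get}: parameters in the query string
        self._reply(parse_qs(urlparse(self.path).query))

    def do_POST(self):  # {http_method, post}: parameters form-encoded in the body
        n = int(self.headers.get("Content-Length", 0))
        self._reply(parse_qs(self.rfile.read(n).decode()))

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

With {http_method, get} the password travels in the query string of the user_path request, where web server access logs tend to record it; {http_method, post} keeps it in the request body.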

Suraj Khanduri

Aug 21, 2017, 10:08:20 AM
to rabbitm...@googlegroups.com
Thanks. That helps a lot.