I build my application using the django rest framework.
How can I customize the data format that RabbitMQ expects?
The fact is that the django rest framework defines json and the Content-Type: application / json header.
RabbitMQ does not understand the body of the answer.
What do i do?

Hello,
After cloning this repo, and executing a "make" command. I was getting this error.

src/rabbit_auth_backend_http.erl:44: field auth_backend undefined in record user
src/rabbit_auth_backend_http.erl:45: field impl undefined in record user
src/rabbit_auth_backend_http.erl:20: Warning: behaviour rabbit_auth_backend undefined
make: *** [ebin/rabbit_auth_backend_http.beam] Error 1

Upon further investigation, the UserRecord from rabbitmq-commons is outdated, I've manually changed it, so it will built.

Thanks,
Melvin

Hi,

I'm making some publishing tests with different clients such as amqplib (JS) and Bunny (Ruby).
I noticed that when I publish messages slower than 1 message per second an HTTP request for write permission on the exchange to which I'm connected is made for every single message.
Otherwise, if I publish faster than 1 message per second the HTTP request for write permission is made only for the first message.
Does Rabbitmq caches the results of access control checks? If yes can I configure the cache timeout in order to avoid this check for every message?

Thanks

Simon,

I love this plugin and want to use it, but my production environment would require SSL so that no one can place a man-in-the-middle between your plugin and my auth web service.

Any idea when you might be able to spike that bit out?

Thanks!

In your README you're saying

So a configuration fragment that enables this plugin only would look like:

[{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}].

to use only HTTP, or:

[{rabbit,
  [{auth_backends, [rabbit_auth_backend_http, rabbit_auth_backend_internal]}]
 }].

to use both HTTP and the internal database.

Is that means we can use only user_path with this plugin, but once user is id & auth letting rabbitmq fallback to internal database for vhost & resource?

We are not receiving any data to the rest path /auth/user while i try to login to Management UI also while trying to connect to MQTT plugin.

My rest path returning 200 with "allow".

Also rabbitmq_auth_backend_http plugin somehow tries to hit on /auth/user even though not provided in config file.

Please someone explain me whats happening. Any help is appreciated.

rabbitmq 3.6.0

With this config:

      {auth_backends, {rabbit_auth_backend_http, rabbit_auth_backend_internal}}

I get rabbitmq restarted well, but when I try to login with http://localhost:15672
I get errors below.
When I change the line with auth_backends to square brackets, it works ok, but uses for only http_backend authorization, not connecting to internal backend at all.
So, to using both backends only that work:

{auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_http]}

Error log.

webmachine error: path="/api/whoami"
{error,function_clause,
       [{lists,foldl,
               [#Fun<rabbit_access_control.0.120764792>,
                {refused,<<"root">>,"No modules checked '~s'",[<<"root">>]},
                {rabbit_auth_backend_http,rabbit_auth_backend_internal}],
               [{file,"lists.erl"},{line,1261}]},
        {rabbit_mgmt_util,is_authorized,6,
                          [{file,"src/rabbit_mgmt_util.erl"},{line,128}]},
        {webmachine_resource,resource_call,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,186}]},
        {webmachine_resource,do,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,142}]},
        {webmachine_decision_core,resource_call,1,
                                  [{file,"src/webmachine_decision_core.erl"},
                                   {line,48}]},
        {webmachine_decision_core,decision,1,
                                  [{file,"src/webmachine_decision_core.erl"},
                                   {line,213}]},
        {webmachine_decision_core,handle_request,2,
                                  [{file,"src/webmachine_decision_core.erl"},
                                   {line,33}]},
        {rabbit_webmachine,'-makeloop/1-fun-0-',2,
                           [{file,"src/rabbit_webmachine.erl"},{line,55}]}]}

I don't find a way to check user periodically from auth plugin.

Scenario : User connected to RabbitMQ and AuthPlugin get the call for check_user only at the time of connection, but what if user is no longer available in system after connection or some permission has been removed/modified ? is there any inbuilt way in rabbitmq to have periodic call to check user in some configurable seconds/minutes/hours etc.

Good afternoon!:)

I'm through 1.5 days of debugging and magicking, I happened to be so brave that i've enabled reverse_dns_lookups (set to true) at the config meanwhile using both web-stomp and auth-http-backend plugins.

Since there's no record defined for Sock, by enabling reverse_dns_lookups it was perfectly possible to pass

{authz_socket_info,{<<"73b85905f2f8">>,15674},{<<"172.19.0.1">>,49004}}

instead of

{authz_socket_info,{{172,19,0,3},15674},{{172,19,0,1},49024}}

to extract_address(), which would pass the bitstring (instead of the tuple) to the function inet_parse:ntoa(), which would throw an error since it only accepts ip addresses in a tuple format.

I have no major experience in Erlang, although i would suggest to define a record for the Sock so it can be verified that it's the hostname bitstring or the ip tuple type of socket it's passing around.

TL;DR: People of RabbitMQ, beware, don't use reverse_dns_lookups with web-stomp and auth-http-backend.

Let me know if there's been a decision or so regarding what approach should be taken in order to fix it, i might be able to create a PR for it.

This error happens when calling check_vhost_access after user_login_authentication, find the stack trace here please.

Cheers,
-Dan

I started using this plugin, I added a path(endpoint) for user login to rabbitmq, However I need to authorize users (admin user / readonly user) sending user tags along with the response is not enough.

I tried to send http request from my server to rabbitmq to configure user permissions /api/permissions/${vhost}/${username} before send 'allow' to the broker.
is there another way to send the permissions with the response?

Introduced in 38f7744#diff-3365765bdd3faecfd862b596821939aeR122, see #61 (comment).

I just started looking at this plug in for use in our system, and it appears that the URLs that the plug uses are fixed. They simply use the server IP/name in the configuration and then performs a GET against port 8000 on that server at a predefined URL. Is there any way to customize these URLs so we have better control over where on our server the plugin will make requests?

I am in the process of changing over from Mosquitto to the Rabbit and have MQTT over web-sockets and also using the rabbit_auth_backend_http plugin. I now have it all running successfully on a dev environment but one thing that I have noticed is that there are constantly re-authentication calls coming in on for the same user: [{user_path, "http://www.domainname/rmq_auth.php"}. These calls are about
2 calls every 1 or 2 seconds where on Mosquitto it did it once when a connection was established.

My question is: Is this the intended behavior to frequently re-authenticate all connected users as you can see that this will require more resources as more concurrent connections are made?

I have setup the auth backend http plugin and the http auth service is being called successfully when I try and connect to an exchange with Python. When I try and login to the management plugin using the web interface, it also calls the auth service, but then RabbitMQ throws the error: HTTP access denied: user 'guest' - Not management user. The auth service returns 'allow' for any request at this stage.

Is there a way to configure the auth service to return this management tag and thereby satisfy this requirement? If not, please consider this a feature request, or at least a request to update the readme to make it clear that this plugin will not work with the management plugin and developers must therefore combine it with an internal authenticator for admin users.

Hello,

We are using rabbitmq_web_stomp plugin with stomp.js & sock.js to connect to the RMQ broker. We are using the username & password as the means of authentication. But it looks like the authentication bypasses this plugin completely and connects with the provided credentials without making a call to configured auth endpoints.

Is there any configuration required or is it possible to use this plugin with the web stomp plugin?

Thanks

I'm using RabbitMQ 3.7.2 and getting the following error:

2017-12-23 19:42:20.351 [error] <0.2068.0> STOMP error frame sent:                                                                                                                                                                                          
Message: access_refused                                                                                                                                                                                                                                     
Detail: "ACCESS_REFUSED - access to topic 'test' in exchange 'exchange' in vhost 'vhost' refused for user 'user', backend rabbit_auth_backend_http returned an error: {failed_connect,\n                                                        
          ...\n"                                                                                                                                                                                                                                                                
Server private detail: none                                                                                                                                                                                                                                 
2017-12-23 19:42:23.468 [error] <0.2123.0> access to topic 'test' in exchange 'exchange' in vhost 'vhost' refused for user 'user', backend rabbit_auth_backend_http returned an error: {failed_connect,[{to_address,{"localhost",8000}},{inet,[i
net],econnrefused}]}                                                                                                                                                                                                                                                            2017-12-23 19:42:23.469 [error] <0.2123.0> Channel error on connection <0.2113.0> (172.18.0.1:52446 -> 172.18.0.4:15671, vhost: 'vhost', user: 'user'), channel 1:                                                                                   
operation queue.bind caused a channel exception access_refused: access to topic 'test' in exchange 'exchange' in vhost 'vhost' refused for user 'user', backend rabbit_auth_backend_http returned an error: {failed_connect,                    
                                                                                                                                                         [{to_address,                                                                                      
                                                                                                                                                           {"localhost",                                                                                    
                                                                                                                                                            8000}},                                                                                         
                                                                                                                                                          {inet,                                                                                            
                                                                                                                                                           [inet],                                                                                          
                                                                                                                                                           econnrefused}]}                                                                                  

I think that "localhost:8000" is from PROJECT_ENV which is defined in Makefile and can't be overwritten by the configuration file:

auth_backends.1 = internal
auth_backends.2 = http

auth_http.http_method   = post
auth_http.user_path     = http://some_url
auth_http.vhost_path    = http://some_url
auth_http.resource_path = http://some_url

Hi!
I encountered such a problem. I use Django for backend authentication using AUTH_USER_MODEL. So it turned out that I have my own user model and I use the "phone" field with USERNAME_FIELD. It would be nice to be able to specify in the settings field for username. This would be suitable for many development technologies.

rabbitmq/rabbitmq-server#1229 introduced a variableMap in the context argument of rabbit_authz_backend:check_topic_access/4 and the HTTP backend doesn't handle the conversion of a map into an HTTP parameter.

Looks like your example just allows access if vhosts or resources are accessed (after username / pass auth) (also just found this in docs). I am just writing a php plugin for auth based on this plugin, In comparison to MQTT topics can you explain the function of vhosts and resources.

While using http based authentication along with ssl certificate login, client is not able to connect to broker.
The broker throws:

** Reason for termination ==
** {function_clause,
[{amqp_gen_connection,terminate,[{
{case_clause,{badrpc,{'EXIT',{{badmatch,undefined},
[{rabbit_auth_backend_http,p,1,[{file,"src/rabbit_auth_backend_http.erl"},{line,150}]},
{rabbit_auth_backend_http,user_login_authentication,2,[{file,"src/rabbit_auth_backend_http.erl"},{line,42}]},
{rabbit_access_control,try_authenticate,3,[{file,"src/rabbit_access_control.erl"},{line,88}]},
{rabbit_access_control,'-check_user_login/2-fun-0-',4,[{file,"src/rabbit_access_control.erl"},{line,74}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},
{rabbit_direct,connect,5,[{file,"src/rabbit_direct.erl"},{line,101}]},{rpc,local_call,3,[{file,"rpc.erl"},{line,321}]},
{amqp_direct_connection,connect,4,[{file,"src/amqp_direct_connection.erl"},{line,151}]}]}}}},[{amqp_direct_connection,connect,4,[{file,"src/amqp_direct_connection.erl"},{line,151}]},{amqp_gen_connection,handle_call,3,[{file,"src/amqp_gen_connection.erl"},{line,171}]},{gen_server,try_handle_call,4,[{file,...},...]},...]},...],...},...]}

for the config file:

[{rabbit, 
  [{ssl_cert_login_from, common_name},
  {auth_mechanisms, ['EXTERNAL']},
  {tcp_listeners,    [5672]},
  {loopback_users, []},
  {ssl_options, [{cacertfile, "/opt/Root.crt"},
                                 {certfile,   "/opt/server.crt"},
                                 {keyfile,    "/opt/server.key"},
                                 {verify,     verify_peer},
                                 {fail_if_no_peer_cert, true}]},
								 {auth_backends, [rabbit_auth_backend_http]}
    
]},
{rabbitmq_auth_backend_http, [
      {http_method,          post },
	  {user_path,     "http://localhost:8080/auth/user"},
	{vhost_path,    "http://localhost:8080/auth/vhost"},
	{resource_path, "http://localhost:8080/auth/resource"},
      {topic_path, "https://localhost:8080/auth/topic"}
      ]},
 {rabbitmq_mqtt, [{vhost,            "/"},
                  {exchange,         "amq.topic"},
                  {subscription_ttl, 1800000},
                  {prefetch,         10},
                  %%{ssl_listeners,    []},
                  %% Default MQTT with TLS port is 8883
                  {ssl_listeners,    [8443]},
                  {tcp_listeners,    [1883]},{ssl_cert_login, true},
                  {tcp_listen_options, [{backlog,   128},
                                        {nodelay,   true}]}]}].

The configured urls are from the example bundled in the project.

I see client IPs within the rabbit logs once clients connect, but I haven't discovered anything in the HTTP headers during auth/requests. Is it possible to pass those through/retrieve them?

Thanks a lot

Not sure if this is caused by using HTTP 1.0 but without a host header we cannot reach a single server with multiple vhosts (where one of them is our auth server)

Hello

Raising this issue regarding below discussion thread in rabbitmq-users group
Http auth backend for multi vhost environments

Problem statement :

We are using rabbitmq auth backend http to authenticate rabbit users. In multi tenant(vhost) environments, We have different dedicated servers to authenticate different vhost`s users.
Like vhost01 auth requests should be authenticated by server01 and vhost2 auth requests should be authenticated by server02.

In rabbitmq config file we define a proxy url to send auth http requests. In our proxy currently, we read the http get request params to route the request to correct backend servers(server01, server02)
Like when vhost param value is "vhost01", route the request to "server01" backend server. when vhost param value is "vhost02" route the request to "server02" backend server.

This according to our architects is not a safe approach and when using ssl we need to offload such ssl requests at our proxy server which takes up computation cycle.
Can we have a mechanism so that we can have vhost value in our http request url itself. So that we our able to route requests using url path to appropriate backend servers(server01, server02).

Would it be possible to have this plugin use HTTP keepalive? It would be nice to have for performance in general and also reduce connection churning leading to a potentially high number of TIME_WAIT connections.

We currently assume HTTP:
https://github.com/rabbitmq/rabbitmq-auth-backend-http/blob/master/src/rabbit_auth_backend_http.erl#L92.

This plugin is meant to be used in a trusted environment but some attempt using it over HTTPS on the public Internet. So I guess it's worth adding.

Hi Simon,

I'm trying to set up the module on 3.4.4. I've built and configured without issues but I'm getting the following error upon connection:

=ERROR REPORT==== 6-Mar-2015::17:47:16 ===
** Generic server <0.518.0> terminating
** Last message in was connect
** When Server state == {<0.517.0>,
                         {amqp_params_direct,<<"guest">>,<<"guest">>,<<"/">>,
                             rabbit@e4,
                             {amqp_adapter_info,
                                 {0,0,0,0,0,0,0,1},
                                 1883,
                                 {0,0,0,0,0,0,0,1},
                                 51104,<<"[::1]:51104 -> [::1]:1883">>,
                                 {'MQTT',"3.1.0"},
                                 [{ssl,false}]},
                             []}}
** Reason for termination ==
** {function_clause,
       [{amqp_gen_connection,terminate,
            [{{case_clause,
                  {badrpc,
                      {'EXIT',
                          {undef,
                              [{rabbit_auth_backend_http,check_user_login,
                                   [<<"guest">>,[{password,<<"guest">>}]],
                                   []},
                               {rabbit_access_control,try_login,3,
                                   [{file,"src/rabbit_access_control.erl"},
                                    {line,82}]},
                               {lists,foldl,3,
                                   [{file,"lists.erl"},{line,1197}]},
                               {rabbit_access_control,check_user_login,2,
                                   [{file,"src/rabbit_access_control.erl"},
                                    {line,57}]},
                               {rabbit_direct,connect0,5,
                                   [{file,"src/rabbit_direct.erl"},{line,85}]},
                               {rpc,local_call,3,
                                   [{file,"rpc.erl"},{line,327}]},
                               {amqp_direct_connection,connect,4,
                                   [{file,"src/amqp_direct_connection.erl"},
                                    {line,133}]},
                               {amqp_gen_connection,handle_call,3,
                                   [{file,"src/amqp_gen_connection.erl"},
                                    {line,171}]}]}}}},
              [{amqp_direct_connection,connect,4,
                   [{file,"src/amqp_direct_connection.erl"},{line,133}]},
               {amqp_gen_connection,handle_call,3,
                   [{file,"src/amqp_gen_connection.erl"},{line,171}]},
               {gen_server,handle_msg,5,[{file,"gen_server.erl"},{line,588}]},
               {proc_lib,init_p_do_apply,3,
                   [{file,"proc_lib.erl"},{line,227}]}]},
             {<0.517.0>,
              {amqp_params_direct,<<"guest">>,<<"guest">>,<<"/">>,rabbit@e4,
                  {amqp_adapter_info,
                      {0,0,0,0,0,0,0,1},
                      1883,
                      {0,0,0,0,0,0,0,1},
                      51104,<<"[::1]:51104 -> [::1]:1883">>,
                      {'MQTT',"3.1.0"},
                      [{ssl,false}]},
                  []}}],
            [{file,"src/amqp_gen_connection.erl"},{line,230}]},
        {gen_server,terminate,6,[{file,"gen_server.erl"},{line,722}]},
        {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]}

I think this means that the Erlang process is terminating. Application stays up and running. Any suggestions much appreciated.

Thanks

I am using webstomp with this module for custom authentication. I am not getting custom-header in the auth url request. Is this suported?

stomp code
var headers = {
login: 'username',
passcode: 'password',
// additional header
'custom-header': 'myclientid'
};
stompClient.connect(headers, STOMPAPI.on_connect, STOMPAPI.on_error);

rabbit config
[
{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
{rabbitmq_auth_backend_http,
[{user_path, "http://localhost/apirabbit"},
{vhost_path, "http://localhost/apirabbit"},
{resource_path, "http://localhost/apirabbit"}]
}].

I am writing a web app that integrates with rabbitmq-auth-backend-http and provides authentication given some permission rules.
In my specific case I would like to restrict the access of a topic containing a wildcard only to the topics the user is allowed to access to.

Example:
Topics are structured as follow:

'application..feature'

The user A is able to access applications with id 1, but not application with id 2, thus the user when subscribing to 'application.*.feature' should be allowed and listen only to messages in the topic 'application.1.feature'.
This has to be extended to a situation were the user could potentially listen for messages coming from more than one topic.

The issue is that I am not able to provide a response to the plugin rabbitmq-auth-backend-http stating that the user is allowed but restricted to only certain topics. Is my request beyond rabbitmq protocol permission or is this plugin that has not implemented this yet?

README.md seems a little confusing for beginners like me.

I tried to install RabbitMQ on Mac via brew and I tried enabling this plugin. I keep running:

$ rabbitmq-plugins enable rabbit_auth_backend_http

But apparently (upon running rabbitmq-plugins list) it should be:

$ rabbitmq-plugins enable rabbitmq_auth_backend_http

It is not enabled by default so I settled to do that command.

Just ignore this if I'm just misunderstanding the README.md. Thanks.

I found that this topic_path has never been called.
I think it should be called when exchange has routingkey binding,but when binding routingkey did not be called.
Can you help me? I can't find the problem.

We currently have no test coverage. A small Cowboy REST app started on a local node would suffice.

I'm trying to run RabbitMQ 3.7.0 with auth_http.http_method = post config setting, but I'm getting the following error:

Config file generation failed 13:19:51.969 [error] You've tried to set auth_http.http_method, but there is no setting with that name.
13:19:51.969 [error]   Did you mean one of these?
13:19:51.989 [error]     auth_http.topic_path
13:19:51.989 [error]     auth_http.user_path
13:19:51.989 [error]     auth_http.vhost_path
13:19:51.989 [error] Error generating configuration in phase transform_datatypes
13:19:51.989 [error] Conf file attempted to set unknown variable: auth_http.http_method

Is this configuration option is deprecated or renamed?

Can you add some example, if it possible ?

This plugin depends on mochiweb because of a single function: mochiweb_util:quote_plus/1. In 3.7.0 we are moving away from Webmachine/Mochiweb so this extra dependency is unnecessary and should be removed.

Hello, Simon.

Plugin receiving "allow *" from web-server, but authorization is not successful.
In log written:
closing AMQP connection <0.304.0> (127.0.0.1:34028 -> 127.0.0.1:5672):
{handshake_error,opening,0,
{amqp_error,access_refused,
"access to vhost 'vhost_name' refused for user 'user_name'",
'connection.open'}}

Plugin sending HTTP-request to user_path URI only.

I have this problem only in Debian 7, but in Debian 6 all OK.

How can i authencation client subcribe to topic with spring security?

Hello everybody,

I'm trying to setup rabbitmq (and its MQTT plugin) to allow AA via http with this module, but it keeps failing. It crashes when connecting via MQTT and also via the builtin management portal.

This is my very simple docker file:

FROM rabbitmq:3.6.10

RUN rabbitmq-plugins enable --offline rabbitmq_management
RUN rabbitmq-plugins enable --offline rabbitmq_mqtt

EXPOSE 15672
EXPOSE 1883

My env vars:

 - RABBITMQ_NODENAME=rabbit-mqtt-1@localhost
  - RABBITMQ_DEFAULT_USER=guest
  - RABBITMQ_DEFAULT_PASS=hidden
  - RABBITMQ_CONFIG_FILE=/etc/rabbitmq/rabbitmq2

and my rabbitmq2.conf file:

[
  {rabbit, [
	%% {default_user,     <<"admin">>},
	%% {default_pass,     <<"pRqEdtyFrX7h9BEfPQLYRmYbKcUVBv">>},
	{auth_backends, [rabbit_auth_backend_http]},
	{log_levels, [{connection, debug}, {channel, debug}]}
	  ]
  },
  { 
    rabbitmq_management, [
      { listener, [
          { port, 15672 },
          { ssl, false }
    	] 
	  } 
	]},
  {
	rabbitmq_mqtt, [
	  {log_levels, [{connection, debug}, {channel, debug}]},
      {auth_backends, [rabbit_auth_backend_http]},
	  %% {default_user,     <<"guest">>},
	  %% {default_pass,     <<"guest">>},
	  %% {allow_anonymous,  false},
	  {vhost,            <<"/">>},
	  {exchange,         <<"amq.topic">>},
	  {subscription_ttl, 1800000},
	  {prefetch,         10},
	  {ssl_listeners,    []},
	  %% Default MQTT with TLS port is 8883
	  %% {ssl_listeners,    [8883]}
	  {tcp_listeners,    [1883]},
	  {tcp_listen_options, [
        {backlog,   128},
        {nodelay,   true}]}
    ]},
  %% See HTTP backend docs for details
  { rabbitmq_auth_backend_http,
  [
    {http_method,   post},
    { user_path,     "http://192.168.1.70:8000/auth/user" },
    { vhost_path,    "http://192.168.1.70:8000/auth/vhost" },
    { resource_path, "http://192.168.1.70:8000/auth/resource" }
  ]
  }
].

The problem: rabbitmq never communicates with my web server.

When connecting via MQTT: https://pastebin.com/J9pQJpBH

When connecting via builtin management portal: https://pastebin.com/JWFQsDPe

Any help ?

Thank you in advance.

There arenot rabbitmq-auth-backend-http-3.7.x?And when i build this plugin follows the order of the site,but it call lager has no makefile and need to update make for GUN MAKE 4.what's more,i tried to use the plugin which is 3.6.x in the rabbitmq-sevice-3.6.6 and rabbitmq-service-3.6.3,it's load success,but cann't to connection throught the websit.(also load the rabbitmq-management,and configure as the http site which i can access)
Thanks.

Hello,

We are using the auth-backend-http along with mqtt plugin, everything is working fine, but we realized one thing. Whenever we sent an MQTT "Subscribe" or "Publish" the auth-backend-http is sending request to /auth/topic endpoint twice with same contents. Is there a specific reason why its doing this ?

You can find a wireshark capture from the machine, and a screenshot attached.

duplicate-msgs-pcap.zip

Thanks is advance

I've tried setting up this plugin on RabbitMQ 3.6.6, however it seems to be failing with unknown error. HTTP Server logs indicate that request was never received, so it's probably failing before that.

Setup:

• Freshly installed RabbitMQ 3.6.6 on Ubuntu 16.04.1
• Server is visible from RabbitMQ node, e.g. curl -X POST http://192.168.1.101/auth/user returns valid response.
• Plugin downloaded from bintray, though I have tried version built from sources, unfortunately to the same result.

Configuration:

[
 {rabbit, [{auth_backends, [rabbitmq_auth_backend_http]}]},
 {rabbitmq_auth_backend_http,
  [{http_method,   post},
   {user_path,     "http://192.168.1.101/auth/user"},
   {vhost_path,    "http://192.168.1.101/auth/vhost"},
   {resource_path, "http://192.168.1.101/auth/resource"}]}
].

Server is configured to always return allow and allow administrator for user path.

Logs:

Starting RabbitMQ 3.6.6 on Erlang 18.3
Copyright (C) 2007-2016 Pivotal Software, Inc.
Licensed under the MPL.  See http://www.rabbitmq.com/

*** snip

=INFO REPORT==== 11-Dec-2016::11:58:28 ===
Server startup complete; 8 plugins started.
 * rabbitmq_management
 * rabbitmq_management_agent
 * rabbitmq_web_dispatch
 * rabbitmq_mqtt
 * rabbitmq_auth_backend_http
 * webmachine
 * mochiweb
 * amqp_client

*** snip


=ERROR REPORT==== 11-Dec-2016::11:58:29 ===
webmachine error: path="/api/whoami"
{error,undef,
       [{rabbitmq_auth_backend_http,user_login_authentication,
                                    [<<"123">>,[{password,<<"123">>}]],
                                    []},
        {rabbit_access_control,try_authenticate,3,
                               [{file,"src/rabbit_access_control.erl"},
                                {line,88}]},
        {rabbit_access_control,'-check_user_login/2-fun-0-',4,
                               [{file,"src/rabbit_access_control.erl"},
                                {line,74}]},
        {lists,foldl,3,[{file,"lists.erl"},{line,1262}]},
        {rabbit_mgmt_util,is_authorized,6,
                          [{file,"src/rabbit_mgmt_util.erl"},{line,134}]},
        {webmachine_resource,resource_call,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,186}]},
        {webmachine_resource,do,3,
                             [{file,"src/webmachine_resource.erl"},
                              {line,142}]},
        {webmachine_decision_core,resource_call,1,
                                  [{file,"src/webmachine_decision_core.erl"},
                                   {line,48}]}]}

Any ideas what might be an issue here?

Thanks.

EDIT:

Resolution: First line of configuration should say {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}, instead of {rabbit, [{auth_backends, [rabbitmq_auth_backend_http]}]},

According to the documentation https://www.rabbitmq.com/access-control.html#topic-authorisation the client_id can be used in topic authorisation.

Is the client_id currently provided to the web server?
If not I think it makes sense to add this information to at least user_path and topic_path requests.

Internal (default) authorisation backend supports variable expansion in permission patterns. Three variables are supported: username, vhost, and client_id. Note that client_id only applies to MQTT. For example, if tonyg is the connected user, the permission ^{username}-.* is expanded to ^tonyg-.*

First, thanks for this great plugin. I don't know erlang and trying to figure this out:
How to add the client IP address to the request and for resources, is it possible to get the routing key?

I want to restrict access by routing key and I'd like to capture the client ip as well. Thanks.

Currently resource_path takes:

• username - the name of the user
• vhost - the name of the virtual host containing the resource
• resource - the type of resource (exchange, queue)
• name - the name of the resource
• permission - the access level to the resource (configure, write, read)

However, it is not clear what operation is being attempted. For instance, queue.bind and queue.unbind are both 'write' operations on the queue.

Also, there is no routing key. Can it be added (perhaps as a generic bag of attributes associated with an operation)? I understand that standard Rabbit authorization model does not go so deep so to consider routing keys, but since you give us control of the authorization repository, we would like to restrict to which topics (routing keys) the consumers may bind.

Thanks!

I started the following discussion in the google groups:

https://groups.google.com/forum/#!topic/rabbitmq-users/O7ORCQXvVT8

as its easier to find I decided to add it here also, sorry for the duplication.

My idea is to pass the tags which are retrieved in the user_path to the other paths:

vhost_path
resource_path
topic_path

This would make it possible to use the tags which are retrieved in the user_path to be used as roles for authorization.

I might be able to create a PR.

Hi,

It would be great to change GET requests to POST, because GET requests expose passwords in access logs of web server serving the app for rabbitmq auth backend.

I need to return the text if I deny authorization, how can this be done?
For example:

• "The password is incorrect, you have 5 attempts left",
• "The password is incorrect, you have 4 attempts left"
  ...
• "The user is blocked"

I can see in my server logs that I'm getting (quite a few) calls to /user?username=&password= and "allow administrator management" is getting passed back. This is allowing me to gain access to the administrative web application.

When I attempt to create an exchange, I'm told that I don't have access to virtual host "/", and there's no call to vhost_path in my logs.

Nor is there ever a call to resource_path.

My assumption is that the security API in the 3.1.x release has changed, causing your plugin not to be called for vhost_path and resource_path operations.

What do you recommend that I do?

Hi,

I have downloaded the bin of the plugin " rabbitmq_auth_backend_http-3.5.x-fe9401c6.ez" and put it into the plugins folder.
and then enabled the plugin . It shown configuration changed .
But when i start my server it doesnt start with the authentication plugin.

Server startup complete; 6 plugins started.

• amqp_client
• mochiweb
• rabbitmq_management
• rabbitmq_management_agent
• rabbitmq_web_dispatch
• webmachine

and when i send message to server from client the error report contains
=ERROR REPORT==== 30-Jun-2015::10:51:29 ===
closing AMQP connection <0.332.0> (127.0.0.1:42348 -> 127.0.0.1:5672):
{handshake_error,starting,0,
{error,undef,'connection.start_ok',
[{rabbit_auth_backend_http,check_user_login,
[<<"guest">>,[{password,<<"guest">>}]],
[]},
{rabbit_access_control,'-check_user_login/2-fun-0-',4,
[{file,"src/rabbit_access_control.erl"},{line,56}]},
{lists,foldl,3,[{file,"lists.erl"},{line,1248}]},
{rabbit_reader,auth_phase,2,
[{file,"src/rabbit_reader.erl"},{line,987}]},
{rabbit_reader,handle_method0,3,
[{file,"src/rabbit_reader.erl"},{line,826}]},
{rabbit_reader,handle_input,3,
[{file,"src/rabbit_reader.erl"},{line,738}]},
{rabbit_reader,recvloop,2,
[{file,"src/rabbit_reader.erl"},{line,292}]},
{rabbit_reader,run,1,[{file,"src/rabbit_reader.erl"},{line,273}]}]}}

Thanks

I am trying to use this plugin with the example code present in the repo as the back end, basically sending back "allow" for all the calls. Everything is working as expected, except when I try and do an exchange to exchange binding. It errors out both from the code and management UI. Here is the error I get in the code while subscribing to exchange "SubTest" which is subscribing to the publisher exchange "PubTest" on topic "key"

_RabbitMQ.Client.Exceptions.OperationInterruptedException: The AMQP operation was interrupted: AMQP close-reason, initiated by Peer, code=403, text="ACCESS_REFUSED - access to topic 'key' in exchange 'SubTest' in vhost '/' refused for user 'admin', backend rabbit_auth_backend_http returned an error: {bad_scheme,
...", classId=50, methodId=20, cause=
at RabbitMQ.Client.Impl.SimpleBlockingRpcContinuation.GetReply(TimeSpan timeout)
at RabbitMQ.Client.Impl.ModelBase.ModelRpc(MethodBase method, ContentHeaderBase header, Byte[] body)
at RabbitMQ.Client.Framing.Impl.Model.Private_QueueBind(String queue, String exchange, String routingKey, Boolean nowait, IDictionary2 arguments) at RabbitMQ.Client.Impl.AutorecoveringModel.QueueBind(String queue, String exchange, String routingKey, IDictionary2 arguments)

And here is the error in the rabbit log corresponding to this

2019-05-02 15:16:50.004 [error] <0.929.0> access to topic 'key' in exchange 'SubTest.Sam' in vhost '/' refused for user 'admin', backend rabbit_auth_backend_http returned an error: {bad_scheme,"hhttp"}
2019-05-02 15:16:50.005 [error] <0.929.0> Channel error on connection <0.919.0> (127.0.0.1:12862 -> 127.0.0.1:5672, vhost: '/', user: 'admin'), channel 1:
operation queue.bind caused a channel exception access_refused: access to topic 'key' in exchange 'SubTest' in vhost '/' refused for user 'admin', backend rabbit_auth_backend_http returned an error: {bad_scheme,
"hhttp"}

Any help will be greatly appreciated.