ibm-messaging / mq-container

Container images for IBM® MQ
Apache License 2.0

User "app" can't be authorized although being in HTPASSWD #549

Closed Miayl closed 9 months ago

Miayl commented 9 months ago

Hi,

Similar to https://github.com/ibm-messaging/mq-container/issues/543 I'm getting the following error messages on EKS:

2023-12-21T10:15:56.231Z mqhtpass: mqhtpass_authenticate_user without CSP user set.  effectiveuid=app      env=3, callertype=1, type=0, accttoken=2031537276 applidentitydata=2031537308
2023-12-21T10:15:56.231Z mqhtpass: User authentication failed user=app effuser=app applname=amqpcsea cspuser=app      cc=1 reason=0

They appear when the container is starting, even without using a client to connect to the Queue, although MQ_CONNAUTH_USE_HTP is set to true and the app user is listed in etc/mqm/mq.htpasswd and set with MQ_USER_NAME. The same happens when setting MQ_USER_NAME to admin.

Interestingly, when running on minikube these messages do not appear; they only appear when trying to deploy it on EKS with the IBM MQ Helm chart in https://github.com/ibm-messaging/mq-helm.

On minikube our deploy file looks like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ibm-mq-deployment
  labels:
    app: ibm-mq
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ibm-mq
  template:
    metadata:
      labels:
        app: ibm-mq
    spec:
      containers:
        - name: ibm-mq
          image: ibm-mqadvanced-server-dev:9.3.3.1-arm64
          imagePullPolicy: Never
          ports:
            - containerPort: 1414
              name: mq
            - containerPort: 9443
              name: web
          env:
            - name: LICENSE
              value: "accept"
            - name: MQ_QMGR_NAME
              value: "QM1"
---
apiVersion: v1
kind: Service
metadata:
  name: ibm-mq
  labels:
    app: ibm-mq
spec:
  ports:
    - port: 1414
      name: mq
    - port: 9443
      name: web
  selector:
    app: ibm-mq
  internalTrafficPolicy: Local

Edit: The minikube version is only for short local tests, but for the actual EKS deployment we want to make use of persisting data.

arthurbarr commented 9 months ago

For MQ 9.3.3 and earlier, the default password for the "app" user is blank - you set the password with the MQ_APP_PASSWORD environment variable. From MQ 9.3.4, you don't get a blank password, and the user doesn't exist if the variable is not set. So I'd recommend setting the environment variable, and adding the password in your application, in the MQ CSP structure.

Miayl commented 9 months ago

Thanks for the quick reply! Setting MQ_APP_PASSWORD as you said resolved those log messages.
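
The recommendation above, applied to the Deployment posted in the issue, as an added example that is not part of the original thread or the project's own manifests: MQ_APP_PASSWORD is supplied from a Kubernetes Secret rather than as a literal value in the manifest. The Secret name `ibm-mq-app-credentials`, the key `appPassword` and the placeholder password are assumptions made for illustration.

```yaml
# Added example. The Secret name, key and value are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: ibm-mq-app-credentials        # hypothetical name
type: Opaque
stringData:
  appPassword: "REPLACE_WITH_GENERATED_PASSWORD"   # placeholder, not a real value
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ibm-mq-deployment
  labels:
    app: ibm-mq
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ibm-mq
  template:
    metadata:
      labels:
        app: ibm-mq
    spec:
      containers:
        - name: ibm-mq
          image: ibm-mqadvanced-server-dev:9.3.3.1-arm64
          imagePullPolicy: Never
          ports:
            - containerPort: 1414
              name: mq
            - containerPort: 9443
              name: web
          env:
            - name: LICENSE
              value: "accept"
            - name: MQ_QMGR_NAME
              value: "QM1"
            # Password for the "app" user. Per the maintainer's reply: blank by
            # default on MQ 9.3.3 and earlier; from 9.3.4 the user does not
            # exist unless this variable is set.
            - name: MQ_APP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: ibm-mq-app-credentials
                  key: appPassword
```

The client application then has to present the same password for the "app" user in the MQ CSP structure, as described in the reply above.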