rabbitmq / rabbitmq-oauth2-tutorial

Explore integration of RabbitMQ with Oauth 2.0 auth backend plugin

[Keycloak] Access Refused when creating queues #15

Closed verhyppo closed 1 year ago

verhyppo commented 1 year ago

Hello,

I'm trying to use the administrator rabbit_admin provided within this repo to create a new queue from the management UI.

Unfortunately I'm having an error:

2023-02-05 19:58:20.818952+00:00 [warning] <0.908.0> Declare queue error: access to queue 'asd' in vhost '/' refused for user '4cf4d6b5-09e5-453f-bf22-c8efdc2dd1dc'
2023-02-05T19:58:38.955123324Z 2023-02-05 19:58:38.954168+00:00 [warning] <0.939.0> Declare queue error: access to queue 'asd' in vhost '/' refused for user '4cf4d6b5-09e5-453f-bf22-c8efdc2dd1dc'

Under the "user" tab, in fact, that user is not listed, but I expect that since that account is managed via Keycloak. Am I correct?

The access token follows:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHbmwyWmxiUmgzckFyNld5bWM5ODhfNWNZN1Q1R3VlUGQ1ZHBKbFhESlVrIn0.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.KlcYr_eTzjViVTRRrYv0Zokkxeu9Vu0XqrNPmpVkNIZCwu0r9gGqhOE8sCSkfDJQQfMW7giaYVzLHuiyyGR8DrAe7DZ6uj-WJgzEthwIr7FQIArh6xVMdsy8JVkLDiwOVL4RyLaYQXn5KqiMg-Rj1wMsMUG_SK8DW9QbHd23hvtkNufr5ZkePWOeH-qhWJWdk8UzZVEnp6Oj6KZcnp9fAZMTUi_elYbSSOVNXsxVb_y5EKRyh3HM530VAHM3EZK_FAd2Lhr3OrzWAQ4es6IGiH2L4gv8tw_F3nShOE9yo45rP0zzb28gdn5GYSNAhDVEYaKEsUsMDjLye8CG8x_5hw

I also tried to add the explicit roles to the user, but I had no luck.

rabbitmq.configure:*/*
rabbitmq.read:*/*
rabbitmq.write:*/*

The JWT token follows:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHbmwyWmxiUmgzckFyNld5bWM5ODhfNWNZN1Q1R3VlUGQ1ZHBKbFhESlVrIn0.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.ItIvMk0YDMyQ3Oj96d-MioQuFJC67YDbvFopWgvQ5sjKDLm8pG4SkMCG6R2I_VLzkMKeTu9dUqb_DvQLM17ARqFLFhz6hGHJlfe42JFbO0XDCfvrjQtFq31OW4a3IWku213mXjRAb8lpE-2fJE_7RlT_o6LwnIActNI540cMba-f3FLahkMhhcodDNvT8W3LMogj5CIJtfK84Z95XUWH9QbnTcgUGTZSUXw1EgkUKBLNX_HIgueasUHbJcfkWSkqXtzpk7XiDitDpX5TQEe_hZvWSvoEkmnQhheAR_PBhZPIUP6WtYIBzG0A5VcwhOY9MpAlIovld4wUlNY8fIJECw

Are you able to reproduce this error?

Many thanks, Veronica

MarcialRosales commented 1 year ago

Hi @verhyppo. First of all, thanks for your PR!

I am investigating it. I am able to reproduce the issue you are experiencing after I create the 3 respective roles (rabbitmq.configure:*/*, rabbitmq.read:*/*, rabbitmq.write:*/*) and grant them to the rabbit_admin user. This user was only meant to be an administrator user without any permissions to configure, read or write AMQP resources. However, as soon as I grant those permissions, I should be able to create queues via the management UI.

MarcialRosales commented 1 year ago

@verhyppo The issue is that the access_token emitted by Keycloak carries two scope claims. The first one has the value openid profile email rabbitmq.tag:administrator and the second one has a list of all the scopes that we granted to the user via role mapping. When RabbitMQ parses the token, it takes the first scope and ignores the second one. It is wrong to have 2 claims with the same name, though.

I do not think there is anything wrong with Keycloak per se, but rather with the way I assign scopes to the rabbit_admin user. If you look at the Role Mapping tab, you will see that I created a mapper that maps roles to a claim whose name is scope. I think this is the issue. I believe Keycloak emits one scope claim derived from the rabbitmq-client-code client used by the management UI to authorize the user. And additionally, it adds another scope claim from the user's role mapping.

I am far from an expert in Keycloak. If you know a better way of assigning scopes to a user, please feel free to suggest one. :) In the meantime, I keep investigating how to do it.

verhyppo commented 1 year ago

Hi @MarcialRosales, thanks for taking the time to have a look at this.

In the tokens I sent above there is just one scope claim, which contains a multivalued scope with all the scopes derived from both elements: the roles assigned to the user and the client scopes assigned to the client; but still there is just one scope claim. I don't get where this second one you are referring to comes from. Does the one below sound correct? Can you please provide me with a token payload as it is expected by RabbitMQ, so that I can have a closer look at the Keycloak configuration?

Moreover, since rabbitmq-client-code is used just for the RabbitMQ management dashboard, can we assume that we can just propagate the groups or realm roles assigned to the user as scopes? So remove all mappers from rabbitmq-client-code except the username and aud mappings? Thanks.

Below is the "scope" claim I have in the token above. I didn't find another one as you mentioned.

"scope": [
    "rabbitmq.read:*/*",
    "rabbitmq.write:*/*",
    "default-roles-test",
    "rabbitmq.tag:administrator",
    "offline_access",
    "rabbitmq.tag:management",
    "uma_authorization",
    "rabbitmq.configure:*/*"
],

MarcialRosales commented 1 year ago

Hi @verhyppo, could you try the following steps?

  1. Inspect the token stored in the session storage. In my case, it renders a scope field which has just a few scopes, but none of them are rabbitmq.read:*/* or rabbitmq.write:*/* or rabbitmq.configure:*/*
  2. Copy the access_token stored in the session_storage and paste it into jwt.io, you will see that the scopes have exactly the scopes we expect.

How could that be? Because jwt.io renders the last scope field whereas the oidc-client library (embedded into the management ui) takes the first scope field. And RabbitMQ internally also picks the first scope field.

What do you use to parse the token?
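
The comment above hinges on how a JSON parser handles two claims with the same name: one consumer keeps the first "scope", another keeps the last, and jwt.io and RabbitMQ disagree. The script below is an added example (not code from this thread, the tutorial, or RabbitMQ) that decodes a token's payload segment and reports every claim name that occurs more than once, alongside the value a first-wins and a last-wins parser would each see. It uses only the Python standard library; the sample token is constructed inline with a placeholder signature, and nothing here verifies a signature, so it is a debugging aid for claim layout, not an authorization check.

```python
import base64
import json


def _b64url_encode(text: str) -> str:
    """base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(text.encode("utf-8")).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(payload_json: str) -> str:
    """Assemble a compact JWS from a raw payload string.

    Constructed for inspection only: the third segment is a placeholder, not a
    signature, so the result must never be accepted by a verifier.
    """
    header = json.dumps({"alg": "RS256", "typ": "JWT"})
    return f"{_b64url_encode(header)}.{_b64url_encode(payload_json)}.placeholder-signature"


def make_sample_token() -> str:
    """Constructed payload mimicking the layout described in the thread:
    a string 'scope' claim followed by an array 'scope' claim with the same name."""
    payload = (
        '{"sub":"rabbit_admin",'
        '"scope":"openid profile email rabbitmq.tag:administrator",'
        '"scope":["rabbitmq.read:*/*","rabbitmq.write:*/*","rabbitmq.configure:*/*"]}'
    )
    return make_token(payload)


def jwt_claims_with_duplicates(token: str):
    """Return the payload claims as an ordered list of (name, value) pairs.

    json.loads would silently collapse duplicate names; object_pairs_hook
    hands us every pair so duplicates survive. The signature is NOT checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    payload = _b64url_decode(parts[1]).decode("utf-8")
    return json.loads(payload, object_pairs_hook=lambda pairs: pairs)


def duplicate_claim_names(token: str):
    """Claim names that appear more than once at the top level of the payload."""
    names = [name for name, _ in jwt_claims_with_duplicates(token)]
    return sorted({n for n in names if names.count(n) > 1})


def scope_views(token: str):
    """(first-wins view, last-wins view) of the 'scope' claim, or (None, None)."""
    scopes = [value for name, value in jwt_claims_with_duplicates(token) if name == "scope"]
    if not scopes:
        return None, None
    return scopes[0], scopes[-1]


def stdlib_scope_view(token: str):
    """What a plain json.loads caller sees: Python's dict keeps the LAST duplicate."""
    payload = _b64url_decode(token.split(".")[1]).decode("utf-8")
    return json.loads(payload).get("scope")


if __name__ == "__main__":
    token = make_sample_token()
    print("duplicate claims:", duplicate_claim_names(token))
    first, last = scope_views(token)
    print("first-wins parser sees:", first)
    print("last-wins parser sees:", last)
```

Run it against a real access token by replacing the constructed one; a non-empty result from duplicate_claim_names is the signal that the identity provider's mappers are emitting the same claim twice, and the two views show exactly which scopes each consumer would act on.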

verhyppo commented 1 year ago

Hi @MarcialRosales, I used jwt.io too. In the access token in the first message, do you see the same behaviour you are reporting?

However, no worries, later today I'll try again and see how it works. Moreover, I'd like to try fixing the mapping so that we can craft the correct configuration. Thanks for the support so far. I'll keep you posted.

MarcialRosales commented 1 year ago

Hi @verhyppo, finally I resolved the issue. You can check out the changes done in the last commit on the main branch.

This is what I did:

Please rebase your PR and submit your changes around upgrading to Keycloak 20.0 and importing definitions rather than using a binary database.

verhyppo commented 1 year ago

Hi @MarcialRosales, thanks for the update.

I just pushed a new reviewed version of my original PR, but there is something else happening.

I created a queue and a vhost successfully 💯 However, there is something still not working:

Is there any chance you have some time left to have a look at it, or would you prefer me to open a separate issue, closing this one?

Thanks, Veronica.

2023-02-17 20:15:27.776993+00:00 [error] <0.780.0> ** Generic server <0.780.0> terminating
2023-02-17T20:15:27.778533072Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0> ** Last message in was {submit,#Fun<rabbit_mgmt_db.21.88141441>,<0.951.0>,
2023-02-17T20:15:27.778547067Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>                                reuse}
2023-02-17T20:15:27.778551667Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0> ** When Server state == {from,<0.951.0>,#Ref<0.4039360919.3377725441.227389>}
2023-02-17T20:15:27.778555918Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0> ** Reason for termination ==
2023-02-17T20:15:27.778559800Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0> ** {{badkey,{resource,<<"/">>,exchange,<<"mine">>}},
2023-02-17T20:15:27.778564445Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>     [{erlang,map_get,
2023-02-17T20:15:27.778568763Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>              [{resource,<<"/">>,exchange,<<"mine">>},#{}],
2023-02-17T20:15:27.778572868Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>              [{error_info,#{module => erl_erts_errors}}]},
2023-02-17T20:15:27.778576588Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>      {rabbit_mgmt_db,'-detail_exchange_stats/3-lc$^1/1-1-',4,
2023-02-17T20:15:27.778593714Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>                      [{file,"rabbit_mgmt_db.erl"},{line,548}]},
2023-02-17T20:15:27.778637074Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>      {worker_pool_worker,handle_call,3,
2023-02-17T20:15:27.778670721Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>                          [{file,"worker_pool_worker.erl"},{line,96}]},
2023-02-17T20:15:27.778679133Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>      {gen_server2,handle_msg,2,[{file,"gen_server2.erl"},{line,1046}]},
2023-02-17T20:15:27.778685109Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0>      {proc_lib,wake_up,3,[{file,"proc_lib.erl"},{line,250}]}]}
2023-02-17T20:15:27.778691402Z 2023-02-17 20:15:27.776993+00:00 [error] <0.780.0> 
2023-02-17T20:15:27.781415922Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>   crasher:
2023-02-17T20:15:27.781482392Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     initial call: worker_pool_worker:init/1
2023-02-17T20:15:27.781494153Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     pid: <0.780.0>
2023-02-17T20:15:27.781497790Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     registered_name: []
2023-02-17T20:15:27.781501175Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     exception exit: {{badkey,{resource,<<"/">>,exchange,<<"mine">>}},
2023-02-17T20:15:27.781505016Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                      [{erlang,map_get,
2023-02-17T20:15:27.781508269Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                           [{resource,<<"/">>,exchange,<<"mine">>},#{}],
2023-02-17T20:15:27.781511875Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                           [{error_info,#{module => erl_erts_errors}}]},
2023-02-17T20:15:27.781515214Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                       {rabbit_mgmt_db,'-detail_exchange_stats/3-lc$^1/1-1-',
2023-02-17T20:15:27.781518506Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                           4,
2023-02-17T20:15:27.781521653Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                           [{file,"rabbit_mgmt_db.erl"},{line,548}]},
2023-02-17T20:15:27.781525072Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                       {worker_pool_worker,handle_call,3,
2023-02-17T20:15:27.781528322Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                           [{file,"worker_pool_worker.erl"},{line,96}]},
2023-02-17T20:15:27.781531636Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                       {gen_server2,handle_msg,2,
2023-02-17T20:15:27.781534848Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                           [{file,"gen_server2.erl"},{line,1046}]},
2023-02-17T20:15:27.781552623Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                       {proc_lib,wake_up,3,
2023-02-17T20:15:27.781556249Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                           [{file,"proc_lib.erl"},{line,250}]}]}
2023-02-17T20:15:27.781560667Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>       in function  gen_server2:terminate/3 (gen_server2.erl, line 1183)
2023-02-17T20:15:27.781563951Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     ancestors: [management_worker_pool_sup,rabbit_mgmt_sup,
2023-02-17T20:15:27.781567474Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                   rabbit_mgmt_sup_sup,<0.748.0>]
2023-02-17T20:15:27.781570804Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     message_queue_len: 0
2023-02-17T20:15:27.781573964Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     messages: []
2023-02-17T20:15:27.781577168Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     links: [<0.777.0>]
2023-02-17T20:15:27.781580450Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     dictionary: [{rand_seed,{#{jump => #Fun<rand.3.34006561>,
2023-02-17T20:15:27.781584655Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                                 max => 288230376151711743,
2023-02-17T20:15:27.781588647Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                                 next => #Fun<rand.5.34006561>,type => exsplus},
2023-02-17T20:15:27.781592324Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                               [53255880786163144|18807281377592731]}},
2023-02-17T20:15:27.781595702Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                   {worker_pool_name,management_worker_pool},
2023-02-17T20:15:27.781598879Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>                   {worker_pool_worker,true}]
2023-02-17T20:15:27.781602016Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     trap_exit: false
2023-02-17T20:15:27.781605174Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     status: running
2023-02-17T20:15:27.781608597Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     heap_size: 6772
2023-02-17T20:15:27.781611685Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     stack_size: 28
2023-02-17T20:15:27.781614861Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>     reductions: 12410
2023-02-17T20:15:27.781618170Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0>   neighbours:
2023-02-17T20:15:27.781621391Z 2023-02-17 20:15:27.778157+00:00 [error] <0.780.0> 
2023-02-17T20:15:27.781902355Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>     supervisor: {local,management_worker_pool_sup}
2023-02-17T20:15:27.781920760Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>     errorContext: child_terminated
2023-02-17T20:15:27.781926796Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>     reason: {{badkey,{resource,<<"/">>,exchange,<<"mine">>}},
2023-02-17T20:15:27.781933383Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>              [{erlang,map_get,
2023-02-17T20:15:27.781936755Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                       [{resource,<<"/">>,exchange,<<"mine">>},#{}],
2023-02-17T20:15:27.781940443Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                       [{error_info,#{module => erl_erts_errors}}]},
2023-02-17T20:15:27.781943733Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>               {rabbit_mgmt_db,'-detail_exchange_stats/3-lc$^1/1-1-',4,
2023-02-17T20:15:27.781946895Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                               [{file,"rabbit_mgmt_db.erl"},{line,548}]},
2023-02-17T20:15:27.781950279Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>               {worker_pool_worker,handle_call,3,
2023-02-17T20:15:27.781953649Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                                   [{file,"worker_pool_worker.erl"},{line,96}]},
2023-02-17T20:15:27.781956985Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>               {gen_server2,handle_msg,2,
2023-02-17T20:15:27.781960133Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                            [{file,"gen_server2.erl"},{line,1046}]},
2023-02-17T20:15:27.781964343Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>               {proc_lib,wake_up,3,[{file,"proc_lib.erl"},{line,250}]}]}
2023-02-17T20:15:27.781969546Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>     offender: [{pid,<0.780.0>},
2023-02-17T20:15:27.781975767Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                {id,2},
2023-02-17T20:15:27.781978934Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                {mfargs,
2023-02-17T20:15:27.781983594Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                    {worker_pool_worker,start_link,[management_worker_pool]}},
2023-02-17T20:15:27.781989568Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                {restart_type,transient},
2023-02-17T20:15:27.781993201Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                {significant,false},
2023-02-17T20:15:27.782004615Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                {shutdown,4294967295},
2023-02-17T20:15:27.782008417Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0>                {child_type,worker}]
2023-02-17T20:15:27.782011645Z 2023-02-17 20:15:27.780592+00:00 [error] <0.777.0> 
2023-02-17T20:15:27.784139016Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>   crasher:
2023-02-17T20:15:27.784256515Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     initial call: cowboy_stream_h:request_process/3
2023-02-17T20:15:27.784274737Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     pid: <0.951.0>
2023-02-17T20:15:27.784281437Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     registered_name: []
2023-02-17T20:15:27.784286928Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     exception exit: {{{{badkey,{resource,<<"/">>,exchange,<<"mine">>}},
2023-02-17T20:15:27.784331008Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                        [{erlang,map_get,
2023-02-17T20:15:27.784340161Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                             [{resource,<<"/">>,exchange,<<"mine">>},#{}],
2023-02-17T20:15:27.784346451Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                             [{error_info,#{module => erl_erts_errors}}]},
2023-02-17T20:15:27.784351777Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                         {rabbit_mgmt_db,
2023-02-17T20:15:27.784356528Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                             '-detail_exchange_stats/3-lc$^1/1-1-',4,
2023-02-17T20:15:27.784361775Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                             [{file,"rabbit_mgmt_db.erl"},{line,548}]},
2023-02-17T20:15:27.784367457Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                         {worker_pool_worker,handle_call,3,
2023-02-17T20:15:27.784372224Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                             [{file,"worker_pool_worker.erl"},{line,96}]},
2023-02-17T20:15:27.784377171Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                         {gen_server2,handle_msg,2,
2023-02-17T20:15:27.784381880Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                             [{file,"gen_server2.erl"},{line,1046}]},
2023-02-17T20:15:27.784387065Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                         {proc_lib,wake_up,3,
2023-02-17T20:15:27.784411238Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                             [{file,"proc_lib.erl"},{line,250}]}]},
2023-02-17T20:15:27.784419633Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {gen_server2,call,
2023-02-17T20:15:27.784424312Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [<0.780.0>,
2023-02-17T20:15:27.784429691Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                            {submit,#Fun<rabbit_mgmt_db.21.88141441>,
2023-02-17T20:15:27.784434424Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                                <0.951.0>,reuse},
2023-02-17T20:15:27.784439356Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                            infinity]}},
2023-02-17T20:15:27.784444113Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                      [{gen_server2,call,3,
2023-02-17T20:15:27.784449287Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"gen_server2.erl"},{line,346}]},
2023-02-17T20:15:27.784454490Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {rabbit_mgmt_wm_exchange,to_json,2,
2023-02-17T20:15:27.784459398Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"rabbit_mgmt_wm_exchange.erl"},{line,44}]},
2023-02-17T20:15:27.784465071Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {cowboy_rest,call,3,
2023-02-17T20:15:27.784470039Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"src/cowboy_rest.erl"},{line,1575}]},
2023-02-17T20:15:27.784475419Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {cowboy_rest,set_resp_body,2,
2023-02-17T20:15:27.784481380Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"src/cowboy_rest.erl"},{line,1464}]},
2023-02-17T20:15:27.784485617Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {cowboy_rest,upgrade,4,
2023-02-17T20:15:27.784489339Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"src/cowboy_rest.erl"},{line,284}]},
2023-02-17T20:15:27.784493984Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {cowboy_stream_h,execute,3,
2023-02-17T20:15:27.784499670Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"src/cowboy_stream_h.erl"},{line,300}]},
2023-02-17T20:15:27.784504933Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {cowboy_stream_h,request_process,3,
2023-02-17T20:15:27.784520228Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"src/cowboy_stream_h.erl"},{line,291}]},
2023-02-17T20:15:27.784524004Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                       {proc_lib,init_p_do_apply,3,
2023-02-17T20:15:27.784527283Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                           [{file,"proc_lib.erl"},{line,240}]}]}
2023-02-17T20:15:27.784530957Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>       in function  gen_server2:call/3 (gen_server2.erl, line 346)
2023-02-17T20:15:27.784534230Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>       in call from rabbit_mgmt_wm_exchange:to_json/2 (rabbit_mgmt_wm_exchange.erl, line 44)
2023-02-17T20:15:27.784537387Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>       in call from cowboy_rest:call/3 (src/cowboy_rest.erl, line 1575)
2023-02-17T20:15:27.784540495Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>       in call from cowboy_rest:set_resp_body/2 (src/cowboy_rest.erl, line 1464)
2023-02-17T20:15:27.784543837Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>       in call from cowboy_rest:upgrade/4 (src/cowboy_rest.erl, line 284)
2023-02-17T20:15:27.784547098Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>       in call from cowboy_stream_h:execute/3 (src/cowboy_stream_h.erl, line 300)
2023-02-17T20:15:27.784550389Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>       in call from cowboy_stream_h:request_process/3 (src/cowboy_stream_h.erl, line 291)
2023-02-17T20:15:27.784553646Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     ancestors: [<0.786.0>,<0.754.0>,<0.752.0>,<0.751.0>,<0.749.0>,
2023-02-17T20:15:27.784557068Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>                   rabbit_web_dispatch_sup,<0.738.0>]
2023-02-17T20:15:27.784560335Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     message_queue_len: 0
2023-02-17T20:15:27.784563583Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     messages: []
2023-02-17T20:15:27.784567144Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     links: [<0.786.0>]
2023-02-17T20:15:27.784570329Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     dictionary: [{{xtype_to_module,topic},rabbit_exchange_type_topic}]
2023-02-17T20:15:27.784573870Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     trap_exit: false
2023-02-17T20:15:27.784604482Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     status: running
2023-02-17T20:15:27.784612820Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     heap_size: 6772
2023-02-17T20:15:27.784631484Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     stack_size: 28
2023-02-17T20:15:27.784643304Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>     reductions: 16973
2023-02-17T20:15:27.784647567Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0>   neighbours:
2023-02-17T20:15:27.784650999Z 2023-02-17 20:15:27.780662+00:00 [error] <0.951.0> 
2023-02-17T20:15:27.786396523Z 2023-02-17 20:15:27.783902+00:00 [error] <0.786.0> Ranch listener {acceptor,{0,0,0,0,0,0,0,0},15672}, connection process <0.786.0>, stream 69 had its request process <0.951.0> exit with reason {{{badkey,{resource,<<"/">>,exchange,<<"mine">>}},[{erlang,map_get,[{resource,<<"/">>,exchange,<<"mine">>},#{}],[{error_info,#{module => erl_erts_errors}}]},{rabbit_mgmt_db,'-detail_exchange_stats/3-lc$^1/1-1-',4,[{file,"rabbit_mgmt_db.erl"},{line,548}]},{worker_pool_worker,handle_call,3,[{file,"worker_pool_worker.erl"},{line,96}]},{gen_server2,handle_msg,2,[{file,"gen_server2.erl"},{line,1046}]},{proc_lib,wake_up,3,[{file,"proc_lib.erl"},{line,250}]}]},{gen_server2,call,[<0.780.0>,{submit,#Fun<rabbit_mgmt_db.21.88141441>,<0.951.0>,reuse},infinity]}} and stacktrace [{gen_server2,call,3,[{file,"gen_server2.erl"},{line,346}]},{rabbit_mgmt_wm_exchange,to_json,2,[{file,"rabbit_mgmt_wm_exchange.erl"},{line,44}]},{cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1575}]},{cowboy_rest,set_resp_body,2,[{file,"src/cowboy_rest.erl"},{line,1464}]},{cowboy_rest,upgrade,4,[{file,"src/cowboy_rest.erl"},{line,284}]},{cowboy_stream_h,execute,3,[{file,"src/cowboy_stream_h.erl"},{line,300}]},{cowboy_stream_h,request_process,3,[{file,"src/cowboy_stream_h.erl"},{line,291}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,240}]}]
2023-02-17T20:15:27.786514490Z 2023-02-17 20:15:27.783902+00:00 [error] <0.786.0> 
MarcialRosales commented 1 year ago

@verhyppo I have pushed a minor change which addresses the issue you are having. I was able to reproduce it too. Thanks for reporting it. I was not able to reproduce the issue when binding the queue but when viewing an exchange.

alexandernajafi commented 1 year ago

@MarcialRosales I just tried with the latest commit but I am still failing to create a binding of type topic. These are the steps to reproduce:

  1. Start Keycloak using make start-keycloak
  2. Start RabbitMQ using export MODE=keycloak and make start-rabbitmq
  3. Open management UI on http://localhost:15672
  4. Create a queue (set a name and leave all other settings as default)
  5. Create an exchange of type topic (important to select topic to reproduce issue, set a name and leave all other settings as default)
  6. Click the newly created exchange and create a binding for the topic you created in step 4

When the binding is created I get an error message saying Access Refused (same as Fredrik above).

MarcialRosales commented 1 year ago

Hi @alexandernajafi, I have updated this section of the docs to make it clearer that to operate topic exchanges we need to have the appropriate scopes/permissions. More specifically, to bind a queue to an exchange we need the write permission on the routing key, e.g., rabbitmq.write:*/*/*, and read permission on the exchange, rabbitmq.read:*/*/*.

I am going to add a section to the tutorial about topic exchanges because many people are having this same issue.

Thanks for reporting this issue!
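
The distinction in the comment above is between a two-part scope such as rabbitmq.write:*/* (vhost and resource name) and a three-part scope such as rabbitmq.write:*/*/* that also carries a routing-key pattern; only the latter can satisfy a topic check. The following is an added example (not the tutorial's code and not the RabbitMQ OAuth2 plugin's Erlang implementation) that parses scopes of the form rabbitmq.<permission>:<vhost>/<name>[/<routing-key>], treats `*` as a wildcard, and reports which of the two topic checks named above a given scope list fails to satisfy. It is a simplified model: vhost and name patterns are compared literally with no percent-decoding, and the two constructed scope lists are illustrative inputs.

```python
import re

# Resource scope grammar: rabbitmq.<perm>:<vhost>/<name>[/<routing-key>]
# Tag scopes (rabbitmq.tag:administrator) and OIDC scopes (openid) do not match.
SCOPE_RE = re.compile(
    r"^rabbitmq\.(?P<perm>configure|read|write):"
    r"(?P<vhost>[^/]+)/(?P<name>[^/]+)(?:/(?P<rk>[^/]+))?$"
)

# Constructed scope lists for illustration.
TWO_PART_SCOPES = ["rabbitmq.read:*/*", "rabbitmq.write:*/*",
                   "rabbitmq.configure:*/*", "rabbitmq.tag:administrator"]
THREE_PART_SCOPES = ["rabbitmq.read:*/*/*", "rabbitmq.write:*/*/*",
                     "rabbitmq.configure:*/*"]


def parse_scope(scope: str):
    """Split a resource scope into (perm, vhost, name, routing_key_or_None).
    Returns None for scopes that are not resource scopes."""
    m = SCOPE_RE.match(scope)
    if m is None:
        return None
    return m.group("perm"), m.group("vhost"), m.group("name"), m.group("rk")


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else is literal (simplified)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def resource_access(scopes, perm: str, vhost: str, name: str) -> bool:
    """Plain resource check on vhost and name; a routing-key part, if present, is ignored."""
    for scope in scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            continue
        p, v, n, _ = parsed
        if p == perm and wildcard_match(v, vhost) and wildcard_match(n, name):
            return True
    return False


def topic_access(scopes, perm: str, vhost: str, exchange: str, routing_key: str) -> bool:
    """Topic check: only scopes that carry a third, routing-key part can grant it."""
    for scope in scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            continue
        p, v, n, rk = parsed
        if rk is None:
            continue  # two-part scopes never satisfy a topic check
        if (p == perm and wildcard_match(v, vhost)
                and wildcard_match(n, exchange) and wildcard_match(rk, routing_key)):
            return True
    return False


def missing_for_topic_bind(scopes, vhost: str, exchange: str, routing_key: str):
    """The two checks named in the comment above (write on the routing key, read on
    the exchange, both with a routing-key part). Returns the scope shapes still missing."""
    missing = []
    if not topic_access(scopes, "write", vhost, exchange, routing_key):
        missing.append("rabbitmq.write:<vhost>/<exchange>/<routing-key>")
    if not topic_access(scopes, "read", vhost, exchange, routing_key):
        missing.append("rabbitmq.read:<vhost>/<exchange>/<routing-key>")
    return missing


if __name__ == "__main__":
    for label, scopes in (("two-part", TWO_PART_SCOPES), ("three-part", THREE_PART_SCOPES)):
        print(label, "declare queue:", resource_access(scopes, "configure", "/", "asd"))
        print(label, "topic bind missing:", missing_for_topic_bind(scopes, "/", "mine", "a.b"))
```

With the two-part list the queue declare succeeds while the topic bind reports both scopes missing, which is the Access Refused the reporters saw after fixing the duplicate-claim problem; with the three-part list both checks pass.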

MarcialRosales commented 1 year ago

@alexandernajafi I have updated the official RabbitMQ docs (on a PR atm) but also this tutorial (https://github.com/rabbitmq/rabbitmq-oauth2-tutorial#messaging-on-topic-exchanges) to make it clearer what scopes are needed to operate on topic exchanges.

MarcialRosales commented 1 year ago

Hi @verhyppo, can we close this issue?