rabbitmq / rabbitmq-server

Open source RabbitMQ: core server and tier 1 (built-in) plugins
https://www.rabbitmq.com/

SASL PLAIN authentication fails if client includes non zero length authzid #2586

Open k-wall opened 4 years ago

k-wall commented 4 years ago

I am trying to connect software that uses Apache Qpid Proton to RabbitMQ. I wish to authenticate with user name and password. I notice that the SASL PLAIN authentication fails if the initial-response includes a non-zero authzid part.

Demonstrating the issue with the Qpid Proton C++ example simple_connect (0.30.0) on Fedora release 31:

$ ./simple_connect -u guest -p guest -m PLAIN -i
[0x5d7b50]: SASL:FRAME:  -> SASL
[0x5d7b50]: SASL:FRAME:  <- SASL
[0x5d7b50]: AMQP:FRAME:0 <- @sasl-mechanisms(64) [sasl-server-mechanisms=@PN_SYMBOL[:ANONYMOUS, :PLAIN]]
[0x5d7b50]: AMQP:FRAME:0 -> @sasl-init(65) [mechanism=:PLAIN, initial-response=b"guest\x00guest\x00guest"]
[0x5d7b50]:   IO:FRAME:  -> EOS
proton:io: Connection reset by peer - disconnected 127.0.0.1:5672

On the RabbitMQ side, I see the following:

2020-05-10 09:04:18.778 [info] <0.2020.0> accepting AMQP connection <0.2020.0> (127.0.0.1:41106 -> 127.0.0.1:5672)
2020-05-10 09:04:21.814 [error] <0.2020.0> closing AMQP connection <0.2020.0> (127.0.0.1:41106 -> 127.0.0.1:5672):
{handshake_error,starting,0,{'v1_0.error',{symbol,<<"amqp:decode-error">>},{utf8,<<"response <<103,117,101,115,116,0,103,117,101,115,116,0,103,117,101,115,116>> invalid">>},undefined}}

I don't think RabbitMQ has the concept of one user assuming the identity of another, but if authzid == authcid (as is my case here), I think RabbitMQ ought to accept the authentication.

If I try with a client that does not send the authzid part I see no problem.
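The trace above shows the wire format at issue: a SASL PLAIN initial response is `[authzid] NUL authcid NUL passwd` (RFC 4616), and Proton sent `guest\0guest\0guest`, which RabbitMQ rejected with `amqp:decode-error`. The following is an added example, not RabbitMQ's or Qpid Proton's code, showing a parser for that message plus the acceptance policy the report proposes: an empty authzid or one equal to authcid is accepted, anything else is refused rather than silently ignored. The user table, the salt and the function names are assumptions made for the demonstration.

```python
"""Parse and check a SASL PLAIN initial response (RFC 4616).

Added example; not RabbitMQ's or Qpid Proton's code. USERS, _SALT and the
function names are constructed for this demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass

NUL = b"\x00"

# Constructed user table: authcid -> PBKDF2-SHA256 digest of the password.
_SALT = b"example-salt-not-for-production"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USERS = {"guest": _digest("guest")}
# Digest compared against when the user is unknown, so the code path does
# the same amount of work whether or not the authcid exists.
_UNKNOWN_USER_DIGEST = _digest("unknown-user-placeholder")


@dataclass(frozen=True)
class PlainCredentials:
    authzid: str   # authorization identity; empty means "same as authcid"
    authcid: str   # authentication identity (the user name)
    passwd: str


def parse_plain(initial_response: bytes) -> PlainCredentials:
    """Split `[authzid] NUL authcid NUL passwd` into its three fields.

    Raises ValueError for anything other than exactly two NUL separators
    with a non-empty authcid and passwd (the server's "decode error" case).
    """
    parts = initial_response.split(NUL)
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message needs exactly two NUL separators")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise ValueError("fields must be valid UTF-8") from exc
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return PlainCredentials(authzid, authcid, passwd)


def authenticate(initial_response: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one SASL PLAIN initial response.

    Policy for a server with no proxy-authorization concept: an empty
    authzid, or one equal to authcid, is accepted; any other authzid is
    rejected explicitly so a client is never granted an identity it did
    not authenticate as.
    """
    try:
        creds = parse_plain(initial_response)
    except ValueError as exc:
        return False, f"decode-error: {exc}"

    if creds.authzid and creds.authzid != creds.authcid:
        return False, "authzid must be empty or equal to authcid"

    expected = USERS.get(creds.authcid, _UNKNOWN_USER_DIGEST)
    presented = _digest(creds.passwd)
    # Constant-time comparison; the unknown-user case still runs it so that
    # timing does not reveal which user names exist.
    password_ok = hmac.compare_digest(expected, presented)
    if creds.authcid not in USERS or not password_ok:
        return False, "unauthorized"
    return True, f"authenticated as {creds.authcid}"


if __name__ == "__main__":
    # First message is the exact initial-response from the Proton trace.
    for msg in (b"guest\x00guest\x00guest",   # authzid == authcid
                b"\x00guest\x00guest",        # no authzid
                b"admin\x00guest\x00guest",   # authzid differs from authcid
                b"guest\x00guest"):           # malformed, one separator
        print(msg, "->", authenticate(msg))
```

Run it directly to see the four cases decided; the first two are accepted, the third is refused because the server cannot honour a different authorization identity, and the fourth is a decode error. A server that wanted RabbitMQ's observed behaviour instead would reject at the `creds.authzid` check whenever the field is non-empty.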

IDonut commented 4 years ago

I'm seeing the same thing in an Openshift cluster when using AMQ Interconnect Router (customised Qpid Dispatch Router) to connect to RabbitMQ. As far as I can tell there is no way to prevent the dispatch router from sending the authzid, which means that a connection is never established. Is there any kind of workaround for this, because I'm now at my wits' end?

k-wall commented 4 years ago

@IDonut I ended up using TLS client auth for authentication to side step the problem.

IDonut commented 4 years ago

Brilliant, thanks @k-wall. I've done the same thing. It seems like an incredible over-complication for something that should be so simple but at least it works.