Closed lukebakken closed 11 months ago
Hm, even with RabbitMQ 3.11.9 I can see that the password is not passed to the auth backend for an AMQP 1.0 connection:

```
INFO <QueryDict: {'username': ['admin']}>
INFO "GET /auth/user?username=admin HTTP/1.1" 200 4
```

This is what I see when I run `rabbitmqctl authenticate_user admin foobar`:

```
INFO <QueryDict: {'username': ['admin'], 'password': ['foobar']}>
INFO "GET /auth/user?username=admin&password=foobar HTTP/1.1" 200 19
```

...and this is what I see with a regular AMQP 0.9.1 connection via this test program:

```
INFO <QueryDict: {'username': ['admin'], 'password': ['foobar']}>
INFO "GET /auth/user?username=admin&password=foobar HTTP/1.1" 200 19
INFO <QueryDict: {'username': ['admin'], 'vhost': ['/'], 'ip': ['::ffff:127.0.0.1'], 'tags': ['administrator']}>
INFO "GET /auth/vhost?username=admin&vhost=%2F&ip=%3A%3Affff%3A127.0.0.1&tags=administrator HTTP/1.1" 200 5
```

Continuing to investigate...
cc @michaelklishin
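
The following is an added example, not code from this thread or from RabbitMQ: a sketch of an HTTP auth backend's `/auth/user` decision that fails closed when the broker sends no `password` parameter, plus a check that flags such requests in the backend's access log. The `USERS` store and the function names are assumptions made for illustration; the response bodies `deny` and `allow <tags>` are the plain-text replies the RabbitMQ HTTP auth backend expects.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed credential store for the example; a real backend would check
# a salted password hash, not a plaintext value.
USERS = {"admin": ("foobar", "administrator")}

def decide_user(url: str) -> str:
    """Return the response body for a /auth/user request, failing closed."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    username = params.get("username", [""])[0]
    password = params.get("password")  # None when the broker omitted it
    record = USERS.get(username)
    if record is None or password is None:
        return "deny"
    expected, tags = record
    if not hmac.compare_digest(password[0].encode(), expected.encode()):
        return "deny"
    return f"allow {tags}"

def requests_missing_password(log_lines):
    """Yield /auth/user request lines that carried no password parameter."""
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 3:
            continue  # not an access-log request line
        fields = parts[1].split()  # ['GET', '/auth/user?...', 'HTTP/1.1']
        if len(fields) < 2:
            continue
        url = urlsplit(fields[1])
        if url.path != "/auth/user":
            continue
        if "password" not in parse_qs(url.query, keep_blank_values=True):
            yield line

# Request lines as they appear in the backend log quoted in this thread.
SAMPLE_LOG = [
    'INFO "GET /auth/user?username=admin HTTP/1.1" 200 4',
    'INFO "GET /auth/user?username=admin&password=foobar HTTP/1.1" 200 19',
    'INFO "GET /auth/vhost?username=admin&vhost=%2F&ip=%3A%3Affff%3A127.0.0.1'
    '&tags=administrator HTTP/1.1" 200 5',
]

if __name__ == "__main__":
    for line in requests_missing_password(SAMPLE_LOG):
        print("no password supplied:", line)
```
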
@motmot80 well, testing with the RabbitMQ 3.10.x branch still fails. It appears that the AMQP 1.0 plugin hasn't sent the supplied password to the HTTP auth backend for quite a while now:

```
INFO <QueryDict: {'username': ['admin']}>
INFO "GET /auth/user?username=admin HTTP/1.1" 200 4
```

In your environment, does your HTTP auth server bother to look at the password supplied or is it just the username?
I'm moving on to just fixing this issue rather than trying to understand when it broke, or if it ever worked 😹
It looks like PR #6931 is what broke the combination of the AMQP 1.0 plugin and multiple auth backends. cc @MarcialRosales @michaelklishin
Addressed in #9045.
@motmot80 would you be able to test #9045 with an OCI (Docker) image or do you need a specific package (e.g. Debian or Windows)?
@MarcialRosales @lukebakken is this not applicable to `main` and `v3.12.x`?
@michaelklishin yes, it should be applied to `main` and `v3.12.x`. Let me know if there are any conflicts. If there is any conflict around the selenium tests, just do not merge those changes.
In any case, I am putting together a PR with `main` as base with the fix plus some other fixes around the test scripts. I am tagging it with backport to `v3.12.x`. I will make sure there are no conflicts.
Re-opening since #9045 is not the correct fix.
> @motmot80 would you be able to test #9045 with an OCI (Docker) image or do you need a specific package (e.g. Debian or Windows)?

@michaelklishin We retested https://github.com/rabbitmq/rabbitmq-server-binaries-dev/releases/tag/v3.11.21-alpha.16 fix in one of our dev reference environments (RHEL 8, Erlang 25.3.2.3).
Works like a charm!
Thanks for the quick support.
Best regards Thomas
@lukebakken After upgrading to 3.12.13-debian-12-r2 the problem occurs again.
Hi @motmot80 - could you please do the following:
Thanks
Hi @motmot80, I am not able to reproduce this issue in 3.12.13 (docker image). Could you please provide rabbitmq logs with debug level enabled and also the token you are using? Thanks
Discussed in https://github.com/rabbitmq/rabbitmq-server/discussions/9031
RabbitMQ stack trace
```
2023-08-09 09:32:15.505849-07:00 [info] <0.822.0> accepting AMQP connection <0.822.0> (127.0.0.1:39236 -> 127.0.0.1:5672)
2023-08-09 09:32:15.513829-07:00 [debug] <0.822.0> User 'admin' failed authentication by backend rabbit_auth_backend_internal
2023-08-09 09:32:15.513994-07:00 [debug] <0.822.0> auth_backend_http: GET http://localhost:8000/auth/user?username=admin&password=foobar
2023-08-09 09:32:15.514031-07:00 [debug] <0.822.0> auth_backend_http: request timeout: 15000, connection timeout: 15000
2023-08-09 09:32:15.516584-07:00 [debug] <0.822.0> auth_backend_http: response code is 200, body: "allow administrator"
2023-08-09 09:32:15.516672-07:00 [debug] <0.822.0> User 'admin' authenticated successfully by backend rabbit_auth_backend_http
2023-08-09 09:32:15.516725-07:00 [info] <0.822.0> AMQP 1.0 connection <0.822.0>: user 'admin' authenticated
2023-08-09 09:32:15.525831-07:00 [debug] <0.822.0> AMQP 1.0 connection.open frame: hostname = localhost, extracted vhost = /, idle_timeout = 60000
2023-08-09 09:32:15.531141-07:00 [warning] <0.830.0> AMQP 0-9-1 client call timeout was 70000 ms, is updated to a safe effective value of 130000 ms
2023-08-09 09:32:15.537525-07:00 [debug] <0.834.0> User 'admin' authentication failed with exit:{unknown_auth_props,<<"admin">>,
2023-08-09 09:32:15.537525-07:00 [debug] <0.834.0> [{rabbit_auth_backend_http,
2023-08-09 09:32:15.537525-07:00 [debug] <0.834.0> #Fun