RabbitMQ user authorization to read queues but prevent purge access - rabbitmq

I added a user in RabbitMQ and edited the permissions to read ".*" in the RabbitMQ admin console.
The output of the command list_permissions shows that the user "readman" only has read permissions.
$ rabbitmqctl list_permissions --vhost /
Listing permissions for vhost "/" ...
user configure write read
admin .* .* .*
guest .* .* .*
readman .*
However, I can still purge messages from the queue when logged in as "readman". Is this expected? How can I enable an user to view the queues and messages, but not to purge the queues's messages?

Yes this is expected , since as per the permission table the amqp ( 0-9-1 ) operation for queue.purge requires only READ permission on the queue , so any user who has a read permission on a queue will be able to purge that queue as well.

Related

Not able to persist ACL users in ACL file in Redis

I am facing a peculiar issue.
In my redis.conf file, at first I enable a password authentication by setting:
requirepass admin
When I connect to Redis via CLI, I am required to authenticate myself before continuing any operation, so all good so far:
127.0.0.1:6379> get name
(error) NOAUTH Authentication required.
127.0.0.1:6379> auth admin
OK
127.0.0.1:6379> get name
"sahay"
Now, I try to create a ACL user by running:
127.0.0.1:6379> acl setuser nonadminuser on >generalpassword +#all -#dangerous ~*
OK
So far so good, now I want to persist this new user to a ACL file, so I run:
127.0.0.1:6379> acl save
(error) ERR This Redis instance is not configured to use an ACL file. You may want to specify users via the ACL SETUSER command and then issue a CONFIG REWRITE (assuming you have a Redis configuration file set) in order to store users in the Redis configuration.
This is also OK, since I have not set any configuration of aclfile in my redis.conf.
So, I stop my redis server and add this line in my redis.conf file:
aclfile /Ankit/redis_installation/redis-stable/acl_users.acl
I also create a acl_users.acl file in the above mentioned directory, because without it Redis throws an error that no such file exists.
Now comes the peculiar part. When I start redis, and connect to it via CLI, it doesn't ask me to authenticate! Even though
requirepass admin
is set in the redis.conf file. In fact, it throws error when I try to run a password.
127.0.0.1:6379> get name
"sahay"
127.0.0.1:6379> auth admin
(error) ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
Also, when I do an ACL save now (after creating the new user), that new user is created and persisted in acl file but the strange thing is default user is stored with "nopass"
Why is default user configured as nopass even when config file has a requirepass clause?
requirepass is not compatible with ACL feature. If you config with ACL rules, requirepass is ignored. That's why you can operate Redis as the default user without sending auth command.
With ACL feature, you need to explicitly set a rule for default user.
user default on +#all ~* >password

Multiple federation policies in RabbitMQ

I have a number of RabbitMQ servers arranged effectively in a star topology. I need to federate a different exchange bi-directionally between the central hub server and each of the outer servers. Configuration of the outer servers isn't problematic, but although the exchanges are different the hub doesn't want to accept more than one federation policy.
Defining multiple upstreams and upstream sets works as expected:
$ rabbitmqctl list_parameters
Listing runtime parameters ...
federation-upstream-set leaf1 [{"upstream":"leaf1-1"}]
federation-upstream-set leaf2 [{"upstream":"leaf2-1"}]
federation-upstream leaf2-1 {"uri":"--snipped--","expires":3600000}
federation-upstream leaf1-1 {"uri":"--snipped--","expires":3600000}
...done.
The first federation policy applies as expected:
$ rabbitmqctl set_policy --apply-to exchanges federate-me "^leaf1$" '{"federation-upstream-set":"leaf1"}'
Setting policy "federate-me" for pattern "^leaf1$" to "{\"federation-upstream-set\":\"leaf1\"}" with priority "0" ...
...done.
$ rabbitmqctl list_policies
Listing policies ...
/ federate-me exchanges ^leaf1$ {"federation-upstream-set":"leaf1"} 0
...done.
But as soon as I try to specify a second federation policy, it simply replaces the first one:
$ rabbitmqctl set_policy --apply-to exchanges federate-me "^leaf2$" '{"federation-upstream-set":"leaf2"}'
Setting policy "federate-me" for pattern "^leaf2$" to "{\"federation-upstream-set\":\"leaf2\"}" with priority "0" ...
...done.
$ rabbitmqctl list_policies
Listing policies ...
/ federate-me exchanges ^leaf2$ {"federation-upstream-set":"leaf2"} 0
...done.
It doesn't matter if I specify different priorities for the two policies, either; whatever I do, only the single most recently entered federation policy is listed. I know that only a single policy can apply to each exchange, but the exchange specification for each policy here is different, and moreover the documentation suggests that the policy with the highest priority should win in the event that there are multiple matching policies.
Can anyone help?
You have to specify unique name for each policy you want to add. Setting different policy with existent name will just override existent policy with that name.

RabbitMQ set_permissions syntax

I've installed rabbitmq and it's running.
I've successfully add_user as well as add_vhost. But in the next step of the documentation it says to set_permissions and I'm failing.
I get Error: could not recognise command when I enter the following:
$ sudo rabbitmqctl set_permissions -p myvhost myuser ".*" ".*" ".*"
(this is copy and pasted verbatim from the documentation so it seems a bit ridiculous that it doesn't work.. And 'recognise' being misspelled in the error msg isn't helping)
My question is what does ".*" ".*" ".*" mean/stand for?
From the documentation
set_permissions [-p vhostpath] {user} {conf} {write} {read}
vhostpath - The name of the virtual host to which to grant the user
access, defaulting to /.
user - The name of the user to grant access to the specified virtual
host.
conf - A regular expression matching resource names for which the
user is granted configure permissions.
write - A regular expression matching resource names for which the
user is granted write permissions.
read - A regular expression matching
resource names for which the user is granted read permissions.
To answer your question specifically, ".*" ".*" ".*" is a set of three regular expressions (applying to configure, write, and read) which will match all the permissions available (. will match any character, * will match any number of the preceding character)
.* means you have full permissions
^$ means you don't have any permissons

RabbitMQ 3.3.1 can not login with guest/guest

I have installed the latest version of RabbitMQ on a VPS Debian Linux box. Tried to get login through guest/guest but returned with the message login failed. I did a little research and found that for security reason its prohibited to get login via guest/guest remotely.
I also have tried enabling guest uses on this version to get logged in remotely by creating a rabbitmq.config file manually (because the installation didn't create one) and placing the following entry only
[{rabbit, [{loopback_users, []}]}].
after restart the rabbitmq with the following command.
invoke-rc.d rabbitmq-server stop -- to stop
invoke-rc.d rabbitmq-server start -- to start
It still doesn't logged me in with guest/guest. I also have tried installing RabbitMQ on Windows VPS and tried to get log in via guest/guest through localhost but again i get the same message login failed.
Also provide me a source where I could try installing the old version of RabbitMQ that does support logging remotely via guest/guest.
I had the same Problem..
I installed RabbitMQ and Enabled Web Interface also but still couldn't sign in with any user i newly created, this is because you need to be administrator to access this.
Do not create any config file and mess with it..
This is what i did then,
Add a new/fresh user, say user test and password test:
rabbitmqctl add_user test test
Give administrative access to the new user:
rabbitmqctl set_user_tags test administrator
Set permission to newly created user:
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
That's it, enjoy :)
I tried on Debian the same configuration with the following steps:
Installed RabbitMQ.
Enabled the web-management plug-in (not necessary).
When I tried to login I had the same error:
So I created a rabbitmq.config file (classic configuration file) inside the /etc/rabbitmq directory with the following content (notice the final dot):
[{rabbit, [{loopback_users, []}]}].
Alternatively, one can create instead a rabbitmq.conf file (new configuration file) inside the same directory with the following content:
loopback_users = none
Then I executed the invoke-rc.d rabbitmq-server start command and both the console and the Java client were able to connect using the guest/guest credentials:
So I think you have some other problem if this procedure doesn't work. For example your RabbitMQ might be unable to read the configuration file if for some reason you have changed the RABBITMQ_CONFIG_FILE environment variable.
This is a new features since the version 3.3.0. You can only login using guest/guest on localhost. For logging from other machines or on ip you'll have to create users and assign the permissions. This can be done as follows:
rabbitmqctl add_user test test
rabbitmqctl set_user_tags test administrator
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
Adding the below line in the config file and restarting the server worked for me. Kindly try in your setup.
loopback_users.guest = false
I got this line from the example RabbitMQ config file from Github as linked here.
notice: check your PORT is 15672 ! (version > 3.3 ) if 5672 not works
First of all, check the "choosen answer above":
rabbitmqctl add_user test test
rabbitmqctl set_user_tags test administrator
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
and if still can't make connection work, check if your port is correct!
for me, this command works:
$ rabbitmqadmin -H 10.140.0.2 -P 15672 -u test -p test list vhosts
+------+----------+
| name | messages |
+------+----------+
| / | |
+------+----------+
for the completed ports , check this:
What ports does RabbitMQ use?
to verify your rabbit mq server, check this: Verify version of rabbitmq
p.s.
For me, after I created the "test" user and run set_user_tags, set_permissions , I can't connect to rabbitmq via port 5672. but I can connect via 15672.
However, port 15672 always gives me a "blank response". and my code stop working.
so about 5 minutes later, I switched to 5672, everything worked!
Very wired problem. I have no time to dig deeper. so I wrote it down here for someone meeting the same problems.
for other guys which use Ansible for RabbitMQ provisioning, what I missed for rabbitmq_user module was tags: administrator
here is my working Ansible configuration to recreate "guest" user (for development environment purpose, don't do that in production environment):
- name: Create RabbitMQ user "guest"
become: yes
rabbitmq_user:
user: guest
password: guest
vhost: /
configure_priv: .*
read_priv: .*
write_priv: .*
tags: administrator
force: yes # recreate existing user
state: present
and I also had to setup a file /etc/rabbitmq/rabbitmq.config containing the following:
[{rabbit, [{loopback_users, []}]}].
in order to be able to log using "guest"/"guest" from outside of localhost
#Create rabbitmq.conf file with
rabbitmq.conf
loopback_users = none
Dockerfile:
FROM rabbitmq:3.7-management
#Rabbitmq config
COPY rabbitmq.conf /etc/rabbitmq/rabbitmq.conf
#Install vim (edit file)
RUN ["apt-get", "update"]
RUN ["apt-get", "-y", "install", "vim"]
#Enable plugins rabbitmq
RUN rabbitmq-plugins enable --offline rabbitmq_mqtt rabbitmq_federation_management rabbitmq_stomp
Run:
$ docker build -t my-rabbitmq-image .
$ docker run -d --hostname my-rabbit --name some-rabbit -p 8080:15672 my-rabbitmq-image
Check that the rabbitmq.conf file has been copied correctly.
$ docker exec -it my_container_id /bin/bash
$ vim /etc/rabbitmq/rabbitmq.conf
I had the same problem. I tried what was suggested by Gas and ran "invoke-rc.d rabbitmq-server start" it didn't start. I tried to reboot the server and the webui worked with the guest user. Maybe after adding the rabbitmq.config file, something else also needed to started.
I used rabbitmq version 3.5.3.
One more thing to note: if you're using AWS instance then you need to open inbound port 15672. (The port for RabbitMQ versions prior to 3.0 is 55672.).
Students and I stared at this problem for an hour. Be sure you've named your files correctly. In the /etc/rabbitmq directory, there are two distinct files. There is an /etc/rabbitmq/rabbitmq.config file which you should edit to get the loopback users as described, but there is another file called rabbitmq-env.conf file. Many folks were using tab completion and just adding "ig", which isn't the right file. Double check!
sometimes you don't need the comma , which is there in the configuration file by default , if nothing else is configured below rabbit tag , while starting broker
we will get a crash
like
{loopback_users, []} , I spend many times hours forgetting this and later removing the comma , it is applicable for all other configurations including SSL
Try restart your rabbitmq and login again, for me work.
For a slightly different use, but might be useful for anyone dealing with accessing the API for monitoring purposes:
I can confirm the answer given by #Oliboy50 works well, however make sure you enable it for each vhost you want the user to be able to monitor, such as:
permissions:
- vhost: "{{item.name}}"
configure_priv: .*
write_priv: .*
read_priv: .*
state: present
tags: management
with_items: "{{user_system_users}}"
With this loop I was able to get past the "401 Unauthorized" error when using the API for any vhost.
By default, the guest user is prohibited from connecting from remote hosts; it can only connect over a loopback interface (i.e. localhost). This applies to connections regardless of the protocol. Any other users will not (by default) be restricted in this way.
It is possible to allow the guest user to connect from a remote host
by setting the loopback_users configuration to none
# DANGER ZONE!
#
# allowing remote connections for default user is highly discouraged
# as it dramatically decreases the security of the system. Delete the user
# instead and create a new one with generated secure credentials.
loopback_users = none
Or, in the classic config file format (rabbitmq.config):
%% DANGER ZONE!
%%
%% Allowing remote connections for default user is highly discouraged
%% as it dramatically decreases the security of the system. Delete the user
%% instead and create a new one with generated secure credentials.
[{rabbit, [{loopback_users, []}]}].
See at "guest" user can only connect from localhost
TIP: It is advisable to delete the guest user or at least change its password to reasonably secure generated value that won't be known to the public.
If you will check the log file under info report you will get this.
`config file(s) : /etc/rabbitmq/rabbitmq.config (not found)`.
Change the config file permission using below command then login using guest , it will work
sudo chmod 777 /etc/rabbitmq/rabbitmq.config

Rabbitmq permissions

I'm working with rabbitmq permissions with python. The application has multiple clients and one service provider. I want to limit clients to specific queues while service provider should be capable to read all queues and not write to any. I try to set permissions as follow:
For service provider account I have set the following
rabbitmqctl set_permissions -p vhost service_provider ".*-client-queues" "" ".*-client-queues"
For clients I did
rabbitmqctl set_permissions -p vhost client1 "client1-client-queues" "client1-client-queues" ""
And the message is never delivered to service provider. However, if I set
rabbitmqctl set_permissions -p vhost client1 ".*" ".*" ".*"
it works. But I need to limit the clients to specific queues.
Does anyone of you try to achieve such thing? Any hints will be appreciated. Thanks.
service_provider and client1 must be the users that the respective components use instead of the default (guest) to connect to the RabbitMQ broker.
You need to create the users and set their passwords with rabbitmqctl add_user ..., then let the respective components use them.
Also note that the exchanges that you use to publish messages to, must match the write permission that you specify. See here for details.
I suggest you add the permissions one-by-one, so you see rapidly what you are doing wrong.
What I'm missing is the exchange name while I set the permissions. I've solved my problem with the following permissions: (I'm using default exchange)
For clients:
rabbitmqctl set_permissions -p vhost client1 "client1-client-queues|amq\.default" "client1-client-queues|amq\.default" "amq\.default"
For service provider:
set_permissions -p vhost service_provider ".*-client-queues|amq\.default" "amq\.default" ".*-client-queues|amq\.default"