How to get the password of an user in rabbitmq? - rabbitmq

How to get the password of an existing user in Rabbitmq from CLI?
I got the name of the user by CLI command "sudo rabbitmqctl list_users" and the outupt is as follows:
Listing users ... guest [administrator] openstack []
I want to know the 'openstack' user password.

The user passwords are stored using a one-way hash so there is no way to retrieve their value. You should use the rabbitmqctl change_password command to change that user's password to a known value.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.

If you used a deployment solution you might find the password in it's configuration. For example, when you deploy Openstack using kolla-ansible you find the password in /etc/kolla/passwords.yml.
user#deployhost:~$ grep -E ^rabbitmq_password: /etc/kolla/passwords.yml
rabbitmq_password: haH2ZPjVVKmiqoXdRPCYJcdQyzP2cqeU
It might be stored in some secure way, for example an vault if ansible is used for deployment, in this case you need to check the deployment framework on how to retrieve it.

Related

Set RabbitMQ user permissions to only write to amq.rabbitmq.reply-to.*

I use https://www.rabbitmq.com/direct-reply-to.html for communicating between my two components. Concerning user permissions, I want one of the components to only be able to write into such a reply-to pseudo-queue, so I wanted to setup a separate user and configure its permissions accordingly, but I didn't succeed so far.
How to use rabbitmqctl set_permissions or rabbitmqctl set_topic_permissions for a given user to only allow writing into reply-to pseudo-queues created by https://www.rabbitmq.com/direct-reply-to.html ?

Permissions that need to be assigned for a RabbitMQ monitoring user

What permissions do I need to assign to a software, which will monitor my RabbitMQ server? The software agent should monitor most of the metrics explained and recommended in this document.
I think I have to create a user, e.g. monitoring and then give this user access to all virtual hosts which contain ressources that should be monitored.
I think when creating the user I have to assign it the tag monitoring which is a predefined tag.
What I do not understand is, what RegEx I need to assign to configure, write and read. The documentation contains a table with the permissions on ressources.
I think a monitoring software should not be able to create or delete ressources (configure permission) nor should it be able to ADD messages to a queue or READ and ACK messages from a queue. But for example it should be able to read the number of messages waiting in a queue to alert if a queue has a number of growing messages which are not retrieved.
Could anybody explain, what permissions and settings are required for such a monitoring user?
Here is a quick guide from the beginning to the end while you are setting up RabbitMQ queues monitoring.
1) Create an account:
rabbitmqctl add_user monitoring password
2) Add monitoring tag (you can read more about RabbitMQ tags here https://www.rabbitmq.com/management.html)
rabbitmqctl set_user_tags monitoring monitoring
3) Now get the names of your virtual hosts:
rabbitmqctl list_vhosts
4) Add permission for monitoring user to virtual host:
rabbitmqctl set_permissions -p Some_Virtual_Host monitoring "" "" ""
5) Check if access is granted successfully:
curl -s -u monitoring:password http://localhost:15672/api/queues | jq
Look at the "messages" parameter
Optional) You can publish a fake message from the command line:
rabbitmqadmin publish --vhost=Some_Virtual_Host exchange=some_exchange routing_key=outgoing_routing_key payload="hello world"
Look at the "messages" again!
Tip: make sure to enable rabbitmq_management plugin in your RabbitMQ build to be able to execute these queries.
Figured that out myself with some testing. If someone is interested:
Create an account with monitoring tag
Add that account to EVERY vhost that should be monitored and add empty strings ("") to configure, write and read permissions.
With a nice bash script you can then for example get the numbers of messages in every queue:
curl -u username:password \
--silent \
http://<ServerOrIP>:15672/api/queues/<vhostname> | jq '.[] | .name, .messages'
What is jq? An explanation is missing from the answers provided above.
The jq command is in the EPEL repository.
https://www.cyberithub.com/how-to-install-jq-json-processor-on-rhel-centos-7-8/
# yum --enablerepo=epel install jq

Can't create bucket without authentication

We updated our Couchbase from 4.6 Community edition to 5.0.0-2873 Enterprise Edition for testing purposes and our software using the java-client started throwing InvalidPasswordException when trying to open a bucket.
As I've found, every newly created bucket has authType='sasl' and a randomly generated saslPassword.
I've tried creating a bucket using the CLI instead of the GUI:
couchbase-cli bucket-create -c localhost:8091 -u Administrator -p password --bucket=general --bucket-ramsize=1300 --bucket-type=couchbase --bucket-password=
I got the following error:
ERROR: unrecognized arguments: --bucket-password=password
I also tried the bucket-edit function with the same result.
According to the documentation the argument should be valid.
I also tried using the REST API to change bucket authentication (and similarly password), but even though this didn't throw any erros, the authType and the password remained the same.
curl -X POST -u Administrator:password -d 'authType=none' http://<host>:8091/pools/default/buckets/general
Again, according to the documentation this should work.
If I query the bucket information for the sasl password and provide that for the openBucket function then the connection works, however we really don't want to use this feature in our system.
So, any other ideas how it would be possible to remove the bucket authentication in our 5.0EE Couchbase setup?
In Couchbase 5.0 we no longer support bucket passwords and have moved to using role based access control when connecting to buckets. This means that in 5.0 the standard (pre-production) way to connect to a bucket is by using the Administrator user and password that you created when setting up the cluster. In case you're unsure what the Administrator user is, it is the user you create when you first go through the Couchbase setup wizard or the it is the username and password you specify on the command line when running the couchbase-cli cluster-init command.
One thing to note is that using the Administrator user/password is the standard pre-production workflow. I would recommend that when you go into production you create separate users for your application which only have access to cluster resources they need to access in the cluster. You can do this by going to the Users tab in the Administration Console and creating a new user and giving them the Full Bucket Access role which is the standard role that applications should have.
You might now be saying to yourself that this all sounds great, but when I use the Administrator user/password I still am having issues. If this is the case the reason is because you have Couchbase 5.0, but your SDK is not new enough to handle the new RBAC authentication mechanism in 5.0. The workaround for this is to create a user in the Users tab with the same name as the bucket and give that user the Full Bucket Access role. You can then use this user to authenticate.
One last thing to mention is that during an upgrade from a pre-5.0 cluster to a 5.0 cluster Couchbase will automatically create a user for each bucket. The each user will have the same name as one of the buckets and the password for that user will correspond to the bucket password. This is done mainly to ensure that there is no application downtime during an upgrade. After upgrading the cluster the next step should ideally be to upgrade the Couchbase client library to have it start using RBAC authentication.
If you need to stay with old approach and no password you can use cochbase-cli with --rbac-username and --rbac-password "", but you need to specify password as "", e.g.
./couchbase-cli user-manage -c localhost:8091 -u Admin -p password --set --rbac-username <UserForBucket> --roles bucket_full_access[<BucketName>] --rbac-password "" --auth-domain local

LDAP users are not getting listed under WebSphere manage user?

I am doing LDAP with websphere setup. I did all the priamary setps in the DN am using OU=Users, O= O=IN.
for the federated repository in websphere for PersonAccount i gave the same DN name and in filters i used (objectclass=user). But in the manage user, no user is getting listed.
Turn on the following trace: com.ibm.ws.wim.*=all.
Restart your server. Go to admin console and click Manage Users.
Look in the logs for "JNDI_CALL search"
You will see the filter being used, eg. (&(objectClass=inetorgperson)(uid=*)) and the baseDn being searched on. Verify these are correct by comparing to your ldif of a user you expect to see or by using the ldapsearch utility. It is probably not correct, so take action to fix the filter.

opendj's ldappasswordmodify command is not taking into account user password history or validation requirements

I am on a Solaris 10 machine with opendj 2.4.5 installed. I am attempting to set a user's password with the ldappasswordmodify command. In my application I want to be able to set their password without requiring the previous password. I still need the password to obey the history and validation requirements though. I have this working on a similar machine that I set up a while ago and am not sure how I did it.
This is how I am calling the command:
ldappasswordmodify -D cn=mgr -w mgrpw -a uid=user,ou=people,o=systems,dc=program -n newpassword
No matter what password I give it the command works and sets the password.
If I use the command and supply the old password like this:
ldappasswordmodify -D cn=mgr -w mgrpw -a uid=user,ou=people,o=systems,dc=program -c oldpassword -n newpassword
The history and validation requirements are enforced properly.
Does anyone have any idea how to do this or perhaps what to check on the working system to see how I did it before? I'm at a complete loss.
Don't use the manager account. Don't use it for anything actually. Use a user account. The manager account is for slapd itself. It bypasses a lot of security and overlays.
I think this was an issue in OpenDJ 2.4 and it has been resolved in later versions.
You might want to try with OpenDJ 3.0 which is the later release available.