Rabbitmq permissions - rabbitmq

I'm working with rabbitmq permissions with python. The application has multiple clients and one service provider. I want to limit clients to specific queues, while the service provider should be able to read all queues and not write to any. I tried to set permissions as follows:
For service provider account I have set the following
rabbitmqctl set_permissions -p vhost service_provider ".*-client-queues" "" ".*-client-queues"
For clients I did
rabbitmqctl set_permissions -p vhost client1 "client1-client-queues" "client1-client-queues" ""
And the message is never delivered to service provider. However, if I set
rabbitmqctl set_permissions -p vhost client1 ".*" ".*" ".*"
it works. But I need to limit the clients to specific queues.
Has anyone of you tried to achieve such a thing? Any hints will be appreciated. Thanks.

service_provider and client1 must be the users that the respective components use instead of the default (guest) to connect to the RabbitMQ broker.
You need to create the users and set their passwords with rabbitmqctl add_user ..., then let the respective components use them.
Also note that the exchanges that you use to publish messages to, must match the write permission that you specify. See here for details.
I suggest you add the permissions one-by-one, so you see rapidly what you are doing wrong.

What I'm missing is the exchange name while I set the permissions. I've solved my problem with the following permissions: (I'm using default exchange)
For clients:
rabbitmqctl set_permissions -p vhost client1 "client1-client-queues|amq\.default" "client1-client-queues|amq\.default" "amq\.default"
For service provider:
rabbitmqctl set_permissions -p vhost service_provider ".*-client-queues|amq\.default" "amq\.default" ".*-client-queues|amq\.default"
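
Why the first set of permissions blocked delivery, as an added example that is not code from the posts above: it models the broker's permission check in Python using the operation table from the RabbitMQ access-control documentation. It assumes unanchored regex matching (approximated with `re.search`); the look-alike queue name and the anchored triple are constructed for illustration.

```python
import re

# Permission(s) each AMQP 0-9-1 operation needs: (permission, resource kind),
# taken from the RabbitMQ access-control documentation.
REQUIRED = {
    "queue.declare": [("configure", "queue")],
    "basic.publish": [("write", "exchange")],
    "basic.consume": [("read", "queue")],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
}


def matches(pattern, name):
    # An empty pattern is treated as '^$', i.e. it grants nothing.
    # Matching is assumed unanchored (re.search), which is why the RabbitMQ
    # documentation writes ^ and $ explicitly in its own examples.
    return re.search(pattern or "^$", name) is not None


def allowed(perms, operation, queue=None, exchange=None):
    """perms is the (configure, write, read) triple given to set_permissions."""
    regex = dict(zip(("configure", "write", "read"), perms))
    # The default exchange's blank name is checked as 'amq.default'.
    names = {"queue": queue, "exchange": exchange or "amq.default"}
    return all(matches(regex[p], names[kind]) for p, kind in REQUIRED[operation])


# Triples copied from the question and from the asker's fix above.
QUESTION_CLIENT = ("client1-client-queues", "client1-client-queues", "")
FIXED_CLIENT = (r"client1-client-queues|amq\.default",
                r"client1-client-queues|amq\.default", r"amq\.default")
# Constructed variant: the same fix with explicit anchors.
ANCHORED_CLIENT = (r"^(client1-client-queues|amq\.default)$",
                   r"^(client1-client-queues|amq\.default)$", r"^amq\.default$")


def report():
    """Evaluate publish-to-default-exchange and a look-alike queue name."""
    lookalike = "other-client1-client-queues-x"  # constructed queue name
    rows = {}
    for label, perms in (("question", QUESTION_CLIENT),
                         ("fixed", FIXED_CLIENT),
                         ("anchored", ANCHORED_CLIENT)):
        rows[label] = (allowed(perms, "basic.publish", exchange=""),
                       allowed(perms, "queue.declare", queue=lookalike))
    return rows


if __name__ == "__main__":
    for label, (publish, declare_lookalike) in report().items():
        print(f"{label:9} publish={publish} declare_lookalike={declare_lookalike}")
```

Under these assumptions only the anchored triple both permits publishing through the default exchange and rejects the look-alike queue name.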

Related

RabbitMq On Ubuntu: Cannot access RabbitMq Web management console

I have installed rabbitmq-server on ubuntu. Post installation, I have checked whether it's running properly on the ports or not using netstat -lntu. It's running, plugins are enabled and the same has been verified too. Even port 15672 is also open. What can be the reason that I am not able to access the web management console from the remote rabbitmq-server?
P.S : I have already created the admin user.
I have already tried allowing the port 15672 as mentioned in this question : How do I find my firewall is blocking mysql? | Ask Ubuntu. and also followed this one : Can't access RabbitMQ web management interface after fresh install | Stack Overflow and many more.
and lastly tried to edit rabbitmq-env.conf as suggested here : Web dispatch plugin | RabbitMQ.
By default, RabbitMQ creates a user named "guest" with password "guest". You can also create your own administrator account on RabbitMQ server using following commands. Change password to your own password.
Step 1: Set the username and password by running the following commands
sudo rabbitmqctl add_user admin password
sudo rabbitmqctl set_user_tags admin administrator
sudo rabbitmqctl set_permissions -p / admin ".*" ".*" ".*"
Step 2: Enable and use the RabbitMQ management console
sudo rabbitmq-plugins enable rabbitmq_management
sudo chown -R rabbitmq:rabbitmq /var/lib/rabbitmq/
Next, you need to setup an administrator user account for accessing the RabbitMQ server management console. In the following commands, "mqadmin" is the administrator's username, "mqadminpassword" is the password. Remember to replace them with your own.
Step 3: Add user and give the permission
sudo rabbitmqctl add_user mqadmin mqadminpassword
sudo rabbitmqctl set_user_tags mqadmin administrator
sudo rabbitmqctl set_permissions -p / mqadmin ".*" ".*" ".*"
Now open the http://[rabbitMQ-server-IP]:15672/ and You are Done 🎉🍾
For rabbitmq setup you only need to do the following things:
1. Install rabbitmq-server
sudo apt-get install rabbitmq-server
2. Enable the GUI plugin
sudo rabbitmq-plugins enable rabbitmq_management
3. Start rabbitmq-server
sudo rabbitmq-server start
4. See the GUI in a browser (the information below is given by the default rabbitmq configuration)
http://localhost:15672/
username:guest
password:guest

want to purge queue in remote machine rabbitmq

I have rabbitmq up and running on another machine with IP address 10.8.11.12 on port 15672, and on it I have a queue named "hello". I want to purge the hello queue from my machine using the CLI (command line interface).
I have tried following to purge queue in localhost
rabbitmqctl purge_queue
it is working fine
and I am trying the same like this
rabbitmqctl purge_queue -p 10.8.11.12 hello
Here I am considering 10.8.11.12 as the vhost. Is that correct?
What does vhost actually mean in rabbitmq?
Even a simple link will help.
You have to use the -n parameter as:
rabbitmqctl -n rabbit@your_other_machine purge_queue hello
Here is an example:
./rabbitmqctl -n rabbit@srv-rabbit-cent01 purge_queue my_queue_1
where rabbit@srv-rabbit-cent01 is the rabbitmq node name (srv-rabbit-cent01 is the hostname).
about the vhost please read here: https://www.rabbitmq.com/uri-spec.html
2.4. Vhost
The vhost component is used as the basis for the virtual-host field of
the connection.open AMQP 0-9-1 method. Any percent-encoded octets in
the vhost should be decoded before it is passed to the server.

Multiple federation policies in RabbitMQ

I have a number of RabbitMQ servers arranged effectively in a star topology. I need to federate a different exchange bi-directionally between the central hub server and each of the outer servers. Configuration of the outer servers isn't problematic, but although the exchanges are different the hub doesn't want to accept more than one federation policy.
Defining multiple upstreams and upstream sets works as expected:
$ rabbitmqctl list_parameters
Listing runtime parameters ...
federation-upstream-set leaf1 [{"upstream":"leaf1-1"}]
federation-upstream-set leaf2 [{"upstream":"leaf2-1"}]
federation-upstream leaf2-1 {"uri":"--snipped--","expires":3600000}
federation-upstream leaf1-1 {"uri":"--snipped--","expires":3600000}
...done.
The first federation policy applies as expected:
$ rabbitmqctl set_policy --apply-to exchanges federate-me "^leaf1$" '{"federation-upstream-set":"leaf1"}'
Setting policy "federate-me" for pattern "^leaf1$" to "{\"federation-upstream-set\":\"leaf1\"}" with priority "0" ...
...done.
$ rabbitmqctl list_policies
Listing policies ...
/ federate-me exchanges ^leaf1$ {"federation-upstream-set":"leaf1"} 0
...done.
But as soon as I try to specify a second federation policy, it simply replaces the first one:
$ rabbitmqctl set_policy --apply-to exchanges federate-me "^leaf2$" '{"federation-upstream-set":"leaf2"}'
Setting policy "federate-me" for pattern "^leaf2$" to "{\"federation-upstream-set\":\"leaf2\"}" with priority "0" ...
...done.
$ rabbitmqctl list_policies
Listing policies ...
/ federate-me exchanges ^leaf2$ {"federation-upstream-set":"leaf2"} 0
...done.
It doesn't matter if I specify different priorities for the two policies, either; whatever I do, only the single most recently entered federation policy is listed. I know that only a single policy can apply to each exchange, but the exchange specification for each policy here is different, and moreover the documentation suggests that the policy with the highest priority should win in the event that there are multiple matching policies.
Can anyone help?
You have to specify unique name for each policy you want to add. Setting different policy with existent name will just override existent policy with that name.

RabbitMQ 3.3.1 can not login with guest/guest

I have installed the latest version of RabbitMQ on a VPS Debian Linux box. Tried to log in through guest/guest but it returned the message login failed. I did a little research and found that for security reasons it's prohibited to log in via guest/guest remotely.
I also have tried enabling guest uses on this version to get logged in remotely by creating a rabbitmq.config file manually (because the installation didn't create one) and placing the following entry only
[{rabbit, [{loopback_users, []}]}].
after restart the rabbitmq with the following command.
invoke-rc.d rabbitmq-server stop   # to stop
invoke-rc.d rabbitmq-server start  # to start
It still doesn't log me in with guest/guest. I also have tried installing RabbitMQ on a Windows VPS and tried to log in via guest/guest through localhost, but again I get the same message login failed.
Also provide me a source where I could try installing the old version of RabbitMQ that does support logging remotely via guest/guest.
I had the same problem.
I installed RabbitMQ and enabled the web interface as well, but still couldn't sign in with any user I newly created; this is because you need to be an administrator to access this.
Do not create any config file and mess with it.
This is what I did then:
Add a new/fresh user, say user test and password test:
rabbitmqctl add_user test test
Give administrative access to the new user:
rabbitmqctl set_user_tags test administrator
Set permission to newly created user:
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
That's it, enjoy :)
I tried on Debian the same configuration with the following steps:
Installed RabbitMQ.
Enabled the web-management plug-in (not necessary).
When I tried to login I had the same error:
So I created a rabbitmq.config file (classic configuration file) inside the /etc/rabbitmq directory with the following content (notice the final dot):
[{rabbit, [{loopback_users, []}]}].
Alternatively, one can create instead a rabbitmq.conf file (new configuration file) inside the same directory with the following content:
loopback_users = none
Then I executed the invoke-rc.d rabbitmq-server start command and both the console and the Java client were able to connect using the guest/guest credentials:
So I think you have some other problem if this procedure doesn't work. For example your RabbitMQ might be unable to read the configuration file if for some reason you have changed the RABBITMQ_CONFIG_FILE environment variable.
This is a new feature since version 3.3.0. You can only log in using guest/guest on localhost. For logging in from other machines or via IP you'll have to create users and assign the permissions. This can be done as follows:
rabbitmqctl add_user test test
rabbitmqctl set_user_tags test administrator
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
Adding the below line in the config file and restarting the server worked for me. Kindly try in your setup.
loopback_users.guest = false
I got this line from the example RabbitMQ config file from Github as linked here.
Notice: check that your PORT is 15672 (version > 3.3) if 5672 does not work!
First of all, check the "chosen answer above":
rabbitmqctl add_user test test
rabbitmqctl set_user_tags test administrator
rabbitmqctl set_permissions -p / test ".*" ".*" ".*"
and if still can't make connection work, check if your port is correct!
for me, this command works:
$ rabbitmqadmin -H 10.140.0.2 -P 15672 -u test -p test list vhosts
+------+----------+
| name | messages |
+------+----------+
| / | |
+------+----------+
For the complete list of ports, check this:
What ports does RabbitMQ use?
to verify your rabbit mq server, check this: Verify version of rabbitmq
p.s.
For me, after I created the "test" user and ran set_user_tags and set_permissions, I couldn't connect to rabbitmq via port 5672, but I could connect via 15672.
However, port 15672 always gave me a "blank response", and my code stopped working.
So about 5 minutes later, I switched to 5672, and everything worked!
Very weird problem. I have no time to dig deeper, so I wrote it down here for someone meeting the same problems.
for other guys which use Ansible for RabbitMQ provisioning, what I missed for rabbitmq_user module was tags: administrator
here is my working Ansible configuration to recreate "guest" user (for development environment purpose, don't do that in production environment):
- name: Create RabbitMQ user "guest"
  become: yes
  rabbitmq_user:
    user: guest
    password: guest
    vhost: /
    configure_priv: .*
    read_priv: .*
    write_priv: .*
    tags: administrator
    force: yes # recreate existing user
    state: present
and I also had to setup a file /etc/rabbitmq/rabbitmq.config containing the following:
[{rabbit, [{loopback_users, []}]}].
in order to be able to log using "guest"/"guest" from outside of localhost
#Create rabbitmq.conf file with
rabbitmq.conf
loopback_users = none
Dockerfile:
FROM rabbitmq:3.7-management
#Rabbitmq config
COPY rabbitmq.conf /etc/rabbitmq/rabbitmq.conf
#Install vim (edit file)
RUN ["apt-get", "update"]
RUN ["apt-get", "-y", "install", "vim"]
#Enable plugins rabbitmq
RUN rabbitmq-plugins enable --offline rabbitmq_mqtt rabbitmq_federation_management rabbitmq_stomp
Run:
$ docker build -t my-rabbitmq-image .
$ docker run -d --hostname my-rabbit --name some-rabbit -p 8080:15672 my-rabbitmq-image
Check that the rabbitmq.conf file has been copied correctly.
$ docker exec -it my_container_id /bin/bash
$ vim /etc/rabbitmq/rabbitmq.conf
I had the same problem. I tried what was suggested by Gas and ran "invoke-rc.d rabbitmq-server start"; it didn't start. I tried to reboot the server and the web UI worked with the guest user. Maybe after adding the rabbitmq.config file, something else also needed to be started.
I used rabbitmq version 3.5.3.
One more thing to note: if you're using AWS instance then you need to open inbound port 15672. (The port for RabbitMQ versions prior to 3.0 is 55672.).
Students and I stared at this problem for an hour. Be sure you've named your files correctly. In the /etc/rabbitmq directory, there are two distinct files. There is an /etc/rabbitmq/rabbitmq.config file which you should edit to get the loopback users as described, but there is another file called rabbitmq-env.conf file. Many folks were using tab completion and just adding "ig", which isn't the right file. Double check!
Sometimes you don't need the comma, which is there in the configuration file by default, if nothing else is configured below the rabbit tag; while starting the broker we will get a crash, like
{loopback_users, []} ,
I have spent many hours forgetting this and later removing the comma. It is applicable to all other configurations, including SSL.
Try restarting your rabbitmq and logging in again; for me it worked.
For a slightly different use, but might be useful for anyone dealing with accessing the API for monitoring purposes:
I can confirm the answer given by @Oliboy50 works well, however make sure you enable it for each vhost you want the user to be able to monitor, such as:
permissions:
  - vhost: "{{item.name}}"
    configure_priv: .*
    write_priv: .*
    read_priv: .*
state: present
tags: management
with_items: "{{user_system_users}}"
With this loop I was able to get past the "401 Unauthorized" error when using the API for any vhost.
By default, the guest user is prohibited from connecting from remote hosts; it can only connect over a loopback interface (i.e. localhost). This applies to connections regardless of the protocol. Any other users will not (by default) be restricted in this way.
It is possible to allow the guest user to connect from a remote host
by setting the loopback_users configuration to none
# DANGER ZONE!
#
# allowing remote connections for default user is highly discouraged
# as it dramatically decreases the security of the system. Delete the user
# instead and create a new one with generated secure credentials.
loopback_users = none
Or, in the classic config file format (rabbitmq.config):
%% DANGER ZONE!
%%
%% Allowing remote connections for default user is highly discouraged
%% as it dramatically decreases the security of the system. Delete the user
%% instead and create a new one with generated secure credentials.
[{rabbit, [{loopback_users, []}]}].
See at "guest" user can only connect from localhost
TIP: It is advisable to delete the guest user or at least change its password to reasonably secure generated value that won't be known to the public.
If you will check the log file under info report you will get this.
`config file(s) : /etc/rabbitmq/rabbitmq.config (not found)`.
Change the config file permission using below command then login using guest , it will work
sudo chmod 777 /etc/rabbitmq/rabbitmq.config
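
A check for the `loopback_users` settings quoted throughout this thread, as an added example that is not code from any of the answers: it scans configuration text in either format and reports the active lines that let "guest" connect from remote hosts, skipping commented-out ones. The sample files are constructed, and the classic-format pattern assumes the setting sits on a single line.

```python
import re

# Settings from this thread that let "guest" connect from remote hosts.
PATTERNS = [
    ("rabbitmq.conf", re.compile(r"^loopback_users\s*=\s*none$")),
    ("rabbitmq.conf", re.compile(r"^loopback_users\.guest\s*=\s*false$")),
    ("rabbitmq.config", re.compile(r"\{\s*loopback_users\s*,\s*\[\s*\]\s*\}")),
]


def remote_guest_findings(text):
    """Return (line_number, format, setting) for every active line that
    removes the loopback-only restriction; commented-out lines are ignored."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        # '#' starts a comment in rabbitmq.conf, '%' in the classic format.
        active = re.split(r"[#%]", raw, maxsplit=1)[0].strip()
        for fmt, pattern in PATTERNS:
            if pattern.search(active):
                findings.append((number, fmt, active))
    return findings


# Constructed sample files, modelled on the snippets quoted in this thread.
NEW_STYLE = """\
# DANGER ZONE!
# loopback_users = none
loopback_users.guest = false
"""
CLASSIC = """\
%% [{rabbit, [{loopback_users, []}]}].
[{rabbit, [{loopback_users, []}]}].
"""
DEFAULTS = """\
# loopback_users.guest = false
listeners.tcp.default = 5672
"""

if __name__ == "__main__":
    for name, text in (("new", NEW_STYLE), ("classic", CLASSIC),
                       ("defaults", DEFAULTS)):
        print(name, remote_guest_findings(text))
```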

How to reset user for rabbitmq management

Using rabbitmq, we can install management plugin. Then we access via browser using http://localhost:55672/ using guest:guest.
The problem is, I cannot log in anymore because I changed the password and entered blank for role.
Is there any way to reset user for rabbitmq management?
You can access the user-management with rabbitmqctl and use the command:
add_user {username} {password}
or more preferably maybe edit an existing user, or set the permissions for the new user with:
set_permissions [-p vhostpath] {user} {conf} {write} {read}
For example use the following commands: (it is important to perform these three steps even when creating a new user, if you want to be able to login to the UI console and for your programs to work without facing any permission issues)
rabbitmqctl add_user newadmin s0m3p4ssw0rd
rabbitmqctl set_user_tags newadmin administrator
rabbitmqctl set_permissions -p / newadmin ".*" ".*" ".*"
...to create a new administrator user with full access to the default / vhost.
You can find all this on the RabbitMQ homepage, and more specifically on this page
The simplest way I found is to use this command to reset the password for any user in RabbitMQ
rabbitmqctl change_password <USERNAME> <NEWPASSWORD>
This is specifically for aliveness test, but could apply to other apis as well
rabbitmqctl add_vhost statuscheckvhost
rabbitmqctl add_user heartbeat alive
rabbitmqctl set_permissions -p statuscheckvhost heartbeat ".*" ".*" ".*"
rabbitmqctl set_user_tags heartbeat management
curl -i -u heartbeat:alive http://127.0.0.1:55672/api/aliveness-test/statuscheckvhost
HTTP/1.1 200 OK
Server: MochiWeb/1.1 WebMachine/1.9.0 (someone had painted it blue)
Date: Thu, 21 Feb 2013 22:20:10 GMT
Content-Type: application/json
Content-Length: 15
Cache-Control: no-cache
{"status":"ok"}
If you have RabbitMQ on a docker container, you can first
docker exec -it <YOUR_CONTAINER> /bin/bash
Then you can do
rabbitmqctl change_password <USERNAME> <NEWPASSWORD>
such as @samtoddler pointed out
I was able to reset after this post. Thanks a lot.
rabbitmqctl add_user test password
rabbitmqctl set_user_tags test administrator
Then I went to browser console and login with this test account.
And from there I was able to reset pwd of admin account & guest account.