Plugin rabbitmq-auth-backend-http receiving "allow *" from web-server, but authorization is not successful.

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Plugin rabbitmq-auth-backend-http receiving "allow *" from web-server, but authorization is not successful.

Alexander Napylov
Hello.

rabbitmq-auth-backend-http receiving "allow *" from web-server, but authorization is not successful.
 In log written:
 closing AMQP connection (127.0.0.1:34028 -> 127.0.0.1:5672):
 {handshake_error,opening,0,
 {amqp_error,access_refused,
 "access to vhost 'vhost_name' refused for user 'user_name'",
 'connection.open'}}

Plugin sending HTTP-request to user_path URI only.

I have this problem in Debian 7 only, but in Debian 6 all OK.

Server configuration:
Used "wheezy" x86_64 distribution of Debian GNU/Linux operation system. It's testing distribution.
On server with current stable distrubution "squeeze" I have not the problem.

/etc/rabbitmq/enabled-plugins file content
[rabbitmq_auth_backend_http,rabbitmq_management].

/etc/rabbitmq/rabbitmq.config file content
[
 {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
 {rabbitmq_auth_backend_http,
 [{user_path, "http://127.0.0.1:84/auth/user.php"},
 {vhost_path, "http://127.0.0.1:84/auth/vhost.php"},
 {resource_path, "http://127.0.0.1:84/auth/resource.php"}]}
].


Used web-server nginx 1.2.1. Configuration of site:

server {
    listen   127.0.0.1:84; ## listen for ipv4
    server_name  localhost;
    access_log  /home/rabbitmq/log/access.log;
    error_log   /home/rabbitmq/log/error.log;
    charset off;
    chunked_transfer_encoding off;
    location ~ \.php$ {
    root   /home/rabbitmq/htdocs;
    include /etc/nginx/fastcgi_params;
    fastcgi_intercept_errors off;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php_unix;
    }
    location / {
    root   /home/rabbitmq/htdocs;
    index  index.php;
    }
}

In nginx log written:
127.0.0.1 - - [07/Mar/2013:12:07:35 +0400] "GET /auth/user.php?username=user&password=pass HTTP/1.0" 200 7 "-" "-"

HTTP-response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 07 Mar 2013 08:07:35 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.4-13

allow *
Reply | Threaded
Open this post in threaded view
|

Re: Plugin rabbitmq-auth-backend-http receiving "allow *" from web-server, but authorization is not successful.

Simon MacMullen-2
My suspicion is that your web server is not giving the result you think
it is. What does
http://127.0.0.1:84/auth/vhost.php?username=user&vhost=%2f return?

Really rabbitmq-auth-backend-http needs a debug mode like
rabbitmq-auth-backend-ldap does. I will probably add one soon, now that
you've reminded me it is necessary. In the mean time, you could
uncomment line 92 of rabbit_auth_backend_http.erl to get it to display
(on standard output) the HTTP requests it is making.

Cheers, Simon

On 07/03/13 10:10, AlexanderN wrote:

> Hello.
>
> rabbitmq-auth-backend-http receiving "allow *" from web-server, but
> authorization is not successful.
>   In log written:
>   closing AMQP connection (127.0.0.1:34028 -> 127.0.0.1:5672):
>   {handshake_error,opening,0,
>   {amqp_error,access_refused,
>   "access to vhost 'vhost_name' refused for user 'user_name'",
>   'connection.open'}}
>
> Plugin sending HTTP-request to user_path URI only.
>
> I have this problem in Debian 7 only, but in Debian 6 all OK.
>
> Server configuration:
> Used "wheezy" x86_64 distribution of Debian GNU/Linux operation system. It's
> testing distribution.
> On server with current stable distrubution "squeeze" I have not the problem.
>
> /etc/rabbitmq/enabled-plugins file content
> [rabbitmq_auth_backend_http,rabbitmq_management].
>
> /etc/rabbitmq/rabbitmq.config file content
> [
>   {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
>   {rabbitmq_auth_backend_http,
>   [{user_path, "http://127.0.0.1:84/auth/user.php"},
>   {vhost_path, "http://127.0.0.1:84/auth/vhost.php"},
>   {resource_path, "http://127.0.0.1:84/auth/resource.php"}]}
> ].
>
>
> Used web-server nginx 1.2.1. Configuration of site:
>
> server {
>      listen   127.0.0.1:84; ## listen for ipv4
>      server_name  localhost;
>      access_log  /home/rabbitmq/log/access.log;
>      error_log   /home/rabbitmq/log/error.log;
>      charset off;
>      chunked_transfer_encoding off;
>      location ~ \.php$ {
>      root   /home/rabbitmq/htdocs;
>      include /etc/nginx/fastcgi_params;
>      fastcgi_intercept_errors off;
>      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
>      fastcgi_pass php_unix;
>      }
>      location / {
>      root   /home/rabbitmq/htdocs;
>      index  index.php;
>      }
> }
>
> In nginx log written:
> 127.0.0.1 - - [07/Mar/2013:12:07:35 +0400] "GET
> /auth/user.php?username=user&password=pass HTTP/1.0" 200 7 "-" "-"
>
> HTTP-response:
> HTTP/1.1 200 OK
> Server: nginx
> Date: Thu, 07 Mar 2013 08:07:35 GMT
> Content-Type: text/html; charset=UTF-8
> Connection: close
> X-Powered-By: PHP/5.4.4-13
>
> allow *
>
>
>
> --
> View this message in context: http://rabbitmq.1065348.n5.nabble.com/Plugin-rabbitmq-auth-backend-http-receiving-allow-from-web-server-but-authorization-is-not-successfu-tp25308.html
> Sent from the RabbitMQ mailing list archive at Nabble.com.
> _______________________________________________
> rabbitmq-discuss mailing list
> [hidden email]
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>


--
Simon MacMullen
RabbitMQ, VMware
_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Plugin rabbitmq-auth-backend-http receiving "allow *" from web-server, but authorization is not successful.

Alexander Napylov
rabbitmq-auth-backend-http don't sending request to http://127.0.0.1:84/auth/vhost.php

For testing of script I use Wget for send request.
If user have access to vhost, vhost.php returning "allow", else it returning "deny".

I uncomment line 92 of rabbit_auth_backend_http.erl.
On output written
Q: "http://127.0.0.1:84/auth/user.php?username=user&password=pass"


Then I add logging to line 83.

78            case Code of
79                200 -> case parse_resp(Body) of
80                           {error, _} = E -> E;
81                           Resp           -> Resp
82                       end,
83                       error_logger:error_msg("200!", Code, Body);
84                _   -> {error, {Code, Body}}
85
86            end;

In RabbitMQ log was written:

=ERROR REPORT==== 11-Mar-2013::12:08:21 ===
closing AMQP connection <0.297.0> (127.0.0.1:34533 -> 127.0.0.1:5672):
{handshake_error,starting,0,
    {error,undef,'connection.start_ok',
        [{error_logger,error_msg,["200!",200,"allow *"],[]},
         {rabbit_auth_backend_http,check_user_login,2,
             [{file,"src/rabbit_auth_backend_http.erl"},{line,37}]},
         {rabbit_access_control,'-check_user_login/2-fun-0-',4,[]},
         {lists,foldl,3,[{file,"lists.erl"},{line,1197}]},
         {rabbit_reader,auth_phase,2,[]},
         {rabbit_reader,handle_method0,3,[]},
         {rabbit_reader,handle_input,3,[]},
         {rabbit_reader,recvloop,2,[]}]}}
Reply | Threaded
Open this post in threaded view
|

Re: Plugin rabbitmq-auth-backend-http receiving "allow *" from web-server, but authorization is not successful.

Tim Watson-6
Alexander,

On 11 Mar 2013, at 08:58, AlexanderN wrote:
> Then I add logging to line 83.
> 83                       error_logger:error_msg("200!", Code, Body);

error_logger:error_msg takes 2 arguments, not 3. Try this instead: `error_logger:error_msg("Response ~p: ~p~n", [Code, Body]);'

_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
Reply | Threaded
Open this post in threaded view
|

Re: Plugin rabbitmq-auth-backend-http receiving "allow *" from web-server, but authorization is not successful.

Alexander Napylov
Thanks, Tim.

I never used the Erlang.