Summary
When a client connects to a RabbitMQ server over AMQP1.0 using the 'Anonymous' SASL Profile, and then attempts to send messages to that server, RabbitMQ behaves as if it were receiving messages from the default user (in our case, we had not set a default user, so this was 'guest' as per the docs.)
Symptoms
When running the client script, the AMQP1.0 connection closes and RabbitMQ sends back an internal Erlang stacktrace over the wire to the client in the AMQP 'close' frame:
Workaround
If the default user is allowed all permissions on the vhost, then the connection succeeds and messages can be successfully sent; the Management UI shows this connection as being from the default user.
Switching the SASL Profile to Plain results in the connection succeeding, and messages are sent from the correct user:
Diags
Server logs can be found in RabbitMQLogs.zip. Packet captures for each of the three cases (failure, success as guest user and success as correct user) can be found in Archive.zip.
Repro Script
```csharp
using System;
using System.Threading;
using Amqp;
using Amqp.Sasl;
using Amqp.Framing;

namespace MyApp
{
    class Program
    {
        static void Main(string[] args)
        {
            Connection connection = null;
            Session session = null;
            SenderLink sender = null;
            ReceiverLink receiver = null;

            try
            {
                connection = new Connection(
                    new Address("amqp://test-user:test-password@127.0.0.1"),
                    null, // set to SaslProfile.Anonymous to repro
                    new Open()
                    {
                        ContainerId = "client.1.2",
                        HostName = "vhost:test-vhost",
                        MaxFrameSize = 8 * 1024
                    },
                    (c, o) => { });

                session = new Session(connection);
                sender = new SenderLink(session, "sender-link", "q1-yolo1");
                receiver = new ReceiverLink(session, "receiver-link", "q1-yolo1");

                // Send one message to the queue and read it back.
                Message message = new Message("Hello AMQP");
                sender.Send(message, null, null);
                message = receiver.Receive();
                Console.WriteLine(message);
                // Thread.Sleep(15000);
            }
            finally
            {
                // Close links before the session and connection, and skip
                // anything that was never created if an earlier step threw.
                receiver?.Close();
                sender?.Close();
                session?.Close();
                connection?.Close();
            }
        }
    }
}
```
Thanks @Connor-Rogers - what we need to do there is validate that the anonymous profile was used in the connection frame and then investigate how to better handle the case where the internal amqp connection is denied due to invalid user credentials rather than crashing with the current error.
I also noticed that we have no actual tests that test access to vhosts other than the default, so that is also something to address.
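Whether a client negotiated ANONYMOUS or PLAIN is visible on the wire in its AMQP 1.0 sasl-init frame, which is what separates the cases in the report's packet captures. The following Python parser is an added example, not code from the issue or from RabbitMQ: it reads that mechanism from the client-to-server bytes of one reassembled connection. The function names and sample bytes are constructed, only smallulong descriptors are handled, and malformed frames raise instead of being skipped.

```python
import struct

SASL_HEADER = b"AMQP\x03\x01\x00\x00"   # protocol id 3 = SASL security layer
SASL_FRAME, SASL_INIT = 0x01, 0x41      # frame type; sasl-init descriptor code

def sasl_init_mechanism(frame: bytes):
    """Return the mechanism named in one sasl-init frame, or None for other frames."""
    _size, doff, ftype, _ = struct.unpack(">IBBH", frame[:8])
    body = frame[4 * doff:]              # DOFF counts 4-byte words
    if ftype != SASL_FRAME or not body:
        return None
    if body[:2] != b"\x00\x53":          # described type with smallulong descriptor
        raise ValueError("unsupported descriptor encoding")
    if body[2] != SASL_INIT:
        return None
    pos = 3 + {0xC0: 3, 0xD0: 9}[body[3]]   # skip list8/list32 constructor, size, count
    if body[pos] == 0xA3:                # sym8: 1-byte length
        length, pos = body[pos + 1], pos + 2
    elif body[pos] == 0xB3:              # sym32: 4-byte length
        length, pos = struct.unpack(">I", body[pos + 1:pos + 5])[0], pos + 5
    else:
        raise ValueError("mechanism field is not a symbol")
    return body[pos:pos + length].decode("ascii")

def client_sasl_mechanism(stream: bytes):
    """Mechanism chosen in the client-to-server bytes of one connection, else None."""
    if not stream.startswith(SASL_HEADER):
        return None                      # client did not open a SASL layer
    pos = len(SASL_HEADER)
    while pos + 8 <= len(stream) and stream[pos:pos + 4] != b"AMQP":
        size = struct.unpack(">I", stream[pos:pos + 4])[0]
        if size < 8 or pos + size > len(stream):
            raise ValueError("truncated or malformed frame")
        mech = sasl_init_mechanism(stream[pos:pos + size])
        if mech is not None:
            return mech
        pos += size
    return None

def sample_client_stream(mechanism: bytes) -> bytes:
    """Constructed sample: SASL header plus a sasl-init carrying only the mechanism."""
    fields = b"\xa3" + bytes([len(mechanism)]) + mechanism
    body = b"\x00\x53\x41\xc0" + bytes([len(fields) + 1, 1]) + fields
    return SASL_HEADER + struct.pack(">IBBH", 8 + len(body), 2, 1, 0) + body

if __name__ == "__main__":
    for mech in (b"ANONYMOUS", b"PLAIN"):
        found = client_sasl_mechanism(sample_client_stream(mech))
        print(found, "(broker applies its default user)" if found == "ANONYMOUS" else "")
```

To use it on a real capture, feed it the client side of a reassembled TCP stream exported from the capture tool.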
michaelklishin changed the title from "RabbitMQ using incorrect user when SASL profile is ANONYMOUS" to "Connection falls back to default user when SASL profile is ANONYMOUS" on May 1, 2019
System Info
rabbitmqctl status
rabbitmqctl environment