Issue using rabbitmq-auth-backend-http to authenticate MQTT and AMQP requests

0
votes

I set up a RabbitMQ node (RabbitMQ 3.6.10, Erlang 20.2.2) to enable connections using both AMQP and MQTT protocols. I also planned to use the rabbitmq-auth-backend-http plugin in order to authenticate / authorize all requests.

This is my RabbitMQ node configuration (/etc/rabbitmq/rabbitmq.conf):

loopback_users.guest = false
listeners.tcp.default = 5672
management.tcp.port = 15672
log.console.level = debug
mqtt.allow_anonymous = false
auth_backends.1 = http
auth_http.http_method   = post
auth_http.user_path     = http://localhost/authenticator/api/v1/user
auth_http.vhost_path    = http://localhost/authenticator/api/v1/vhost
auth_http.resource_path = http://localhost/authenticator/api/v1/resource
auth_http.topic_path    = http://localhost/authenticator/api/v1/topic

A REST API runs on the localhost and provides four endpoints for authentication / authorization. For instance, this is an example of usage:

  • Request: http://localhost/authenticator/api/v1/user?username=device_1&password=helloWorld
  • API Response: allow with OK 200

The plugins enabled on the RabbitMQ node are the following:

[E*] rabbitmq_amqp1_0           3.6.10
[E*] rabbitmq_auth_backend_http 20171215-3.6.x
[E*] rabbitmq_management        3.6.10
[E*] rabbitmq_mqtt              3.6.10

When attempting to connect with an MQTT client using the same credentials as above (username=device_1, password=helloWorld), the client prints CONNACK received with code 4. The RabbitMQ node log shows the following:

=INFO REPORT==== 7-May-2020::03:50:09 ===
MQTT vhost picked using plugin configuration or default

=ERROR REPORT==== 7-May-2020::03:50:09 ===
MQTT login failed for "device_1" auth_failure: Refused

When trying to connect using an AMQP client with the same credentials, it throws an exception ConnectionClosedByBroker: (403) 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.'.

The RabbitMQ logs show the following:

accepting AMQP connection <0.1878.0> (127.0.0.1:57994 -> 127.0.0.1:5672)

=ERROR REPORT==== 7-May-2020::03:53:14 ===
Error on AMQP connection <0.1878.0> (127.0.0.1:57994 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'device_1' - invalid credentials

=INFO REPORT==== 7-May-2020::03:53:14 ===
closing AMQP connection <0.1878.0> (127.0.0.1:57994 -> 127.0.0.1:5672)

In both cases, the REST API log does not show any connection attempt coming from the RabbitMQ node to authenticate both requests.

It's been few days that I'm reading the RabbitMQ documentation and trying different parameters. However, I could not get it right yet.

What am I missing here?

PS: The same issues occur with RabbitMQ 3.7.25 and 3.8

1
authenticationrabbitmqmqttamqp

1 Answers

0
votes

I am not sure if you got the solution for this but for others facing the same issue.

I faced the exact problem, the problem was with the request body. MQTT provides client_id with the request body, unlike amqp.

client_id should be added to all the endpoints request objects including user, vhost, resource, topic.

Like for vhost:

  • username
  • vhost
  • ip
  • client_id