Settings in rabbitmq.config seem to be ignored

[Phatsuo]

Settings in rabbitmq.config seem to be ignored. For example, I have installed the plug-in, and edited my configuration like so:

{auth_backends, [{rabbit_auth_backend_internal, [rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]}]},
{rabbitmq_auth_backend_ip_range, [{tag_masks, [{'ip-private', [<<"::FFFF:127.0.0.1/128">>]}]}, {default_masks, [<<"::0/0">>]}]}

Then I have tried sending a message as a user tagged with 'ip-private' from 127.0.0.1 to RabbitMQ. I see the following error message in the log file.

=WARNING REPORT==== 20-Oct-2015::15:26:32 ===
Address 127.0.0.1 not matching any of [ 192.168.0.0/16 ::FFFF:192.168.0.0/112 ]

Those IP ranges listed are the ones present in the rabbitmq_auth_backend_ip_range.app file within the plugin.

I also tried creating some tags other than "ip-private" - these seems to have no effect at all.

No matter what I do, it seems as if the plugin is using the IP range settings in the rabbitmq_auth_backend_ip_range.app file.

I have tried reinstalling the rabbit server to make sure the config is reloaded.

Any idea what is wrong?

[gotthardp]

Could you please double check that the rabbitmq.config you modified is the one that is used by RabbitMQ? The config file is indicated in log file (right below the logo) or in the Web management (Overview > Node).
The current implementation thinks that 192.168.0.0 and ::FFFF:192.168.0.0 are different addresses (I will probably fix that), but this is not the rootcase of your problem.

[Phatsuo]

Yes, I am quite certain I am editing the correct config file.

1. I have checked in the admin.
2. I have checked in the log file.
3. I can turn this plug in on or off by adding or removing rabbit_auth_backend_ip_range in the config.

[gotthardp]

I have troubles reproducing the problem. I suspect there is a typo in the config, but what you posted above works fine for me. In auth_backends the backend is called rabbit_auth_backend_ip_range, but its configuration section is rabbitmq_auth_backend_ip_range (with extra "mq"). Right?

Which RabbitMQ version are you using?

[Phatsuo]

Yes, rabbit_auth_backend_ip_range and rabbitmq_auth_backend_ip_range.

I am using RabbitMQ 3.5.6 on Windows 7 64-bit.

[Phatsuo]

Thinking it might be a Windows problem, I have tried on both Mac and Linux. I have been unable to get those working either - in fact I can't see to get it to reject any requests under those OSs. What OS are you testing with?

If there are way to trigger more logging by the plugin?

[gotthardp]

I confirm there is an issue with RabbitMQ 3.5.6-- the plugin is never consulted.

[Phatsuo]

Thanks! While you are in there fixing that, I see the plugin logs a line when a user does not match the IP range. It would be useful if it logged something either way - match or no match. This would be very helpful when debugging.

[gotthardp]

False hopes. I still did not reproduce the bug. However, I released v0.1.1 with some additional logging. Please install the updated plug-in and enable RabbitMQ debug logging in your rabbitmq.config as follows:

[{rabbit, [
    {log_levels, [{default, debug}]},
    ...
]}, ...]

With this your plugin should log both negative and positive matches. If it does not help I will do another release with even more logs.

[Phatsuo]

I have tried the new version. On Windows, the behavior is the same. Here's my entire config file:

[
{rabbit,
[
{log_levels, [{default, debug}]},
{auth_backends,
[
{rabbit_auth_backend_internal,
[rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]
}
]}
,
{rabbitmq_auth_backend_ip_range,
[
{tag_masks,
[
{'tag999', [<<"192.168.0.100/32">>]}
]},
{default_masks, [<<"0.0.0.0/32">>]}
]}
]}
].

With a user tagged 'tag999' from an external IP address (should get denied):

=INFO REPORT==== 29-Oct-2015::14:26:13 ===
Address xxx.200.24.101 matching [ ::0/0 ]

With an untagged user from an external IP address (should get denied):

=INFO REPORT==== 29-Oct-2015::14:28:27 ===
Address xxx.200.24.101 matching [ ::0/0 ]

And with a user tagged 'ip-private' from an external IP address (should get denied but for a different reason):

=WARNING REPORT==== 29-Oct-2015::14:19:54 ===
Address xxx.200.24.101 not matching any of [ ::FFFF:192.168.0.0/112 ]

On Linux I still see nothing in indicate the plugin is logging anything.

=INFO REPORT==== 29-Oct-2015::15:25:55 ===
Server startup complete; 7 plugins started.

• rabbitmq_management
• rabbitmq_web_dispatch
• webmachine
• mochiweb
• rabbitmq_management_agent
• rabbitmq_auth_backend_ip_range
• amqp_client

=INFO REPORT==== 29-Oct-2015::15:27:25 ===
accepting AMQP connection <0.349.0> (192.168.0.74:43213 -> 192.168.0.75:5672)

=INFO REPORT==== 29-Oct-2015::15:27:27 ===
accepting AMQP connection <0.367.0> (192.168.0.74:43215 -> 192.168.0.75:5672)

=INFO REPORT==== 29-Oct-2015::15:27:27 ===
closing AMQP connection <0.367.0> (192.168.0.74:43215 -> 192.168.0.75:5672)

I know rabbit is loading and parsing my config correctly because when I purposely modify the file so it is invalid, rabbit report the error and does not start. So I am not sure what is going on here, but clearly the plugin is still using the settings with in the app file, and not the settings in my config file.

Perhaps the next debugging step would be for the plug in to echo the configuration to the log file, and maybe a line at start up that says it is running?

[gotthardp]

Hey, you have a typo in your rabbitmq.config! (Sorry that it took so long, I didn't realize this could be the issue.)

You have:

[
{rabbit,
[
{log_levels, [{default, debug}]},
...
,
{rabbitmq_auth_backend_ip_range,
[
...
{default_masks, [<<"0.0.0.0/32">>]}
]}
]}
].

But correct is:

[
{rabbit,
[
{log_levels, [{default, debug}]},
...
]},
{rabbitmq_auth_backend_ip_range,
[
...
{default_masks, [<<"0.0.0.0/32">>]}
]}
].

The ]} closing brackets are misplaced, so the entire rabbitmq_auth_backend_ip_range is inside the rabbit configuration, while it shall be a standalone block.

I will fix the documentation to clarify this aspect. Thanks for your patience and cooperation.