How to generate password_hash for RabbitMQ Management HTTP API

The beloved RabbitMQ Management Plugin has an HTTP API to manage RabbitMQ through plain HTTP requests.

We need to create users programmatically, and the HTTP API was the chosen way to go. The documentation is scarce, but the API is pretty simple and intuitive.

Concerned about security, we don't want to pass the user password in plain text, and the API offers a field to send the password hash instead. Quote from there:

[ GET | PUT | DELETE ] /api/users/name

An individual user. To PUT a user, you will need a body looking something like this:

{"password":"secret","tags":"administrator"}

or:

{"password_hash":"2lmoth8l4H0DViLaK9Fxi6l9ds8=", "tags":"administrator"}

The tags key is mandatory. Either password or password_hash must be set.

So far, so good, the problem is: how to correctly generate the password_hash?

The password hashing algorithm is configured in RabbitMQ's configuration file, and ours is configured as the default SHA256.

I'm using C#, and the following code to generate the hash:

using System.Security.Cryptography;
using System.Text;

// Plain (unsalted) SHA-256 of the password, hex-encoded: the attempt described above
var cr = new SHA256Managed();
var simplestPassword = "1";
var bytes = cr.ComputeHash(Encoding.UTF8.GetBytes(simplestPassword));
var sb = new StringBuilder();
foreach (var b in bytes) sb.Append(b.ToString("x2"));
var hash = sb.ToString();

This doesn't work. Testing in some online tools for SHA256 encryption, the code is generating the expected output. However, if we go to the management page and set the user password manually to "1", it works like a charm.

This answer led me to export the configurations and take a look at the hashes RabbitMQ is generating, and I realized a few things:

  • hash example of "1": "y4xPTRVfzXg68sz9ALqeQzARam3CwnGo53xS752cDV5+Utzh"
  • all the user's hashes have fixed length
  • the hashes change every time (even if the password is the same). I know PB2K also does this to passwords, but I don't know the name of this cryptographic property.
  • if I pass the password_hash the RabbitMQ stores it without changes

I'm accepting suggestions in other programming languages as well, not just C#.

Dinei asked Dec 23 '16 18:12

2 Answers

And for fun, the bash version!

#!/bin/bash

# Produce a RabbitMQ password_hash: base64(salt ++ sha256(salt ++ password)),
# with a fresh random 4-byte salt, so the result matches what the broker stores.
function encode_password()
{
    SALT=$(od -A n -t x1 -N 4 /dev/urandom | tr -d ' \n')          # 4 random salt bytes as hex
    PASS=$SALT$(echo -n "$1" | xxd -ps | tr -d '\n' | tr -d ' ')    # hex(salt ++ utf-8 password)
    PASS=$(echo -n "$PASS" | xxd -r -p | sha256sum | head -c 64)    # hex(sha256(salt ++ password)), digest only
    PASS=$(echo -n "$SALT$PASS" | xxd -r -p | base64 | tr -d '\n')  # base64(salt ++ digest)
    echo "$PASS"
}

encode_password "some-password"
Waldo answered Sep 20 '22 16:09

From: http://rabbitmq.1065348.n5.nabble.com/Password-Hashing-td276.html

However, the algorithm is quite simple if you want to implement it yourself. Here's a worked example:

Generate a random 32 bit salt:

CA D5 08 9B

Concatenate that with the UTF-8 representation of the password (in this case "simon"):

CA D5 08 9B 73 69 6D 6F 6E

Take the MD5 hash:

CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12

Concatenate the salt again:

CA D5 08 9B CB 37 02 72 AC 5D 08 E9 B6 99 4A 17 2B 5F 57 12

And convert to base64 encoding:

ytUIm8s3AnKsXQjptplKFytfVxI=

You should be able to modify your code to follow this process.

Derick Bailey answered Sep 17 '22 16:09
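An added example, not code from either answer nor from RabbitMQ itself: a Python implementation of the scheme both answers describe (base64 of a 4-byte salt followed by the hash of salt ++ password), parameterised over SHA-256 (the default the question mentions) and the older MD5 from the mailing-list walkthrough, plus a verifier that reverses the layout the way the broker does and rejects malformed or wrong-length input. The function and constant names are my own; the 4-byte salt length follows the worked example above and the 48-character hashes in the question, and the algorithm name is assumed to match whatever the broker is configured with.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# RabbitMQ stores password_hash as base64(salt ++ H(salt ++ password)) with a
# 4-byte salt. That layout follows the worked example quoted in the second
# answer and matches the 48-character hashes in the question
# (4 salt bytes + 32 SHA-256 bytes = 36 bytes -> 48 base64 characters).
SALT_LEN = 4

# "sha256" is the default the question mentions; "md5" is the older scheme
# from the mailing-list example. The name chosen here is assumed to match
# the hashing algorithm configured on the broker.
HASH_FUNCTIONS = {"sha256": hashlib.sha256, "md5": hashlib.md5}


def hash_password(password: str, algorithm: str = "sha256",
                  salt: Optional[bytes] = None) -> str:
    """Return a RabbitMQ-style password_hash for `password`.

    A fresh random salt is drawn on every call unless one is supplied, which is
    why two hashes of the same password never look alike (the property the
    question noticed).
    """
    if algorithm not in HASH_FUNCTIONS:
        raise ValueError("unsupported hashing algorithm: %s" % algorithm)
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = HASH_FUNCTIONS[algorithm](salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_password(stored_hash: str, password: str,
                    algorithm: str = "sha256") -> bool:
    """Check `password` against a stored password_hash the way the broker would.

    The salt is recovered from the first 4 decoded bytes, the candidate is
    re-hashed with it, and the digests are compared in constant time. A hash
    of the wrong length for `algorithm` (e.g. an MD5 hash checked as SHA-256)
    or a string that is not valid base64 is rejected instead of raising.
    """
    if algorithm not in HASH_FUNCTIONS:
        raise ValueError("unsupported hashing algorithm: %s" % algorithm)
    try:
        raw = base64.b64decode(stored_hash, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest_len = HASH_FUNCTIONS[algorithm]().digest_size
    if len(raw) != SALT_LEN + digest_len:
        return False
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    actual = HASH_FUNCTIONS[algorithm](salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


def user_put_body(password: str, tags: str = "administrator") -> str:
    """Build the JSON body for PUT /api/users/<name> using password_hash."""
    return json.dumps({"password_hash": hash_password(password), "tags": tags})


def mailing_list_example_matches() -> bool:
    """Recompute the MD5 worked example from the second answer
    (salt CA D5 08 9B, password "simon") and compare with its base64 result."""
    salt = bytes.fromhex("cad5089b")
    return hash_password("simon", "md5", salt) == "ytUIm8s3AnKsXQjptplKFytfVxI="


if __name__ == "__main__":
    h = hash_password("1")
    print("password_hash for '1':", h, "(%d base64 chars)" % len(h))
    print("verifies:", verify_password(h, "1"), "| wrong password:", verify_password(h, "2"))
    print("PUT body:", user_put_body("1"))
    print("MD5 worked example reproduced:", mailing_list_example_matches())
```

Run it and compare the output of `hash_password("1")` with the `y4xPTRVfz...` value from the question: both are 48 characters and both decode to 4 salt bytes plus a 32-byte digest, which is exactly why the unsalted hex SHA-256 in the C# attempt could never match. The verifier is what you want on the client side when checking that a hash you are about to PUT really corresponds to the intended password.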