How do I configure autentication properly for locally hosted docker container

wraldpyk

I've downloaded the docker container and have it running locally, with Postman I managed to send messages to localhost:9000 just fine as well.

But now, through Access Control I enabled basic authentication with the internal database, created a user in User Mgmt, gave that user a password, but with that user I can't POST messages, using Postman, like I could before I enabled authentication. What am I missing here?

amackenzie

Ari is correct. In your screenshot of activating the Internal Database 2 posts ago, notice the "Client Usernames" tab. This is where you would add your user for messaging access and assign a password.

arih

Hi @wraldpyk

What's the error you're seeing?

Also, after you enabled basic auth, why don't you try with the default user first. This is how I do it in my Postman.

And also, creating client users is done by adding "client usernames" via the Access Control menu as well, be careful not to mistake it with the Administrator users management from the bottom of the left menu.

wraldpyk

With both my new user and the default user I get the following response:

<solace-error-response>
    <code>403</code>
    <reason>
        <![CDATA[Unauthorized]]>
    </reason>
    <detail>
        <![CDATA[
SMF ClientCtrl response error
]]>
    </detail>
    <internal-use>2:13398</internal-use>
</solace-error-response>

I have enabled basic authentication in Postman, while sending a POST.

My curl export from Postman is:

curl --location --request POST 'localhost:9000/amazing/message' \
--header 'Authorization: Basic ZGVmYXVsdDpkZWZhdWx0' \
--header 'Content-Type: text/plain' \
--header 'Cookie: TSID=44606607e086e888' \
--data-raw 'awesome 2'

With auth disabled on the server this same request works (without basic auth obviously)

arih

Can you try using --user "user:pass" instead of --header 'Auth..'

wraldpyk

@arih said:
Can you try using --user "user:pass" instead of --header 'Auth..'

This gave me the same error. Maybe my configuration is incorrect?

amackenzie

Can you post a screenshot of your postman? It's difficult to know if you entered the correct fields with just the base64 value for username:password (blur the password is fine).

Also, can you show your list of Client Usernames from Broker Manager gui?

wraldpyk

Both are attached below. I gave the user full permission to just try it out.

arih

Hmm this looks like admin or management users and not application or client users.

You should use the client usernames menu from Access Control menu on the left for apps user.

Or, just use default:default for testing as the default user has most access open.

wraldpyk

Ok interesting, I assumed it would take usernames from the User Mgmt (bottom section in the sidebar). I have found the "default" user, but it doesn't work for me with the API calls that worked before I enabled basic auth.

Also with clients I can't specify a password, is that correct?

amackenzie

Ari is correct. In your screenshot of activating the Internal Database 2 posts ago, notice the "Client Usernames" tab. This is where you would add your user for messaging access and assign a password.

wraldpyk

Yep that did the trick, I've been on different pages. Also, the default user didn't have password 'default', so when I changed it it worked also. Thanks a lot!

amackenzie

Glad that helped.

Management users and messaging users are completely separate in PubSub+. This is for security reasons where a management user cannot view potentially sensitive message payloads and messaging users cannot change broker configuration, etc.