Distributed Tracing: ACCESS ERROR (amqp:unauthorized-access)

badr

Hi,

I'm testing the new dsitributed tracing feature, so I deployed a local stack with Docker:

• solace/solace-pubsub-standard:10.2.1.32
• otel/opentelemetry-collector-contrib:0.67.0
• jaegertracing/all-in-one

I setup the telemetry over the UI and are using the "Try me" to send message, i find them in my Queue and also in the tracing queue.

but I have an error message on OpenTelemetry-collector :

2022-12-21T15:05:54.103Z	debug	solacereceiver@v0.67.0/messaging_service.go:125	Dialing AMQP	{"kind": "receiver", "name": "solace", "pipeline": "traces", "addr": "amqp://solace:5672"}
2022-12-21T15:05:54.110Z	debug	solacereceiver@v0.67.0/messaging_service.go:131	Creating new AMQP Session	{"kind": "receiver", "name": "solace", "pipeline": "traces"}
2022-12-21T15:05:54.111Z	debug	solacereceiver@v0.67.0/messaging_service.go:137	Creating new AMQP Receive Link	{"kind": "receiver", "name": "solace", "pipeline": "traces", "source": "queue://#telemetry-tracing"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/messaging_service.go:144	Create AMQP Receiver Link failure	{"kind": "receiver", "name": "solace", "pipeline": "traces", "error": "*Error{Condition: amqp:unauthorized-access, Description: SMF AD bind response error, Info: map[solace.response_code:403 solace.response_text:Permission Not Allowed]}"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/receiver.go:155	Encountered error while connecting messaging service	{"kind": "receiver", "name": "solace", "pipeline": "traces", "error": "*Error{Condition: amqp:unauthorized-access, Description: SMF AD bind response error, Info: map[solace.response_code:403 solace.response_text:Permission Not Allowed]}"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/messaging_service.go:159	Closing AMQP Session	{"kind": "receiver", "name": "solace", "pipeline": "traces"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/messaging_service.go:166	Closing AMQP Client	{"kind": "receiver", "name": "solace", "pipeline": "traces"}

I created a new client_username and gave it client_profile and ACL which are already created with UI.

I think the problem comes from the configuration of the queue, it has no owner and also Non-Owner Permission contains "No Access"

Any idea please ?

Thanks in advance. Kind regards,

Badr.

Tamimi

Hey @badr - A couple of things that you can look into:

• Can you please confirm if the telemetry profile enabled? You can check this by going to the Settings tab in your tracing_profile profile and making sure that both Trace and Receiver are enabled
• In your created telemetry profile (tracing_profile) under the Receiver Connect ACLs tab, make sure that the Client Connect Default Action is set to Allow
• Under Access Control --> Client Username, make sure you have a client username and a password that matches what you have in your otel config file (otel-collector-config.yaml) in the solace receiver section

solace:
    broker: [solbroker:5672]
    max_unacknowledged: 500
    auth:
      sasl_plain:
        username: <username>
        password: <password>
    queue: queue://#telemetry-trace
    tls:
      insecure: true
      insecure_skip_verify: true

• Make sure that profile that you created is Enabled. If you click on the created username, make sure the Enabled section is toggled on
• Make sure the client_profile and adn the acl_profile of that username is set to #telemetry-tracing_profile

Note that the No Access just simply means that anyone who is not the queue owner cannot interact with the queue (e.g. bind, add subscriptions, SMF delete). You can read more about it under the Configuring Queue section in the docs

Let me know if you still face the same issue after checking all these and we can look into it

Also, I have edited your question to reformat the code block of your logs ;)

badr

Hi @Tamimi,

Thanks for your response, Here are my answers to your questions :

• Can you please confirm if the telemetry profile enabled? You can check this by going to the Settings tab in your tracing_profile profile and making sure that both Trace and Receiver are enabled ? YES, i confirms that telemetry profile is activated 
• In your created telemetry profile (tracing_profile) under the Receiver Connect ACLs tab, make sure that the Client Connect Default Action is set to Allow ? YES,I set the value to ALLOW
• Under Access Control --> Client Username, make sure you have a client username and a password that matches what you have in your otel config file (otel-collector-config.yaml) in the solace receiver section? YES, I put the right client_username with the right password on the OTEL configuration
• Make sure that profile that you created is Enabled. If you click on the created username, make sure the Enabled section is toggled on? the profile is created when I activated the telemetry, on my side I created a new client_username and I gave him the PROFILE and ACL generated by telemetry 
• Make sure the client_profile and adn the acl_profile of that username is set to #telemetry-tracing_profile? i confirme.

I still have the authorization error.

Best Regards.

Badr.

mcardy

Hey @badr!

It looks like the receiver is trying to connect to the wrong queue. From the logs, the Solace Receiver on the OpenTelemetry Collector is trying to connect to the queue #telemetry-tracing whereas in your screenshots the queue name is actually #telemetry-tracing_profile . Can you try changing the queue name in the OpenTelemetry config to match the queue name #telemetry-tracing_profile?

badr

Hi @mcardy,

when I changed the Queue name it works.

thanks a lot.