Distributed Tracing: ACCESS ERROR (amqp:unauthorized-access)

Options
badr
badr Member Posts: 3
edited December 2022 in General Discussions #1

Hi,

I'm testing the new dsitributed tracing feature, so I deployed a local stack with Docker:

  • solace/solace-pubsub-standard:10.2.1.32
  • otel/opentelemetry-collector-contrib:0.67.0
  • jaegertracing/all-in-one

I setup the telemetry over the UI and are using the "Try me" to send message, i find them in my Queue and also in the tracing queue.


but I have an error message on OpenTelemetry-collector :

2022-12-21T15:05:54.103Z	debug	solacereceiver@v0.67.0/messaging_service.go:125	Dialing AMQP	{"kind": "receiver", "name": "solace", "pipeline": "traces", "addr": "amqp://solace:5672"}
2022-12-21T15:05:54.110Z	debug	solacereceiver@v0.67.0/messaging_service.go:131	Creating new AMQP Session	{"kind": "receiver", "name": "solace", "pipeline": "traces"}
2022-12-21T15:05:54.111Z	debug	solacereceiver@v0.67.0/messaging_service.go:137	Creating new AMQP Receive Link	{"kind": "receiver", "name": "solace", "pipeline": "traces", "source": "queue://#telemetry-tracing"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/messaging_service.go:144	Create AMQP Receiver Link failure	{"kind": "receiver", "name": "solace", "pipeline": "traces", "error": "*Error{Condition: amqp:unauthorized-access, Description: SMF AD bind response error, Info: map[solace.response_code:403 solace.response_text:Permission Not Allowed]}"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/receiver.go:155	Encountered error while connecting messaging service	{"kind": "receiver", "name": "solace", "pipeline": "traces", "error": "*Error{Condition: amqp:unauthorized-access, Description: SMF AD bind response error, Info: map[solace.response_code:403 solace.response_text:Permission Not Allowed]}"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/messaging_service.go:159	Closing AMQP Session	{"kind": "receiver", "name": "solace", "pipeline": "traces"}
2022-12-21T15:05:54.113Z	debug	solacereceiver@v0.67.0/messaging_service.go:166	Closing AMQP Client	{"kind": "receiver", "name": "solace", "pipeline": "traces"}


I created a new client_username and gave it client_profile and ACL which are already created with UI.



I think the problem comes from the configuration of the queue, it has no owner and also Non-Owner Permission contains "No Access"

Any idea please ?

Thanks in advance. Kind regards,

Badr.

Comments

  • Tamimi
    Tamimi Member, Administrator, Employee Posts: 500 admin
    Options

    Hey @badr - A couple of things that you can look into:

    • Can you please confirm if the telemetry profile enabled? You can check this by going to the Settings tab in your tracing_profile profile and making sure that both Trace and Receiver are enabled
    • In your created telemetry profile (tracing_profile) under the Receiver Connect ACLs tab, make sure that the Client Connect Default Action is set to Allow
    • Under Access Control --> Client Username, make sure you have a client username and a password that matches what you have in your otel config file (otel-collector-config.yaml) in the solace receiver section
    solace:
        broker: [solbroker:5672]
        max_unacknowledged: 500
        auth:
          sasl_plain:
            username: <username>
            password: <password>
        queue: queue://#telemetry-trace
        tls:
          insecure: true
          insecure_skip_verify: true
    
    • Make sure that profile that you created is Enabled. If you click on the created username, make sure the Enabled section is toggled on
    • Make sure the client_profile and adn the acl_profile of that username is set to #telemetry-tracing_profile

    Note that the No Access just simply means that anyone who is not the queue owner cannot interact with the queue (e.g. bind, add subscriptions, SMF delete). You can read more about it under the Configuring Queue section in the docs

    Let me know if you still face the same issue after checking all these and we can look into it

    Also, I have edited your question to reformat the code block of your logs ;)

  • badr
    badr Member Posts: 3
    Options

    Hi @Tamimi,


    Thanks for your response, Here are my answers to your questions :

    • Can you please confirm if the telemetry profile enabled? You can check this by going to the Settings tab in your tracing_profile profile and making sure that both Trace and Receiver are enabled ? YES, i confirms that telemetry profile is activated 
    • In your created telemetry profile (tracing_profile) under the Receiver Connect ACLs tab, make sure that the Client Connect Default Action is set to Allow ? YES,I set the value to ALLOW
    • Under Access Control --> Client Username, make sure you have a client username and a password that matches what you have in your otel config file (otel-collector-config.yaml) in the solace receiver section? YES, I put the right client_username with the right password on the OTEL configuration
    • Make sure that profile that you created is Enabled. If you click on the created username, make sure the Enabled section is toggled on? the profile is created when I activated the telemetry, on my side I created a new client_username and I gave him the PROFILE and ACL generated by telemetry 
    • Make sure the client_profile and adn the acl_profile of that username is set to #telemetry-tracing_profile? i confirme.

    I still have the authorization error.

    Best Regards.

    Badr.

  • mcardy
    mcardy Member, Employee Posts: 12 Solace Employee
    Options

    Hey @badr!

    It looks like the receiver is trying to connect to the wrong queue. From the logs, the Solace Receiver on the OpenTelemetry Collector is trying to connect to the queue #telemetry-tracing whereas in your screenshots the queue name is actually #telemetry-tracing_profile . Can you try changing the queue name in the OpenTelemetry config to match the queue name #telemetry-tracing_profile?

  • badr
    badr Member Posts: 3
    Options

    Hi @mcardy,


    when I changed the Queue name it works.

    thanks a lot.