How do I configure autentication properly for locally hosted docker container

wraldpyk
wraldpyk Member Posts: 6

I've downloaded the docker container and have it running locally, with Postman I managed to send messages to localhost:9000 just fine as well.

But now, through Access Control I enabled basic authentication with the internal database, created a user in User Mgmt, gave that user a password, but with that user I can't POST messages, using Postman, like I could before I enabled authentication. What am I missing here?

Best Answer

  • amackenzie
    amackenzie Member, Employee Posts: 268 Solace Employee
    #2 Answer ✓

    Ari is correct. In your screenshot of activating the Internal Database 2 posts ago, notice the "Client Usernames" tab. This is where you would add your user for messaging access and assign a password.

Answers

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Hi @wraldpyk

    What's the error you're seeing?

    Also, after you enabled basic auth, why don't you try with the default user first. This is how I do it in my Postman.

    And also, creating client users is done by adding "client usernames" via the Access Control menu as well, be careful not to mistake it with the Administrator users management from the bottom of the left menu.

  • wraldpyk
    wraldpyk Member Posts: 6

    With both my new user and the default user I get the following response:

    <solace-error-response>
        <code>403</code>
        <reason>
            <![CDATA[Unauthorized]]>
        </reason>
        <detail>
            <![CDATA[
    SMF ClientCtrl response error
    ]]>
        </detail>
        <internal-use>2:13398</internal-use>
    </solace-error-response>
    

    I have enabled basic authentication in Postman, while sending a POST.

    My curl export from Postman is:

    curl --location --request POST 'localhost:9000/amazing/message' \
    --header 'Authorization: Basic ZGVmYXVsdDpkZWZhdWx0' \
    --header 'Content-Type: text/plain' \
    --header 'Cookie: TSID=44606607e086e888' \
    --data-raw 'awesome 2'
    

    With auth disabled on the server this same request works (without basic auth obviously)

  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Can you try using --user "user:pass" instead of --header 'Auth..'

  • wraldpyk
    wraldpyk Member Posts: 6

    @arih said:
    Can you try using --user "user:pass" instead of --header 'Auth..'

    This gave me the same error. Maybe my configuration is incorrect?

  • amackenzie
    amackenzie Member, Employee Posts: 268 Solace Employee
    edited December 2021 #7

    Can you post a screenshot of your postman? It's difficult to know if you entered the correct fields with just the base64 value for username:password (blur the password is fine).

    Also, can you show your list of Client Usernames from Broker Manager gui?

  • wraldpyk
    wraldpyk Member Posts: 6

    Both are attached below. I gave the user full permission to just try it out.


  • arih
    arih Member, Employee Posts: 125 Solace Employee

    Hmm this looks like admin or management users and not application or client users.

    You should use the client usernames menu from Access Control menu on the left for apps user.

    Or, just use default:default for testing as the default user has most access open.

  • wraldpyk
    wraldpyk Member Posts: 6

    Ok interesting, I assumed it would take usernames from the User Mgmt (bottom section in the sidebar). I have found the "default" user, but it doesn't work for me with the API calls that worked before I enabled basic auth.

    Also with clients I can't specify a password, is that correct?

  • amackenzie
    amackenzie Member, Employee Posts: 268 Solace Employee
    #11 Answer ✓

    Ari is correct. In your screenshot of activating the Internal Database 2 posts ago, notice the "Client Usernames" tab. This is where you would add your user for messaging access and assign a password.

  • wraldpyk
    wraldpyk Member Posts: 6

    Yep that did the trick, I've been on different pages. Also, the default user didn't have password 'default', so when I changed it it worked also. Thanks a lot!

  • amackenzie
    amackenzie Member, Employee Posts: 268 Solace Employee

    Glad that helped.

    Management users and messaging users are completely separate in PubSub+. This is for security reasons where a management user cannot view potentially sensitive message payloads and messaging users cannot change broker configuration, etc.