Merge pull request #15811 from rabbitmq/mergify/bp/v4.2.x/pr-15810

michaelklishin · web-flow · commit 7b92385b1542 · 2026-03-23T15:50:11.000-07:00
Allow tagged (e.g. `encrypted:...`) values for more `rabbitmq.conf` keys (backport #15808) (backport #15810)
diff --git a/deps/rabbit/priv/schema/rabbit.schema b/deps/rabbit/priv/schema/rabbit.schema
@@ -2004,7 +2004,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "log.syslog.ssl_options.password", "syslog.protocol",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "log.syslog.ssl_options.psk_identity", "syslog.protocol",
     [{datatype, string}]}.
@@ -2999,7 +2999,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "amqp10_client.ssl_options.password", "amqp10_client.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "amqp10_client.ssl_options.psk_identity", "amqp10_client.ssl_options.psk_identity",
     [{datatype, string}]}.
@@ -3107,7 +3107,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "amqp_client.ssl_options.password", "amqp_client.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "amqp_client.ssl_options.psk_identity", "amqp_client.ssl_options.psk_identity",
     [{datatype, string}]}.
diff --git a/deps/rabbit/test/config_schema_SUITE_data/certs/ca_certificate.pem b/deps/rabbit/test/config_schema_SUITE_data/certs/ca_certificate.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgIUfEM6fv9A+IzNCfjV/aJtTyh16BgwDQYJKoZIhvcNAQEL
+BQAwSzE6MDgGA1UEAwwxVExTR2VuU2VsZlNpZ25lZFJvb3RDQSAyMDI1LTEyLTA0
+VDE1OjA1OjIwLjEyMjA2ODENMAsGA1UEBwwEJCQkJDAeFw0yNTEyMDQyMzA1MjBa
+Fw0zNTEyMDIyMzA1MjBaMEsxOjA4BgNVBAMMMVRMU0dlblNlbGZTaWduZWRSb290
+Q0EgMjAyNS0xMi0wNFQxNTowNToyMC4xMjIwNjgxDTALBgNVBAcMBCQkJCQwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGxxlb5vnDOG6pw8n3QGHLZ2LN
+Ewo6PUO3LqvCb0JBfGYUSBEC/ICt8xJrYgobnuH+/3j5IkzJKxxN2vpNtQoD1/vO
+VjfmFvQCrfEO2p3IBcEiC7T/bKtK0iT42u3cqRdj+DRREpI+hVT/JhUcL8axj3Le
+XlOPTqwxuGMtlgdtRZynVuQ8n1oZQga05g3RCum68qNzwxMz4V0tfvQfBnMSeGk+
+Qs+pxRICz/Nn741FA6QUfw8QIDhnQTfg1Smp9YH88tRe++R7DV3Zu79HA2Vmc8LY
+x929lBbh6tk6TyexQ2NX5fVX1yRMYnX7c5eDtyJ46rFNr0iL8+lleHm4EdT7AgMB
+AAGjYDBeMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBTG
+XQWR1ynJd3W5OdXJbx6YkELzGzAfBgNVHSMEGDAWgBTGXQWR1ynJd3W5OdXJbx6Y
+kELzGzANBgkqhkiG9w0BAQsFAAOCAQEALk5UCQc5k0HKyc1R33fcePDMuD9RsM2/
+1BWG8GMhA4kAOBnChmAtEyoAFsmWj3CyoP2Jx7+/JpKl9280qpwYcYIgeYLztTD3
+H5Jtdg46nuN+iP1dDZyM2RImwjpSlN2n8WMdZpjXlfV3e1BQT5zFPX8/WVti55LU
+zQNfyPKbljV4tWJuD49m0SwpdvInFvRaLIv+Ni4QLLvX8nV9UAfDzyKwCWRdUOIX
+M3i9k6/nTucawYwM8Kism79dGL3LPJ0IzwATqYtZ5tIPBUvqShwtICjX4h90LWkq
+CkuhiC1niGBR5zp4U57MTV78527JT66YhskQ/K+tyIKR2woo9IVPiw==
+-----END CERTIFICATE-----
diff --git a/deps/rabbit/test/config_schema_SUITE_data/certs/server_certificate.pem b/deps/rabbit/test/config_schema_SUITE_data/certs/server_certificate.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwTCCAqmgAwIBAgIBATANBgkqhkiG9w0BAQsFADBLMTowOAYDVQQDDDFUTFNH
+ZW5TZWxmU2lnbmVkUm9vdENBIDIwMjUtMTItMDRUMTU6MDU6MjAuMTIyMDY4MQ0w
+CwYDVQQHDAQkJCQkMB4XDTI1MTIwNDIzMDUyMFoXDTM1MTIwMjIzMDUyMFowJTES
+MBAGA1UEAwwJbG9jYWxob3N0MQ8wDQYDVQQKDAZzZXJ2ZXIwggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQClzAFmpTOQFJy+R1mybjlE6K3O7YPpL7W1kFYN
+4fXOt6QgDGXsJ+eHQBcNd2O4t+24syiEc+HQgM83XYNLatRmedYLWHL+AmMDRndF
+rNRKag6W0+xlAuy95q4wwWLcU5KkrHZu2DKvfzmTAcuNC+VgDDdk1W1CipjZInQn
+0VmHuTeUmePLw13kXoiV+k9MjWi9zU8GBOHn19RN13+Np5wA3oTaJ4K+2/f/mru2
+bTCbDEAiHmXZ6M4BW3dg3NyERT1mhLNkijPpGRmgULggXwG240vJ1YV6QH3voTxb
+Q2uGoJBOZ2pjjCv7ORsuyyt+TwYJnrs0qcSwWh2bWvEd/cv1AgMBAAGjgdUwgdIw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwMAYD
+VR0RBCkwJ4IJbG9jYWxob3N0gg9TRUEtM0xHNUhWSlVXSkuCCWxvY2FsaG9zdDAd
+BgNVHQ4EFgQU2zObX89sXUACpKmBqwI7Ri1Qx/kwHwYDVR0jBBgwFoAUxl0Fkdcp
+yXd1uTnVyW8emJBC8xswMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2NybC1zZXJ2
+ZXI6ODAwMC9iYXNpYy5jcmwwDQYJKoZIhvcNAQELBQADggEBAA38RwebMkjnebaG
+kHMqH3Skayr/gmD9futx9zGDBx2h848j8y5+RuQj0e4v1U6MM07qniqj5oaNbHHM
+7rbv96NPoYrP7aiDJRtr28yCKZ4NWwoEOJnRq/FlUcx3ybthhYK8VXisJj/BYr1l
+I2jWi86/mUFmfC+f38eeot0t7nPJ+BG4gpQ76mb2t14QHBzr0n4edpHteqX3zrAk
+8nBExGDBfjauYYRKKmxVogRck+KXZsI/9xbseZ1WmbDpBmQgkpt9hrlgqkvA83pT
+mwP8vA/OYnN2RNfQ4pLnuMs7musauU7ef/ZRD0CB9kRLyvnFJ8udCipO/Q3AKn2R
+Oc6FM20=
+-----END CERTIFICATE-----
diff --git a/deps/rabbit/test/config_schema_SUITE_data/certs/server_key.pem b/deps/rabbit/test/config_schema_SUITE_data/certs/server_key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQClzAFmpTOQFJy+
+R1mybjlE6K3O7YPpL7W1kFYN4fXOt6QgDGXsJ+eHQBcNd2O4t+24syiEc+HQgM83
+XYNLatRmedYLWHL+AmMDRndFrNRKag6W0+xlAuy95q4wwWLcU5KkrHZu2DKvfzmT
+AcuNC+VgDDdk1W1CipjZInQn0VmHuTeUmePLw13kXoiV+k9MjWi9zU8GBOHn19RN
+13+Np5wA3oTaJ4K+2/f/mru2bTCbDEAiHmXZ6M4BW3dg3NyERT1mhLNkijPpGRmg
+ULggXwG240vJ1YV6QH3voTxbQ2uGoJBOZ2pjjCv7ORsuyyt+TwYJnrs0qcSwWh2b
+WvEd/cv1AgMBAAECggEAAisLsYBoDxuvnKFCc2ul8W820BbU/fUPqIOlA+A/MyF0
+cq5qQPGGyowbQ1rIqJlrcRoS+BsG2A+lc8kmPZOiUTl3KG7AyMnxs5oVskkY6y4P
+8tnHICichpg5bSTeRf1n8A+2mA/ZFPrNnzGQNX2qFaE2smBo2NWrhGRDIYgHJnNh
+wnkPDA3Mn0qqZKxY7tyIhJw/y4s1spcvZCiK7qV3x4PxRPPFx+8owjXYa5pedvY/
+qcGfT2Jma9YNYEgnSMnkuU+bLn6iQrQCfFTDJn9UBMwvZSu6bK+1F+JdhC/XBBIy
+ZuFfTp2HJYEKOk1IT149T5ONx39GsRi8DLzDv1Dq4QKBgQDYAUBNWXpyC6dwCYz7
+fQKiogPD61fTOJSuKARUJyCJ/W0qK1Zb0RXySa7831lGljeAOw8M85lwT2ap81QB
+8Wah8i/R61X5lVaZERVFJbT+DCoPEjL54Qqn+NbQzJDGTkVvG7k5WYpHBT95zrjI
+T6IxiyPrNe34a+L7u35StW19VQKBgQDEft5H7aRjshivUyn9wOpn43c8ajRZ/FS5
+gkhntthGqj7R+M7y5H0n1XeTGG3LC/1TSkh51GvHlEO0Hp1Tx4xinkaLkODKtsNw
+GokbZxQn9urkeNPbN8sasSFfaY1Xw9nn1ZsHeDbmbyPRLCiFqLPGWZZpOcOwa1cY
+Y2k3iL4UIQKBgQDAN9zQ+F9OPbCyss0SvxwpPaO8JSHyhNdKY7H2cRszsKIEdKxU
+6KtvAMMHpHn9po+dPPEXxW810nK5qh+H2xpJ4wtK8vF/OLXnYJxc/EEkEg8bekaC
+txCUiYwgIupyjhSb2z/pGRVEPhdOffdRygu7quY72bH674b+HMs9LtZQQQKBgEHG
+fj3xrN+6lEzMN/g7hbv1BsrweknND8dxdy9Qo6E0CAddlFj2Z3bYHEjfGpGnl8sz
+yIMPumx6kxdOUDflSncQqGi7vKPe/hkeqNrFbJfcLdEBKVnumUx8EsHPoYLJir3y
+YQzlDuugNIsmjwH+8P7qqlDbB0idBfCiBmySl55BAoGBAL+WzTUS6JaRszpTHh2M
+MQpRYNGBxvJTafPBwy+uOxKUZph5aGt8yuniC4530QdxrAovi++ek8+NJeMOSTCo
+Mc+xkBuxCy505l8gKrnj97jtLxbzOiFp2ArFRqMm/9x70ZkO5HIX16AAgUABuP56
+IXyt2dPxMIunzSDmAdcLGhFd
+-----END PRIVATE KEY-----
diff --git a/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets b/deps/rabbit/test/config_schema_SUITE_data/rabbit.snippets
@@ -1399,7 +1399,7 @@ credential_validator.regexp = ^abc\\d+",
       [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"},
        {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"},
        {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"},
-       {password,"t0p$3kRe7"}]}]}],
+       {password,<<"t0p$3kRe7">>}]}]}],
   []},
  {amqp_client_ssl_options_tls_versions,
   "amqp_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/ca_certificate.pem
@@ -1504,7 +1504,7 @@ credential_validator.regexp = ^abc\\d+",
       [{cacertfile,"test/config_schema_SUITE_data/certs/ca_certificate.pem"},
        {certfile,"test/config_schema_SUITE_data/certs/server_certificate.pem"},
        {keyfile,"test/config_schema_SUITE_data/certs/server_key.pem"},
-       {password,"t0p$3kRe7"}]}]}],
+       {password,<<"t0p$3kRe7">>}]}]}],
   []},
  {amqp10_client_ssl_options_tls_versions,
   "amqp10_client.ssl_options.cacertfile = test/config_schema_SUITE_data/certs/ca_certificate.pem
diff --git a/deps/rabbit/test/unit_config_value_encryption_SUITE.erl b/deps/rabbit/test/unit_config_value_encryption_SUITE.erl
@@ -30,6 +30,7 @@ groups() ->
           decrypt_start_app_undefined,
           decrypt_start_app_wrong_passphrase,
           decrypt_config,
+          decrypt_config_map,
           rabbitmqctl_encode
         ]}
     ].
@@ -105,6 +106,33 @@ do_decrypt_config(Algo = {C, H, I, P}) ->
     ok = application:unload(rabbit),
     ok.
 
+decrypt_config_map(_Config) ->
+    Hashes = rabbit_pbe:supported_hashes() -- ?SKIPPED_HASHES,
+    Ciphers = rabbit_pbe:supported_ciphers() -- ?SKIPPED_CIPHERS,
+    Iterations = [1, 100, 1000],
+    _ = [begin
+        PassPhrase = crypto:strong_rand_bytes(16),
+        do_decrypt_config_map({C, H, I, PassPhrase})
+    end || H <- Hashes, C <- Ciphers, I <- Iterations],
+    ok.
+
+%% Verifies that encrypted values nested inside maps are decrypted,
+%% as required by e.g. rabbitmq_management.oauth_resource_servers.
+do_decrypt_config_map({C, H, I, P} = Algo) ->
+    case application:load(rabbit) of
+        ok -> ok;
+        {error, {already_loaded, rabbit}} -> ok
+    end,
+    Secret = <<"test_oauth_secret">>,
+    {encrypted, EncSecret} = rabbit_pbe:encrypt_term(C, H, I, P, Secret),
+    application:set_env(rabbit, test_map_decrypt,
+        #{<<"server">> => [{oauth_client_secret, {encrypted, EncSecret}}]}),
+    rabbit_prelaunch_conf:decrypt_config([rabbit], Algo),
+    {ok, Decrypted} = application:get_env(rabbit, test_map_decrypt),
+    Secret = proplists:get_value(oauth_client_secret, maps:get(<<"server">>, Decrypted)),
+    application:unset_env(rabbit, test_map_decrypt),
+    ok.
+
 encrypt_value(Key, {C, H, I, P}) ->
     {ok, Value} = application:get_env(rabbit, Key),
     {encrypted, EncValue} = rabbit_pbe:encrypt_term(C, H, I, P, Value),
diff --git a/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema b/deps/rabbitmq_auth_backend_ldap/priv/schema/rabbitmq_auth_backend_ldap.schema
@@ -290,7 +290,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "auth_ldap.ssl_options.password", "rabbitmq_auth_backend_ldap.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "auth_ldap.ssl_options.psk_identity", "rabbitmq_auth_backend_ldap.ssl_options.psk_identity",
     [{datatype, string}]}.
diff --git a/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets b/deps/rabbitmq_auth_backend_ldap/test/config_schema_SUITE_data/rabbitmq_auth_backend_ldap.snippets
@@ -199,7 +199,7 @@
             [{cacertfile,"test/config_schema_SUITE_data/certs/cacert.pem"},
              {certfile,"test/config_schema_SUITE_data/certs/cert.pem"},
              {keyfile,"test/config_schema_SUITE_data/certs/key.pem"},
-             {password,"t0p$3kRe7"}]}]}],
+             {password,<<"t0p$3kRe7">>}]}]}],
   []},
  {ssl_options_tls_versions,
   "auth_ldap.use_ssl = true
diff --git a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@@ -466,7 +466,7 @@ end}.
 {mapping, "management.oauth_client_id", "rabbitmq_management.oauth_client_id",
       [{datatype, string}]}.
 {mapping, "management.oauth_client_secret", "rabbitmq_management.oauth_client_secret",
-      [{datatype, string}]}.
+      [{datatype, [tagged_binary, binary]}]}.
 
 %% Configure OAuth2 authorization flow (defaults to code)
 {mapping, "management.oauth_response_type", "rabbitmq_management.oauth_response_type",
@@ -544,7 +544,7 @@ end}.
 {mapping,
   "management.oauth_resource_servers.$name.oauth_client_secret",
   "rabbitmq_management.oauth_resource_servers",
-  [{datatype, string}]
+  [{datatype, [tagged_binary, binary]}]
 }.
 
 {mapping,
diff --git a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
@@ -674,7 +674,7 @@
                           {oauth_enabled, true},
                           {oauth_provider_url, "http://localhost:8080"},
                           {oauth_client_id, "rabbitmq_client_code"},
-                          {oauth_client_secret, "rabbitmq_client_secret"},
+                          {oauth_client_secret, <<"rabbitmq_client_secret">>},
                           {oauth_scopes, "openid profile rabbitmq.*"},
                           {oauth_initiated_logon_type, idp_initiated},
                           {oauth_token_endpoint_params, [
diff --git a/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema b/deps/rabbitmq_peer_discovery_aws/priv/schema/rabbitmq_peer_discovery_aws.schema
@@ -50,7 +50,7 @@ end}.
 %% secret_key
 
 {mapping, "cluster_formation.aws.secret_key", "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key", [
-    {datatype, string}
+    {datatype, [tagged_string, string]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_aws.aws_secret_key",
diff --git a/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema b/deps/rabbitmq_peer_discovery_consul/priv/schema/rabbitmq_peer_discovery_consul.schema
@@ -53,7 +53,7 @@ end}.
 %% ACL token
 
 {mapping, "cluster_formation.consul.acl_token", "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token", [
-    {datatype, string}
+    {datatype, [tagged_string, string]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_consul.consul_acl_token",
@@ -416,7 +416,7 @@ end}.
 [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.password", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.password",
-[{datatype, string}]}.
+[{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "cluster_formation.consul.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_consul.ssl_options.psk_identity",
 [{datatype, string}]}.
diff --git a/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema b/deps/rabbitmq_peer_discovery_etcd/priv/schema/rabbitmq_peer_discovery_etcd.schema
@@ -152,7 +152,7 @@ fun(Conf) ->
 end}.
 
 {mapping, "cluster_formation.etcd.password", "rabbit.cluster_formation.peer_discovery_etcd.etcd_password", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
 
 {translation, "rabbit.cluster_formation.peer_discovery_etcd.etcd_password",
@@ -226,7 +226,7 @@ end}.
     [{datatype, {enum, [true, false]}}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.password", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.password",
-    [{datatype, string}]}.
+    [{datatype, [tagged_binary, binary]}]}.
 
 {mapping, "cluster_formation.etcd.ssl_options.psk_identity", "rabbit.cluster_formation.peer_discovery_etcd.ssl_options.psk_identity",
     [{datatype, string}]}.
diff --git a/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets b/deps/rabbitmq_peer_discovery_etcd/test/config_schema_SUITE_data/rabbitmq_peer_discovery_etcd.snippets
@@ -72,7 +72,7 @@
             {rabbit, [
                 {cluster_formation, [
                     {peer_discovery_etcd, [
-                        {etcd_password, "rabbitmq"}
+                        {etcd_password, <<"rabbitmq">>}
                     ]}
                 ]}
             ]}
diff --git a/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl b/deps/rabbitmq_prelaunch/src/rabbit_prelaunch_conf.erl
@@ -528,6 +528,11 @@ decrypt({encrypted, _} = EncValue,
     decrypt(EncValue, Algo);
 decrypt(List, Algo) when is_list(List) ->
     decrypt_list(List, Algo, []);
+decrypt(Map, Algo) when is_map(Map) ->
+    maps:fold(fun(Key, Value, {AccMap, AccAlgo}) ->
+        {NewValue, NewAlgo} = decrypt(Value, AccAlgo),
+        {maps:put(Key, NewValue, AccMap), NewAlgo}
+    end, {#{}, Algo}, Map);
 decrypt(Value, Algo) ->
     {Value, Algo}.
 
diff --git a/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema b/deps/rabbitmq_stomp/priv/schema/rabbitmq_stomp.schema
@@ -189,7 +189,7 @@ end}.
 ]}.
 
 {mapping, "stomp.default_pass", "rabbitmq_stomp.default_user.passcode", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
 
 {mapping, "stomp.default_topic_exchange", "rabbitmq_stomp.default_topic_exchange", [
diff --git a/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets b/deps/rabbitmq_stomp/test/config_schema_SUITE_data/rabbitmq_stomp.snippets
@@ -66,7 +66,7 @@
    stomp.default_pass = guest
    stomp.proxy_protocol = false
    stomp.hide_server_info = false",
-  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,"guest"}]},
+  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,<<"guest">>}]},
                     {proxy_protocol,false},{hide_server_info,false}]}],
   [rabbitmq_stomp]},
  {ssl_cert_login,
@@ -78,7 +78,7 @@
    stomp.default_pass = guest
    stomp.implicit_connect = true
    stomp.proxy_protocol = true",
-  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,"guest"}]},
+  [{rabbitmq_stomp,[{default_user,[{login,"guest"},{passcode,<<"guest">>}]},
                     {implicit_connect,true},
                     {proxy_protocol,true}]}],
   [rabbitmq_stomp]},
diff --git a/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema b/deps/rabbitmq_tracing/priv/schema/rabbitmq_tracing.schema
@@ -14,5 +14,5 @@
 ]}.
 
 {mapping, "tracing.password", "rabbitmq_tracing.password", [
-    {datatype, string}
+    {datatype, [tagged_binary, binary]}
 ]}.
diff --git a/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets b/deps/rabbitmq_tracing/test/config_schema_SUITE_data/rabbitmq_tracing.snippets
@@ -9,7 +9,7 @@
     {tracing_password,
         "tracing.password = 6bc258e9eac005659a84afcc41be61d93da9f621",
         [{rabbitmq_tracing, [
-            {password, "6bc258e9eac005659a84afcc41be61d93da9f621"}
+            {password, <<"6bc258e9eac005659a84afcc41be61d93da9f621">>}
         ]}],
         [rabbitmq_tracing]}
 ].
