[rabbitmq-discuss] Shoveling & Security

Matthew Sackman matthew at lshift.net
Thu Feb 4 14:09:43 GMT 2010


Hi Lionel,

On Thu, Feb 04, 2010 at 02:53:58PM +0100, Lionel Cons wrote:
> The recently announced RabbitMQ-shovel plugin
> (http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/2010-February/006113.html)
> brings interesting security questions.
> 
> The current RabbitMQ security model
> (http://www.rabbitmq.com/admin-guide.html#access-control) requires
> the user identity to be known by the broker so that it can then
> enforce ACLs.
> 
> If you shovel from Broker1 to Broker2, with messages ending up in a
> resource protected by ACLs, what should Broker2 use to perform
> security checks: the identity of the shovel source (i.e. Broker1) or
> the identity of the real user who connected to Broker1?

The shovel is nothing more than a (slightly fancy) client. Thus the
shovel must authenticate to both brokers just like a normal client
would. Thus each broker is still its own administrative domain, and is
responsible for validating clients.

> It would make sense to use the identity of the real user but in this
> case the shovel must be a special connection, allowing the source to
> tag messages with the identity of the user who produced the messages,
> i.e. JMSXUserID in the JMS world.

Messages that are received by a client have no information in them by
default as to who sent them or what user credentials were used when the
publisher connected to the broker.

> Reading the RabbitMQ-shovel documentation, it seems that the plugin
> does not need to run on one end of the link. So maybe you could shovel
> from Broker1 to Broker2 but run the plugin on Broker3. A kind of
> man-in-the-middle attack...

Yes, you can definitely do that. However, it's not a MitM attack on the
grounds that the shovel can't steal messages from Broker1 any more
easily than any other client can.

Matthew
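A small Python model of the security model described in the reply above, added here as an illustration and not part of the original thread or of the rabbitmq-shovel plugin: two brokers are independent administrative domains with their own user tables and ACLs, the shovel authenticates to each one like any other client, and the destination broker checks its ACLs against the identity the shovel used there. The broker names, users, passwords, queue names and ACL tables are all constructed for the example; the `Broker`, `Channel`, `shovel` and `run_scenario` names are the example's own.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    routing_key: str
    body: bytes
    # A delivered message carries no record of who published it unless the
    # publisher put one there explicitly (the JMSXUserID idea from the thread).
    headers: dict = field(default_factory=dict)


class Channel:
    """One authenticated connection to one broker, acting as one user."""

    def __init__(self, broker, user):
        self.broker, self.user = broker, user

    def publish(self, queue, msg):
        # The ACL check uses this connection's user and nothing else; the
        # message content is not consulted for an identity.
        if queue not in self.broker.write_acl.get(self.user, set()):
            raise PermissionError(f"{self.broker.name}: {self.user!r} may not write {queue!r}")
        self.broker.queues.setdefault(queue, []).append(msg)

    def consume(self, queue):
        if queue not in self.broker.read_acl.get(self.user, set()):
            raise PermissionError(f"{self.broker.name}: {self.user!r} may not read {queue!r}")
        msgs, self.broker.queues[queue] = self.broker.queues.get(queue, []), []
        return msgs


class Broker:
    """An independent administrative domain: its own users and its own ACLs."""

    def __init__(self, name, users, read_acl, write_acl):
        self.name = name
        self.users = users          # user -> password (constructed sample data)
        self.read_acl = read_acl    # user -> queues the user may consume from
        self.write_acl = write_acl  # user -> queues the user may publish to
        self.queues = {}            # queue -> stored messages

    def connect(self, user, password):
        if self.users.get(user) != password:
            raise PermissionError(f"{self.name}: authentication failed for {user!r}")
        return Channel(self, user)


def shovel(src, src_creds, src_queue, dst, dst_creds, dst_queue):
    """Move every message from src_queue on src to dst_queue on dst.

    The shovel is just a client: it authenticates to both brokers up front and
    each broker applies its own ACLs to the identity the shovel used there.
    Returns the number of messages moved."""
    src_ch = src.connect(*src_creds)
    dst_ch = dst.connect(*dst_creds)
    moved = 0
    for msg in src_ch.consume(src_queue):
        dst_ch.publish(dst_queue, msg)  # checked against dst_creds' user
        moved += 1
    return moved


def run_scenario():
    """Constructed scenario: alice publishes on broker1, a shovel user moves
    the messages to broker2. Returns the observed outcomes as a dict."""
    broker1 = Broker("broker1", {"alice": "s3cret", "shovel": "pw1"},
                     read_acl={"shovel": {"outbox"}},
                     write_acl={"alice": {"outbox"}})
    broker2 = Broker("broker2", {"alice": "other", "shovel": "pw2"},
                     read_acl={},
                     write_acl={"alice": {"inbox", "restricted"}, "shovel": {"inbox"}})

    alice = broker1.connect("alice", "s3cret")
    alice.publish("outbox", Message("outbox", b"hello"))
    alice.publish("outbox", Message("outbox", b"world"))

    moved = shovel(broker1, ("shovel", "pw1"), "outbox",
                   broker2, ("shovel", "pw2"), "inbox")
    # broker2 never learns that alice produced these: no identity travelled.
    identity_seen = [m.headers.get("user-id") for m in broker2.queues["inbox"]]

    # A destination queue that alice may write on broker2 but the shovel user
    # may not: refused, because the shovel's own identity is what is checked.
    alice.publish("outbox", Message("outbox", b"secret"))
    try:
        shovel(broker1, ("shovel", "pw1"), "outbox",
               broker2, ("shovel", "pw2"), "restricted")
        refused = False
    except PermissionError:
        refused = True

    # Wrong destination password: the shovel is turned away like any client.
    try:
        shovel(broker1, ("shovel", "pw1"), "outbox",
               broker2, ("shovel", "wrong"), "inbox")
        bad_auth_refused = False
    except PermissionError:
        bad_auth_refused = True

    return {"moved": moved, "identity_seen": identity_seen,
            "refused": refused, "bad_auth_refused": bad_auth_refused}


if __name__ == "__main__":
    print(run_scenario())
```

The model deliberately stores nothing about the publisher when a message is queued, which is why `identity_seen` comes back empty: propagating the real user's identity across brokers would need the source side to tag messages and the destination side to decide whether to trust such a tag, neither of which the shovel-as-client model does on its own.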