[rabbitmq-discuss] Pluggable Authentication back ends?

Matthias Radestock matthias at rabbitmq.com
Wed Jun 16 17:23:39 BST 2010


Scott,

On 16/06/10 16:49, Scott Brooks wrote:
> First off congratulations on 1.8.0.
>
> Secondly I was looking through the source trying to find a way to
> extend the authentication code and it looks like there isn't really
> any way to do it as a plugin.
>
> Ideally such a system would operate something like this.
> 1: Authenticate against rabbit's built-in user list.
> 2: If the user is not found, map over a configurable list of
> gen_server names calling into it with a standard set of messages the
> gen_server would have to accept.
> 3: In that user's state, store which backend authorized them so it can
> return to that when needing to check permissions, etc.
>
> Then I could write a plugin that would create an auth exchange that it
> could send auth requests to and the equivalent application bound to
> that exchange replying with auth ok, fail, etc.
>
> That would let me look up and auth against my users database without
> having to either share a public username and password, or try and sync
> the two databases.
>
> Thoughts?

Ben Hood at LShift (cc'ed) has been looking into something very much 
like this for a client project. I don't think that project has started 
yet, but he may be able to share his thoughts on this subject with you. 
I reckon the changes required to the rabbit core would be very small. So 
patches are welcome.

Caveat: I wouldn't go anywhere near permission checks just yet; things 
get very complicated very quickly if you do, so I'd just focus on 
authentication and leave authorisation as is. Also, I'd start with just 
being able to specify a single authentication module - that's how all 
the other pluggable things work, i.e. one tells rabbit which module to 
use for a certain piece of functionality.


Matthias.
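
The arrangement discussed in this thread (built-in user list first, then one configured authentication module, with the accepting backend returned so it can be kept in connection state), as an added Erlang example that is not RabbitMQ code and not written by either poster. The module name, the `check_login/2` callback and the `internal` and `auth_module` config keys are all hypothetical, and the users are constructed sample data.

```erlang
%% Added illustration only; every name in this module is hypothetical.
-module(auth_dispatch_example).
-export([authenticate/3, check_login/2, demo/0]).

%% Try the built-in user list first; consult the single configured backend
%% module only when the user is unknown locally. On success, return the
%% backend that accepted the login so it can be kept in connection state.
authenticate(User, Pass, #{internal := Internal} = Config) ->
    case Internal(User, Pass) of
        ok        -> {ok, internal};
        %% Known local user with a wrong password: stop here, so the same
        %% credentials are not retried against the external backend.
        refused   -> {refused, internal};
        not_found -> external(User, Pass, maps:get(auth_module, Config, none))
    end.

%% No backend configured: nothing else can vouch for the user.
external(_User, _Pass, none) ->
    {refused, none};
external(User, Pass, Mod) ->
    %% Fail closed: only the exact atom 'ok' is a successful login. A crash,
    %% a missing module or an unexpected return value counts as a refusal.
    try Mod:check_login(User, Pass) of
        ok -> {ok, Mod};
        _  -> {refused, Mod}
    catch
        _:_ -> {refused, Mod}
    end.

%% Constructed sample backend, standing in for a plugin that asks the
%% application's own user database.
check_login(<<"alice">>, <<"s3cret">>) -> ok;
check_login(_, _) -> {refused, bad_credentials}.

%% Runs five constructed logins: local success, local wrong password,
%% backend success, backend refusal, and a backend module that is missing.
demo() ->
    Internal = fun(<<"local_user">>, <<"local_pass">>) -> ok;
                  (<<"local_user">>, _)                -> refused;
                  (_, _)                               -> not_found
               end,
    Config = #{internal => Internal, auth_module => ?MODULE},
    [authenticate(<<"local_user">>, <<"local_pass">>, Config),
     authenticate(<<"local_user">>, <<"wrong">>, Config),
     authenticate(<<"alice">>, <<"s3cret">>, Config),
     authenticate(<<"alice">>, <<"wrong">>, Config),
     authenticate(<<"bob">>, <<"x">>, Config#{auth_module := no_such_module})].
```

Permission checks are left out on purpose, following the caveat in the reply above: the dispatcher only answers who the user is and which backend said so.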

