[rabbitmq-discuss] Custom authentication and authorization
Simon MacMullen
simon at rabbitmq.com
Tue Feb 15 10:25:19 GMT 2011
(We prefer to keep rabbitmq-discuss in the loop; this is of general
interest.)
Hi Benjamin. The idea of securing access to RabbitMQ resources based on
secret names is perfectly reasonable providing that:
* Any attacker can't use rabbitmqctl
* Furthermore, any attacker can't see the Erlang cookie
- This is in fact always true, possession of the cookie lets you do
anything, but I thought I should mention it.
* Any attacker can't use the management plugin
We go to some effort to ensure that server-generated names for queues
are unguessable; the intent is to allow exactly this sort of security model.
That said, would there be general interest in a hypothetical
rabbitmq-auth-backend-http plugin?
Cheers, Simon
On 15/02/11 01:05, Benjamin Renaud wrote:
> Simon,
>
> Thanks a lot for your response! These are very useful pointers and
> it's much appreciated.
>
> First a bit of background - we're all very experienced Java, C and
> Ruby developers, but we have no Erlang experience whatsoever.
> Securing something like Rabbit using a custom module represents a lot
> of work, and as I was looking into this some more, we came up with
> an idea of securing the whole system, and I was wondering if you
> could give me some feedback on it?
>
> The basic idea would be to make every exchange name a secret 256-bit
> key that could only be obtained using a regular (authenticated and
> authorized) REST call to our usual REST server.
>
> It would require that a client (attacker) not be able to list all
> active exchanges, and to run all traffic over HTTPS. Does that sound
> like a workable solution?
>
> Thanks!
>
> Benjamin
>
>
> On 14/02/11 07:23, Benjamin Renaud wrote:
>> I've started reading on RabbitMQ's plugins and the custom auth, but I
>> wanted to check with the list before I launched into implementing our
>> solution.
>>
>> We run RabbitMQ over the public Internet (.NET clients talking to an EC2
>> cloud). On subscription, we'd like to run an authentication/authorization
>> process, which would query our user server for auth/auth via REST. From
>> what I gather, the right way to do this is to write a plugin for Rabbit,
>> perhaps starting from an existing plugin as a starting point?
>
> Yes.
>
> You would need to write an implementation of the rabbit_auth_backend
> behaviour. You should look at:
>
> rabbitmq-server/src/rabbit_auth_backend.erl - the behaviour itself
>
> rabbitmq-server/include/rabbit_auth_backend_spec.erl - the type
> signatures for the behaviour
>
> rabbitmq-server/src/rabbit_auth_backend_internal.erl - the
> implementation of the built in auth database. Note that you only need
> to look at the code before the comment "Manipulation of the user
> database".
>
> rabbitmq-auth-backend-ldap/src/rabbit_auth_backend_ldap.erl -
> alternate implementation using LDAP
>
> You'll need to configure RabbitMQ to use your plugin. Set the
> auth_backends variable for the rabbit application to a list of
> authentication plugins to try in order.
>
> And tell us of your experiences here :)
>
> Cheers, Simon
>
> --
> Simon MacMullen
> Staff Engineer, RabbitMQ
> SpringSource, a division of VMware
>
--
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
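As an added example (not code from this thread, from RabbitMQ, or from any auth backend plugin), a Python model of the REST authorization service the thread describes: the three decisions a rabbit_auth_backend implementation (or the hypothetical HTTP backend) would forward to it, plus the authenticated call that hands a client its tenant's secret 256-bit exchange name. The function names loosely mirror the behaviour's callbacks and are an assumption; users, passwords, tenants and vhosts are constructed sample data.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor for the constructed user records


def _make_user(password, vhosts, tenant):
    """Constructed user record: per-user salt, PBKDF2 hash, vhosts, tenant."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "vhosts": set(vhosts), "tenant": tenant}


# Constructed sample user database (assumption: one tenant per user).
USERS = {
    "alice": _make_user("alice-pw", ["/"], "acme"),
    "mallory": _make_user("mallory-pw", ["/"], "other"),
}

# One unguessable exchange name per tenant: 32 random bytes = 256 bits of secret.
# Nothing in this service lists these names; they are only returned to an
# authenticated caller of get_exchange_name().
EXCHANGES = {tenant: secrets.token_hex(32) for tenant in ("acme", "other")}


def check_user_login(username, password):
    """Login decision: constant-time comparison of the PBKDF2 digests."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], ITERATIONS)
    return hmac.compare_digest(user["hash"], candidate)


def check_vhost_access(username, vhost):
    """Vhost decision: the user must be provisioned for that vhost."""
    user = USERS.get(username)
    return user is not None and vhost in user["vhosts"]


def check_resource_access(username, vhost, kind, name, permission):
    """Resource decision: an exchange is usable only if its secret name
    matches the caller's tenant; server-named queues (amq.gen-*) are allowed."""
    if not check_vhost_access(username, vhost):
        return False
    if kind == "exchange":
        expected = EXCHANGES[USERS[username]["tenant"]]
        return hmac.compare_digest(name.encode(), expected.encode())
    return kind == "queue" and name.startswith("amq.gen-")


def get_exchange_name(username, password):
    """The authenticated REST call: returns the tenant's secret exchange name."""
    if not check_user_login(username, password):
        return None
    return EXCHANGES[USERS[username]["tenant"]]
```

The scheme only holds under the conditions Simon lists above: nothing in the model lets a caller enumerate EXCHANGES, so a client that cannot list exchanges on the broker can only reach the name it was issued.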