[rabbitmq-discuss] Client IP based user login permissions

[Oren Shomron]

Hi Simon,

My use case is something like this:

I'm working on a distributed system, which consists of externally facing 
HTTP servers that can kick off events through RabbitMQ, as well as 
internally facing components which need to react to those external events 
but also send internal privileged events to each other.

I am trying to protect against a situation where a compromised external HTTP 
server could send privileged events  to our internal components.

Right now I have created two users and two exchanges, one for internal and 
one external.

The external user can only post to the external exchange. I have an internal 
component bound to the external exchange which performs validation on those 
incoming events before forwarding them on to the internal exchange. The rest 
of the internal components only bind to the internal exchange and know that 
the events they receive have been validated.

I would like another line of defense - if the external machine were 
compromised and the internal rabbit user's credentials were stolen somehow, 
there's nothing stopping that external machine from using those internal 
credentials and compromising the whole system. The firewall allows that 
machine to talk to RabbitMQ, but no one is enforcing that only the correct, 
limited user can log in over that channel.

The only way I see of doing it right now would be to have completely 
separate RabbitMQ instances, and have that validation component talk to both 
instances and forward between them, but this would increase complexity.

Let me know if that makes any sense.

Thanks in advance!
  - Oren
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20110311/3456f98c/attachment.htm>