[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Tim Watson tim at rabbitmq.com
Tue Dec 11 20:30:24 GMT 2012


Hey Simon

On 11 Dec 2012, at 19:38, Simon Lundström wrote:
> 
> =INFO REPORT==== 11-Dec-2012::20:09:32 ===  Management agent started.
> 
> =ERROR REPORT==== 11-Dec-2012::20:09:32 ===
> WAT: {error,upgrade,"Upgrade not supported by this NIF library."}
> 
> 
> =ERROR REPORT==== 11-Dec-2012::20:09:49 ===
> closing AMQP connection <0.287.0> (130.237.168.221:48918 -> 77.238.35.76:5671):
> {channel0_error,starting,
>                {error,undef,'connection.start_ok',
>                       [{kinit,kinit,[<<"simlu">>,<<"not_my_password">>]},
>                        {rabbit_auth_backend_kerberos,check_user_login,2},
>                        {rabbit_access_control,'-check_user_login/2-fun-0-',4},
>                        {lists,foldl,3},
>                        {rabbit_reader,auth_phase,2},
>                        {rabbit_reader,handle_method0,3},
>                        {rabbit_reader,handle_input,3},
>                        {rabbit_reader,recvloop,2}]}}
> 
> when using AMQP login and this when I make an API call:
> 

I'm not sure why that is, but it looks like the NIF module isn't loaded properly for some reason.

> How bad are those upgrade errors?
> AFAIK, I could just add an empty function in kinit.c and use them as
> load, reload, upgrade and unload when doing ERL_NIF_INIT since I don't
> really need to keep any "state"(?).
> 

Yeah so if you don't want all that noise in your logs, just export empty definitions for them.

>> Anyway, if you put the NIF part into another module, you *should* be able to test it outside of rabbit my doing something like:
>> 
>> $ erl -sname foo
>> banner. .....
>> % ok = application:start(rabbit_auth_backend_kerberos).
>> ok
>> % X = kinit:kinit("auser", "password").
>> << a term >>
>> % io:format("~p~n", [X]).
> 
> I couldn't get that to work = / I'm probably doing it wrong, but here's what I did:
> 
> $ erl -sname `hostname -s`
> Erlang R15B02 (erts-5.9.2) [source] [64-bit] [smp:4:4] [async-threads:0] [hipe] [kernel-poll:false] [dtrace]
> 
> Eshell V5.9.2  (abort with ^G)
> (kaka at kaka)1> ok = application:start(rabbitmq_auth_backend_kerberos).
> ** exception error: no match of right hand side value {error,{not_started,inets}}

Ok well that's just complaining that your .app resource file states that inets is required by your application and you've not started it first is all. Nothing to worry about there, as rabbit deals with that kind of thing *BUT* why are you depending on inets? Is your application doing erlang network related stuff? 

> (kaka at kaka)2> kinit:kinit("auser", "password").
> WAT: ok
> true
> 
> This doesn't really test the whole thing since rabbitmq isn't really
> involved or even loaded. Kind of feels like cheating = )
> 

It's not cheating, it's isolating where the problem is. :)

> I have had this NIF-code to work outside of RabbitMQ, that's how I wrote
> it originally.
> 
> 

Yeah so that was what I wanted to check.

>> Then if it *still* doesn't work when you're running it inside rabbit we might need to consider other things that could be going wrong (such as the NIF init magic). 
> 
> I have no idea, but this seems more and more likely.
> 

Hmn seems so. It's getting on a bit now, but I'll poke around in the broker code tomorrow and see if anything stands out. The really interesting point is that the kinit:kinit call (which is oddly named IMHO btw) works *regardless* of whether or not the application is loaded, so it's unlikely to be that which is at fault afaict.


More information about the rabbitmq-discuss mailing list