[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Tim Watson watson.timothy at gmail.com
Fri Dec 14 19:28:24 GMT 2012


Sorry I haven't managed to look at this yet. I will take a look at some point soon and see if I can debug the problem though.

On 12 Dec 2012, at 09:31, Simon Lundström <simlu at su.se> wrote:

> On Tue, 2012-12-11 at 20:30:24 +0000, Tim Watson wrote:
>> On 11 Dec 2012, at 19:38, Simon Lundström wrote:
>>> 
>>> =INFO REPORT==== 11-Dec-2012::20:09:32 ===  Management agent started.
>>> 
>>> =ERROR REPORT==== 11-Dec-2012::20:09:32 ===
>>> WAT: {error,upgrade,"Upgrade not supported by this NIF library."}
>>> 
>>> 
>>> =ERROR REPORT==== 11-Dec-2012::20:09:49 ===
>>> closing AMQP connection <0.287.0> (130.237.168.221:48918 -> 77.238.35.76:5671):
>>> {channel0_error,starting,
>>>               {error,undef,'connection.start_ok',
>>>                      [{kinit,kinit,[<<"simlu">>,<<"not_my_password">>]},
>>>                       {rabbit_auth_backend_kerberos,check_user_login,2},
>>>                       {rabbit_access_control,'-check_user_login/2-fun-0-',4},
>>>                       {lists,foldl,3},
>>>                       {rabbit_reader,auth_phase,2},
>>>                       {rabbit_reader,handle_method0,3},
>>>                       {rabbit_reader,handle_input,3},
>>>                       {rabbit_reader,recvloop,2}]}}
>>> 
>>> when using AMQP login and this when I make an API call:
>>> 
>> 
>> I'm not sure why that is, but it looks like the NIF module isn't loaded properly for some reason.
> 
> That is what it looks like, yes.
> 
>>> How bad are those upgrade errors?
>>> AFAIK, I could just add an empty function in kinit.c and use them as
>>> load, reload, upgrade and unload when doing ERL_NIF_INIT since I don't
>>> really need to keep any "state"(?).
>> Yeah so if you don't want all that noise in your logs, just export empty definitions for them.
> 
> I did that, error/warning went away but it's still not working.
> 
>>>> Anyway, if you put the NIF part into another module, you *should* be able to test it outside of rabbit my doing something like:
>>>> 
>>>> $ erl -sname foo
>>>> banner. .....
>>>> % ok = application:start(rabbit_auth_backend_kerberos).
>>>> ok
>>>> % X = kinit:kinit("auser", "password").
>>>> << a term >>
>>>> % io:format("~p~n", [X]).
>>> 
>>> I couldn't get that to work = / I'm probably doing it wrong, but here's what I did:
>>> 
>>> $ erl -sname `hostname -s`
>>> Erlang R15B02 (erts-5.9.2) [source] [64-bit] [smp:4:4] [async-threads:0] [hipe] [kernel-poll:false] [dtrace]
>>> 
>>> Eshell V5.9.2  (abort with ^G)
>>> (kaka at kaka)1> ok = application:start(rabbitmq_auth_backend_kerberos).
>>> ** exception error: no match of right hand side value {error,{not_started,inets}}
>> 
>> Ok well that's just complaining that your .app resource file states that inets is required by your application and you've not started it first is all. Nothing to worry about there, as rabbit deals with that kind of thing *BUT* why are you depending on inets? Is your application doing erlang network related stuff?
> 
> Not at all, I removed it, thanks.
> 
>>>> Then if it *still* doesn't work when you're running it inside rabbit we might need to consider other things that could be going wrong (such as the NIF init magic). 
>>> 
>>> I have no idea, but this seems more and more likely.
>> 
>> Hmn seems so. It's getting on a bit now, but I'll poke around in the broker code tomorrow and see if anything stands out. The really interesting point is that the kinit:kinit call (which is oddly named IMHO btw) works *regardless* of whether or not the application is loaded, so it's unlikely to be that which is at fault afaict.
> 
> I'm interested to hear what you have found.
> 
> Many thanks,
> - Simon
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss


More information about the rabbitmq-discuss mailing list