[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Simon Lundström simlu at su.se
Mon Nov 12 11:44:19 GMT 2012


Hello!

I'm trying, first time doing something serious in Erlang, to create a
Kerberos authentication plugin for RabbitMQ and this has raised a
couple of questions.

I've looked at the other authentication plugins available and tried to
solve these questions but I haven't succeeded.

1, Since Kerberos is an authentication protocol, not authorization, how
can I implement my plugin just to do authN?
Should I look at SASL EXTERNAL? That looked very SSL client authN specific.

1.2, If I use `-behaviour(rabbit_auth_backend).` I must implement
check_vhost_access and check_resource_access. What is the appropriate
way to handle this?
* Don't use `-behaviour(rabbit_auth_backend).`?
* Implement check_vhost_access and check_resource_access but just have
them call rabbit_access_control:check_vhost_access?
Later we are planning on implementing an authZ *only* plugin for
RabbitMQ, will this break if we want to have a plugin which only
implements check_vhost_access and check_resource_access?

2, I have started to create my code and the idea is to use open_port to open an
external binary to do the actual Kerberos "talk". As a start I've made my to
check the exit status of /bin/true. See
<https://github.com/simmel/rabbitmq-auth-backend-kerberos>. The code compiles,
heh, and RabbitMQ starts and "accepts" the connection but somehow it fails
anyway.
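
Added example, not part of the original post and not code from the linked repository: one way to run an external helper through open_port and turn its exit status into a fail-closed decision. The module name, function names, the timeout and the helper's stdin protocol (user and password, one per line) are assumptions, and the /bin/sh script is a constructed stand-in for a real Kerberos helper.

```erlang
%% Added illustration; names and the stdin protocol are assumptions.
-module(helper_exit_status).
-export([check/4, demo/0]).
-define(TIMEOUT_MS, 5000).

%% Returns ok only when the helper exits with status 0; every other
%% outcome (non-zero exit, start failure, broken pipe, timeout) refuses.
check(Helper, Args, User, Password) ->
    %% A newline inside a field would shift the helper's line-based input.
    case binary:match(<<User/binary, Password/binary>>, [<<"\n">>, <<"\r">>]) of
        nomatch -> supervise(Helper, Args, [User, $\n, Password, $\n]);
        _Found  -> {refused, bad_input}
    end.

supervise(Helper, Args, Input) ->
    %% Worker process: a port failure such as epipe kills it, not the caller.
    {Pid, Ref} = spawn_monitor(fun() -> exit({result, run(Helper, Args, Input)}) end),
    receive
        {'DOWN', Ref, process, Pid, {result, Result}} -> Result;
        {'DOWN', Ref, process, Pid, Crash} -> {refused, {port_failure, Crash}}
    after ?TIMEOUT_MS ->
        exit(Pid, kill),                 % owner dies, so the port is closed
        erlang:demonitor(Ref, [flush]),
        {refused, timeout}
    end.

run(Helper, Args, Input) ->
    %% Credentials go over stdin, not argv (visible in the process list).
    Port = open_port({spawn_executable, Helper},
                     [{args, Args}, exit_status, binary]),
    true = port_command(Port, Input),
    wait(Port).

wait(Port) ->
    receive
        {Port, {exit_status, 0}} -> ok;
        {Port, {exit_status, N}} -> {refused, {exit_status, N}};
        {Port, {data, _Output}}  -> wait(Port)   % helper output is ignored
    end.

%% Constructed stand-in helper: accepts only the pair guest/s3cret.
demo() ->
    Script = "read u; read p; [ \"$u\" = guest ] && [ \"$p\" = s3cret ]",
    ok = check("/bin/sh", ["-c", Script], <<"guest">>, <<"s3cret">>),
    {refused, {exit_status, 1}} =
        check("/bin/sh", ["-c", Script], <<"guest">>, <<"wrong">>),
    {refused, bad_input} =
        check("/bin/sh", ["-c", Script], <<"guest\ns3cret">>, <<"x">>),
    ok.
```

Killing the worker on timeout closes the port and the helper's stdin and stdout, but it does not signal the helper process itself, so a real helper should exit when its stdin closes.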


