[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Simon Lundström simlu at su.se
Tue Nov 13 12:51:01 GMT 2012


On Tue, 2012-11-13 at 10:38:39 +0000, Emile Joubert wrote:
> >1.2, If I use `-behaviour(rabbit_auth_backend).` I must implement
> >check_vhost_access and check_resource_access. What is the appropriate
> >way to handle this?
> 
> The simplest implementation simply returns 'true' without performing
> any checks. I suggest you use that during development, which it
> seems you are.

I see.
But if one has multiple auth plugins in RabbitMQ which one prevails?
Let's say my rabbitmq.config is:
{auth_backends, [rabbit_auth_backend_internal, rabbit_auth_backend_kerberos, rabbitmq_auth_imaginary]},

If a backend returns false I understand that it goes to the next backend.
What if a backend returns true? Does it go on to the next backend?
What if all backends except the last return true?

What we want is only to provide authN with rabbit_auth_backend_kerberos
and thus implement check_vhost_access and check_resource_access to only
return true(?).
Then we want rabbitmq_auth_imaginary to implement check_vhost_access and
check_resource_access to do real checks and for check_user_login only
return false(?).

Would this work or?

Is it possible to use authZ from rabbit_auth_backend_internal? I.e. can
I set up permissions and roles for "fake" users (which aren't
`rabbitmqctl add_user`:ed)? Or I mean, I know I can't (because I get an
"Error: no_such_user:" error) but would it be possible to do that
somehow (like by adding an entry in the correct place in Mnesia)?

> >heh, and RabbitMQ starts and "accepts" the connection but somehow it fails
> >anyway.
> 
> You have not provided the error message, and the code looks like it
> should work. Try to run individual parts of your solution in
> isolation and make sure they work correctly before composing them.

That is because I couldn't find one. But Simon pointed out that it was
in the SASL log (which I had looked in when I had a previous issue and
then nothing was there, but not this time of course... = ).

My AMQP client just said "AMQP broker closed TCP connection before
authentication succeeded: this usually means authentication failure due
to misconfiguration.".

Thanks,
- Simon

