[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Simon Lundström simlu at su.se
Tue Nov 27 13:48:40 GMT 2012


On Tue, 2012-11-27 at 11:36:51 +0000, Simon MacMullen wrote:
> On 27/11/12 10:07, Simon Lundström wrote:
> >Is there a way to do this without using a separate function?
> ><https://github.com/simmel/rabbitmq-auth-backend-kerberos/commit/8911bd68d729142d0d2b5b1959fb2d53de42800e>
> 
> This is starting to look like erlang-questions territory :-)

Heh, I tried #erlang multiple times before asking here but got no hits
(which I usually get, great community!). Thanks, I forgot about begin
blocks (I've read the expressions chapter)!

Will test their mailing list next time!

> But try this (untested, and condensed to fit on one line):
> 
> -define(APP, begin {ok,A}=application:get_application(?MODULE),A end).

Worked awesomely.

> >While developing the plugin I've noticed a weird issue. When using the
> >API's /api/aliveness-test/%2F it makes a few authentication requests.
> >In the third (or so) request password is undefined. In all other
> >requests the password is a binary which is the password being used.
> >
> >Is this a bug? Are auth plugins supposed to handle this? Why is it
> >undefined?
> 
> Auth plugins should be able to handle the case where a password is
> undefined - there are some legitimate cases around the direct client
> (for example local federation connections) where no password is
> supplied (we take direct connections on trust, since anything which
> can do Erlang message passing can control the broker anyway). In
> this case the auth plugin should just answer the question "does the
> user exist?"

Aha. This might be a problem, at least a nuisance, with Kerberos.

Would it be OK to just accept all authentications with an undefined
password?

> In 2.x this also happened with the management plugin when it was
> using the direct client (after it had validated the username /
> password itself). But this was less than useful for auth plugins, so
> in 3.0 the management plugin always passes the password in. I assume
> you're using 2.x?

Ah, I see. We will upgrade to 3.x soonish (as soon as I'm done with the
Kerberos auth plugin = ).

Once again, many thanks!
- Simon
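
Added illustration (not code from the plugin or from RabbitMQ): the Erlang module below shows the behaviour described in the quoted reply, where an undefined password means the backend only answers "does the user exist?" and a supplied password is verified. The module name, check_login/4, and the ExistsFun/VerifyFun callbacks are hypothetical stand-ins for a directory lookup and a Kerberos check; refusing an empty binary is a choice made for this example, and the sample users are constructed.

```erlang
%% Added example; all names here are hypothetical.
-module(undefined_password_example).
-export([check_login/4, demo/0]).

%% check_login(Username, Password, ExistsFun, VerifyFun) -> ok | {refused, Reason}
%%   Password  :: undefined | binary()
%%   ExistsFun :: fun((Username) -> boolean())           assumed directory lookup
%%   VerifyFun :: fun((Username, Password) -> boolean())  assumed Kerberos check

%% No password supplied (a trusted direct connection): only answer
%% "does the user exist?". Unknown users are still refused, so an
%% undefined password is not a blanket accept.
check_login(Username, undefined, ExistsFun, _VerifyFun) ->
    case ExistsFun(Username) of
        true  -> ok;
        false -> {refused, unknown_user}
    end;
%% Choice made for this example: an empty binary is a supplied password,
%% not a missing one, so it never reaches the existence-only path.
check_login(_Username, <<>>, _ExistsFun, _VerifyFun) ->
    {refused, empty_password};
%% A password was supplied: it must actually be verified.
check_login(Username, Password, _ExistsFun, VerifyFun) when is_binary(Password) ->
    case VerifyFun(Username, Password) of
        true  -> ok;
        false -> {refused, bad_credentials}
    end;
%% Any other term is refused rather than treated as "no password".
check_login(_Username, _Other, _ExistsFun, _VerifyFun) ->
    {refused, unsupported_password_type}.

demo() ->
    %% Constructed sample data standing in for the user directory / KDC.
    Users  = [{<<"alice">>, <<"s3cret">>}],
    Exists = fun(U) -> lists:keymember(U, 1, Users) end,
    Verify = fun(U, P) -> lists:member({U, P}, Users) end,
    ok = check_login(<<"alice">>, undefined, Exists, Verify),
    {refused, unknown_user} = check_login(<<"mallory">>, undefined, Exists, Verify),
    {refused, empty_password} = check_login(<<"alice">>, <<>>, Exists, Verify),
    {refused, bad_credentials} = check_login(<<"alice">>, <<"wrong">>, Exists, Verify),
    ok = check_login(<<"alice">>, <<"s3cret">>, Exists, Verify),
    ok.
```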

