[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Simon MacMullen simon at rabbitmq.com
Tue Nov 27 14:01:22 GMT 2012


On 27/11/12 13:48, Simon Lundström wrote:
> On Tue, 2012-11-27 at 11:36:51 +0000, Simon MacMullen wrote:
>> Auth plugins should be able to handle the case where a password is
>> undefined - there are some legitimate cases around the direct client
>> (for example local federation connections) where no password is
>> supplied (we take direct connections on trust, since anything which
>> can do Erlang message passing can control the broker anyway). In
>> this case the auth plugin should just answer the question "does the
>> user exist?"
>
> Aha. This might be a problem, at least a nuisance, with Kerberos.
>
> Would it be OK to just accept all authentications with an undefined
> password?

Well, you will be asserting that those users exist. So this will happen 
in two cases:

* With 2.x only from mgmt / stomp, where the plugin has already checked 
the password itself (so you should be fine).

* With 3.x and 2.x, with federation / shovel for local users 
(local_username in federation, "amqp://" URIs in shovel).

The second case bears a little thought - although in those cases the 
username to use is configured by the sysadmin ultimately.

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, VMware

