[rabbitmq-discuss] Creating an auth plugin (Kerberos)
Simon MacMullen
simon at rabbitmq.com
Tue Nov 27 14:01:22 GMT 2012
On 27/11/12 13:48, Simon Lundström wrote:
> On Tue, 2012-11-27 at 11:36:51 +0000, Simon MacMullen wrote:
>> Auth plugins should be able to handle the case where a password is
>> undefined - there are some legitimate cases around the direct client
>> (for example local federation connections) where no password is
>> supplied (we take direct connections on trust, since anything which
>> can do Erlang message passing can control the broker anyway). In
>> this case the auth plugin should just answer the question "does the
>> user exist?"
>
> Aha. This might be a problem, at least a nuisance, with Kerberos.
>
> Would it be OK to just accept all authentications with an undefined
> password?

Well, you will be asserting that those users exist. So this will happen
in two cases:

* With 2.x only from mgmt / stomp, where the plugin has already checked
  the password itself (so you should be fine).
* With 3.x and 2.x, with federation / shovel for local users
  (local_username in federation, "amqp://" URIs in shovel).

The second case bears a little thought - although in those cases the
username to use is configured by the sysadmin ultimately.

Cheers, Simon
--
Simon MacMullen
RabbitMQ, VMware
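
The login decision discussed in this message, as an added Erlang sketch that is not part of the original post and is not RabbitMQ or plugin source. The module name, the helper functions, the sample principals and the return shapes are assumptions made for illustration; it models only the decision and does not implement the real auth backend behaviour or contact a KDC.

```erlang
%% Added sketch: how a backend can treat a login with no password as the
%% question "does the user exist?" instead of accepting everything.
-module(krb_login_sketch).
-export([check_user_login/2, demo/0]).

%% Constructed sample data standing in for the Kerberos realm.
known_principals() -> [<<"federation-local">>, <<"alice">>].

%% Hypothetical helper: existence lookup only, no credential involved.
principal_exists(Username) ->
    lists:member(Username, known_principals()).

%% Hypothetical helper: stand-in for a real Kerberos credential check.
verify_password(<<"alice">>, <<"correct-horse">>) -> true;
verify_password(_, _) -> false.

%% No password supplied (direct client: local federation / shovel users).
%% The connection is taken on trust, so only existence is checked.
check_user_login(Username, undefined) ->
    case principal_exists(Username) of
        true  -> {ok, Username};
        false -> {refused, "user '~s' does not exist", [Username]}
    end;
%% Password supplied: the user must exist and the credential must verify.
check_user_login(Username, Password) when is_binary(Password) ->
    case principal_exists(Username)
         andalso verify_password(Username, Password) of
        true  -> {ok, Username};
        false -> {refused, "user '~s' - invalid credentials", [Username]}
    end;
%% Anything else is refused rather than crashing or being accepted.
check_user_login(Username, _Other) ->
    {refused, "user '~s' - unsupported credentials", [Username]}.

%% Runs the constructed cases; returns the four results in order:
%% ok, refused (unknown user), ok, refused (wrong password).
demo() ->
    [check_user_login(<<"federation-local">>, undefined),
     check_user_login(<<"mallory">>, undefined),
     check_user_login(<<"alice">>, <<"correct-horse">>),
     check_user_login(<<"alice">>, <<"wrong">>)].
```

Compile with erlc and call krb_login_sketch:demo() from an Erlang shell to see the four outcomes.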