[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Simon Lundström simlu at su.se
Tue Nov 27 14:37:15 GMT 2012


On Tue, 2012-11-27 at 14:01:22 +0000, Simon MacMullen wrote:
> On 27/11/12 13:48, Simon Lundström wrote:
> >Aha. This might be a problem, at least a nuisance, with Kerberos.

Just checked, it isn't possible, or rather viable, at all.
I would need to implement the kadmin protocol (which differs between
MIT, Heimdal and MS AD) and the sysadmin would have to create a user
which has access to (at least) get on all users, which the plugin
would then have to use via a keytab.

> >Would it be OK to just accept all authentications with an undefined
> >password?
> 
> Well, you will be asserting that those users exist. So this will
> happen in two cases:
> 
> * With 2.x only from mgmt / stomp, where the plugin has already
> checked the password itself (so you should be fine).
> 
> * With 3.x and 2.x, with federation / shovel for local users
> (local_username in federation, "amqp://" URIs in shovel).
> 
> The second case bears a little thought - although in those cases the
> username to use is configured by the sysadmin ultimately.

Ugh. It's never easy, huh? = )

But, with federation / shovel, are the users authenticated in some
other way first, or is the "does this user exist" check the only
authentication?

Is there any way that I can from my plugin see that this is an auth
request from federation / shovel? This way I could just reject all those
connections.

What are your recommendations?

Thanks,
- Simon
