[rabbitmq-discuss] Creating an auth plugin (Kerberos)
Simon MacMullen
simon at rabbitmq.com
Wed Nov 28 10:35:21 GMT 2012
On 27/11/12 14:37, Simon Lundström wrote:
> On Tue, 2012-11-27 at 14:01:22 +0000, Simon MacMullen wrote:
>> On 27/11/12 13:48, Simon Lundström wrote:
>>> Would it be OK to just accept all authentications with an undefined
>>> password?
>>
>> Well, you will be asserting that those users exist. So this will
>> happen in two cases:
>>
>> * With 2.x only from mgmt / stomp, where the plugin has already
>> checked the password itself (so you should be fine).
>>
>> * With 3.x and 2.x, with federation / shovel for local users
>> (local_username in federation, "amqp://" URIs in shovel).
>>
>> The second case bears a little thought - although in those cases the
>> username to use is configured by the sysadmin ultimately.
>
> Ugh. It's never easy, huh? = )
>
> But, with federation / shovel are the users authentication in some
> other way first or is the "does this user exist-check" the only
> authentication?
It's the only check. Note that this is not the case for *all*
connections used by federation / shovel, the remote connections are
normal AMQP. This is only for connecting into the same broker the plugin
is running on.
> Is there any way that I can from my plugin see that this is an auth
> request from federation / shovel? This way I could just reject all those
> connections.
When running 3.x you could just reject all passwordless auth requests.
Any federation / shovel local connections would have to be to a user
supplied by another auth backend, e.g. the internal one. Since there's
usually only one such user anyway that shouldn't be too big a deal.
But with 2.x you would reject all mgmt/stomp connections as well.
Another reason to upgrade...
Cheers, Simon
--
Simon MacMullen
RabbitMQ, VMware
More information about the rabbitmq-discuss
mailing list