[rabbitmq-discuss] Publisher Authentication

Rosa, Andrea (HP Cloud Services) andrea.rosa at hp.com
Thu Sep 6 09:40:06 BST 2012

Some months ago I tested the SASL EXTERNAL support for authenticate both clients and server, it worked well apart an issue with revoked certificates.
It seems that the plugin was not able to verify a certificate against a CRL, and in my understanding (and if I remember correctly) that was a limitation due to SSL erlang library.
Anyone has a similar experience?

Andrea Rosa

From: rabbitmq-discuss-bounces at lists.rabbitmq.com [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of Jerry Kuch
Sent: 05 September 2012 19:23
To: Discussions about RabbitMQ
Subject: Re: [rabbitmq-discuss] Publisher Authentication

Hi, Satyarh...
On Wed, Sep 5, 2012 at 10:27 AM, Satyarth Negi <snegi at buffalo-studios.com<mailto:snegi at buffalo-studios.com>> wrote:

I am exploring RabbitMQ for use in our backend infrastructure. I have some backend servers that will publish to RabbitMQ broker. I am trying to look for a good way to authenticate our users. I am inclined towards putting ipchain rules to only allow incoming connections from my authorized servers and block for the rest.

This is a very reasonable thing to do.  Let your trusted pieces of infrastructure through the firewall to touch the broker, and block others.

However i am interested to explore what authentication RabbitMQ supports. My publishers create persistent connection with Broker and i will prefer authentication to happen only during connection setup. What are the best practices for my use case ?

You have a variety of authentication mechanisms including:

  *   The built-in RabbitMQ user database against which one authenticates by presenting a user name or password (such connections and conversations can be encrypted by SSL)
  *   A plugin that allows you to delegate authentication tasks to an LDAP server
  *   Support for the SASL EXTERNAL, where clients are required to present a client certificate, and the client's identity is determined from that
  *   The ability to write custom authentication (and even authorization) plugins if you want to do something more esoteric; note, that to do this you'll need to write code in Erlang, and learn a bit out how Rabbit's internals, boot process, plugin system, etc., work.

Thanks !

rabbitmq-discuss mailing list
rabbitmq-discuss at lists.rabbitmq.com<mailto:rabbitmq-discuss at lists.rabbitmq.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rabbitmq.com/pipermail/rabbitmq-discuss/attachments/20120906/36f63b6f/attachment.htm>

More information about the rabbitmq-discuss mailing list