[rabbitmq-discuss] Publisher Authentication

Rosa, Andrea (HP Cloud Services) andrea.rosa at hp.com
Thu Sep 6 09:40:06 BST 2012


Hi,
Some months ago I tested the SASL EXTERNAL support for authenticating both clients and server; it worked well apart from an issue with revoked certificates.
It seems that the plugin was not able to verify a certificate against a CRL, and in my understanding (and if I remember correctly) that was a limitation due to the SSL Erlang library.
Has anyone had a similar experience?

Regards
--
Andrea Rosa



From: rabbitmq-discuss-bounces at lists.rabbitmq.com [mailto:rabbitmq-discuss-bounces at lists.rabbitmq.com] On Behalf Of Jerry Kuch
Sent: 05 September 2012 19:23
To: Discussions about RabbitMQ
Subject: Re: [rabbitmq-discuss] Publisher Authentication

Hi, Satyarth...
On Wed, Sep 5, 2012 at 10:27 AM, Satyarth Negi <snegi at buffalo-studios.com> wrote:

I am exploring RabbitMQ for use in our backend infrastructure. I have some backend servers that will publish to the RabbitMQ broker. I am trying to look for a good way to authenticate our users. I am inclined towards putting ipchain rules in place to only allow incoming connections from my authorized servers and block the rest.

This is a very reasonable thing to do.  Let your trusted pieces of infrastructure through the firewall to touch the broker, and block others.

However, I am interested to explore what authentication RabbitMQ supports. My publishers create persistent connections with the broker and I would prefer authentication to happen only during connection setup. What are the best practices for my use case?

You have a variety of authentication mechanisms including:

  *   The built-in RabbitMQ user database against which one authenticates by presenting a user name or password (such connections and conversations can be encrypted by SSL)
  *   A plugin that allows you to delegate authentication tasks to an LDAP server
  *   Support for SASL EXTERNAL, where clients are required to present a client certificate, and the client's identity is determined from that
  *   The ability to write custom authentication (and even authorization) plugins if you want to do something more esoteric; note that to do this you'll need to write code in Erlang, and learn a bit about how Rabbit's internals, boot process, plugin system, etc., work.

Thanks!
