[rabbitmq-discuss] Establishing user identity
Dmitry Andrianov
dmitry.andrianov at alertme.com
Wed Apr 10 11:51:16 BST 2013
Hi.
I'm very new to RabbitMQ but I googled as much as I could before mailing here so my apologies in case the issue was discussed a million times.
I need your advice on the general approach.
What we need in the end is for consumers to be able to see which client sent the message. Producers should not be able to impersonate each other.
We use SSL certificates for each client and our own certificate authority.
Here is what I came up with:
1. Use rabbitmq_auth_mechanism_ssl so RabbitMQ extracts the name from the client SSL certificate and uses it as the "authenticated user".
2. Create our own auth backend which basically says "everyone is allowed to post anything" so we do not need to maintain a database of our users or anything like that. If an account needs to be removed we can just revoke the certificate.
3. Producers add the user-id property to every message they send - just the name from their certificate. RabbitMQ already checks that user-id against the authenticated user id and will discard a message if they do not match. So one user won't be able to impersonate another.
4. The consumer just uses the user-id property supplied with the message to see where it came from.
What I do not like about this approach:
* Most of all I do not like the fact that the sending client needs to explicitly provide its user-id with each message. I would much prefer that RabbitMQ had the ability to "attach" the authenticated user ID to every received message automatically before passing it down the queues. Is that possible at all? Can it be done with plugins? Are there any examples?
* Second, I do not like the fact that we need to create an auth backend even though it is very simple. But on the other hand we do not want to add every user because there can be thousands of them. Is there a better way?
Or maybe this problem needs to be solved in a completely different way?
Thanks very much.
Dmitry
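
A model of steps 3 and 4, added here as an illustration (not code from the post or from RabbitMQ): the broker refuses a publish whose user-id differs from the authenticated connection user, but a message with no user-id at all still passes, so the consumer has to treat a missing user-id as an unidentified sender. All names (`broker_publish`, `consumer_handle`, the `hub-000N` users) are hypothetical and the messages are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional


class ChannelClosed(Exception):
    """Models the broker closing the channel with 406 PRECONDITION_FAILED."""


@dataclass
class Message:
    body: bytes
    user_id: Optional[str] = None  # the AMQP basic property "user-id"


def broker_publish(authenticated_user: str, msg: Message) -> Message:
    """Broker rule: a set user-id must match the connection's user; unset passes."""
    if msg.user_id is not None and msg.user_id != authenticated_user:
        raise ChannelClosed(
            f"user_id property set to '{msg.user_id}' "
            f"but authenticated user was '{authenticated_user}'"
        )
    return msg  # routed unchanged: the broker does not add a user-id itself


def consumer_handle(msg: Message) -> tuple:
    """Consumer policy: only a present user-id counts as sender identity."""
    if not msg.user_id:
        return ("reject", "no user-id: sender identity unknown")
    return ("accept", msg.user_id)


def run_scenarios() -> dict:
    # Constructed sample data: (label, connection user from certificate, claimed user-id)
    results = {}
    for label, conn_user, claimed in [
        ("honest", "hub-0001", "hub-0001"),
        ("spoofed", "hub-0002", "hub-0001"),
        ("omitted", "hub-0002", None),
    ]:
        try:
            delivered = broker_publish(conn_user, Message(b"reading=21.5", claimed))
            results[label] = consumer_handle(delivered)
        except ChannelClosed as exc:
            results[label] = ("refused-by-broker", str(exc))
    return results


if __name__ == "__main__":
    for label, outcome in run_scenarios().items():
        print(label, outcome)
```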