[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Simon MacMullen simon at rabbitmq.com
Mon Apr 29 16:45:16 BST 2013

On 29/04/13 12:24, Simon Lundström wrote:
> To resurrect my work and this old thread, I'm now starting very near to
> release. A few questions though.
> I've tried to read the code but I guess I've failed, I'm trying to
> understand the structure of the {refused} and {error} messages when
> authentication fails. {refused} seems to have two "arguments" while
> {error} only has one? What's the correct structure and thinking here?

The idea is that the two "arguments" for {refused} are a Fmt and Args 
pair like in io:format/2. Since the refusal is "expected" it should be 
possible to construct a nice log message for it. On the other hand an 
error could be any Erlang term.

> When a user authenticate via my plugin via the management GUI we get
> this error message in the log:
> =ERROR REPORT==== 29-Apr-2013::09:28:54 ===
> webmachine error: path="/api/whoami"
> {error,function_clause,
>         [{rabbit_auth_backend_internal,check_password,[<<"totally_secret_password">>,<<>>]},
>          {rabbit_auth_backend_internal,internal_check_user_login,2},
>          {rabbit_access_control,'-check_user_login/2-fun-0-',4},
>          {lists,foldl,3},
>          {rabbit_mgmt_util,is_authorized,4},
>          {webmachine_resource,resource_call,3},
>          {webmachine_resource,do,3},
>          {webmachine_decision_core,resource_call,1}]}
> If I understand the code correctly it's because the function
> check_password can't compare the stored hash to the password that the
> user has supplied when trying to login. Since the password is cleared
> and thus there exists no hash it errors out.
> Some mechanism for checking if a password (and/or hash) is empty and
> then refusing the client might be needed?

Ah, yes. This is just a bug in mgmt, doesn't require your plugin. Will fix.

Cheers, Simon

Simon MacMullen
RabbitMQ, VMware

More information about the rabbitmq-discuss mailing list