[rabbitmq-discuss] Creating an auth plugin (Kerberos)
Simon MacMullen
simon at rabbitmq.com
Mon Apr 29 16:45:16 BST 2013
On 29/04/13 12:24, Simon Lundström wrote:
> To resurrect my work and this old thread, I'm now starting very near to
> release. A few questions though.
>
> I've tried to read the code but I guess I've failed, I'm trying to
> understand the structure of the {refused} and {error} messages when
> authentication fails. {refused} seems to have two "arguments" while
> {error} only has one? What's the correct structure and thinking here?
The idea is that the two "arguments" for {refused} are a Fmt and Args
pair like in io:format/2. Since the refusal is "expected" it should be
possible to construct a nice log message for it. On the other hand an
error could be any Erlang term.
> When a user authenticate via my plugin via the management GUI we get
> this error message in the log:
> =ERROR REPORT==== 29-Apr-2013::09:28:54 ===
> webmachine error: path="/api/whoami"
> {error,function_clause,
> [{rabbit_auth_backend_internal,check_password,[<<"totally_secret_password">>,<<>>]},
> {rabbit_auth_backend_internal,internal_check_user_login,2},
> {rabbit_access_control,'-check_user_login/2-fun-0-',4},
> {lists,foldl,3},
> {rabbit_mgmt_util,is_authorized,4},
> {webmachine_resource,resource_call,3},
> {webmachine_resource,do,3},
> {webmachine_decision_core,resource_call,1}]}
>
> If I understand the code correctly it's because the function
> check_password can't compare the stored hash to the password that the
> user has supplied when trying to login. Since the password is cleared
> and thus there exists no hash it errors out.
> Some mechanism for checking if a password (and/or hash) is empty and
> then refusing the client might be needed?
Ah, yes. This is just a bug in mgmt, doesn't require your plugin. Will fix.
Cheers, Simon
--
Simon MacMullen
RabbitMQ, VMware
More information about the rabbitmq-discuss
mailing list