[rabbitmq-discuss] Leaking upstream credentials into federated messages' x-received-from header
james.gardner at noaa.gov
Mon Mar 11 17:22:05 GMT 2013
First if I may, I would like to extend my personal thanks to the
RabbitMQ team for what I consider an exceptionally well-designed and
generally very well documented piece of open source software. It really
has been a pleasure to set up, configure and learn about, and I am
excited about all the possible uses for a deployment here. Clearly a
great deal of thought has gone into it, which I am always grateful for
in any software I have to deal with :).
Having just experimented with federation while investigating RabbitMQ
for a possible deployment, all has gone very well, with one important
and uncharacteristic exception; I was frankly shocked to see that in the
x-received-from header that is inserted into the re-published messages,
one of the subcomponents (in addition to virtual_host and exchange which
I can see might be useful) is called 'uri' and states verbatim the URI
that was used to connect to the upstream server. This might be useful
to, if it weren't for the fact that it includes the username and most
worryingly, the plain text password!
This is one of those occasions where it seems so wrong I think there
must be something I'm not getting :) and perhaps there is. But I don't
see what I could be doing to invoke this behavior, nor do I see a way to
switch it off.
I would be grateful if you could help me understand the rationale behind
this feature and more importantly let me know how I can make sure
credentials are not leaked into message headers, with all the obvious
I am using RabbitMQ version 3.0.3 on RHEL 6.4. To do the federation I am
using a simple amqp:// style URI upstream definition mentioning
username, password, hostname and vhost, and a policy which applies to
one exchange using the 'all' upstream-set.
Let me know if you need any more info.
- NWS Internet Dissemination System
More information about the rabbitmq-discuss