[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Simon Lundström simlu at su.se
Thu May 2 11:44:27 BST 2013


On Tue, 2013-04-30 at 14:57:02 +0100, Simon MacMullen wrote:
> On 30/04/13 11:07, Simon Lundström wrote:
> >Hm, I'm experiencing some weirdness now that I didn't before. I'm sure
> >I'm to blame but I believe I have checked all configuration parameters.
> >
> >In rabbitmq.config I've made sure that RabbitMQ uses my plugin:
> >{auth_backends, [rabbit_auth_backend_kerberos, rabbit_auth_backend_internal]},
> 
> Are you absolutely sure about this? The broker really will just try
> the backends in order, and only the last module's {refused, _, _}
> will be returned.

The only thing I'm sure about is that I'm a moron. XP

I had misinterpreted the Erlang NIF documentation about binaries, see
<http://www.erlang.org/doc/man/erl_nif.html#id178259> headline Binaries.

"Both data and size are read-only and should only be written using calls
to API functions."

My interpretation: The pointers are pointing to a copy of the binaries
in Erlang and are thus read-only since they cannot change what the
actual value is in Erlang.

The correct interpretation: They are pointers to the actual data in
Erlang and should be handled as read-only but nothing enforces this (and
if you change them in your NIF they get changed in Erlang, so much for
immutable objects ; P).

So since rabbit_auth_backend_kerberos is always run before
rabbit_auth_backend_internal and my NIF code does this
<https://github.com/simmel/rabbitmq-auth-backend-kerberos/blob/71cffb/c_src/kinit.c#L59-L61>
and overwrites the password that exists in Erlang with NULLs when
rabbit_auth_backend_internal tries to authenticate the user with said
password, it doesn't match...

Thanks for your invaluable help, as always!

Br,
- Simon
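
The failure described in this message, reduced to a stand-alone C example (added here, not code from the post or the linked repository): wiping through the borrowed pointer zeroes the password for the next backend, while wiping a private copy does not. `bin_view`, `backend_check` and the sample password are hypothetical stand-ins for `ErlNifBinary`, the Kerberos call and real input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the data/size fields of ErlNifBinary; in a real NIF they are
 * filled by enif_inspect_binary() and point into the VM's own term. */
typedef struct { size_t size; unsigned char *data; } bin_view;

/* Zeroing loop the compiler cannot drop as a dead store. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Hypothetical stand-in for the Kerberos check; "s3cret" is constructed. */
static int backend_check(const unsigned char *pw, size_t n) {
    return n == 6 && memcmp(pw, "s3cret", 6) == 0;
}

/* Pattern from the post: wiping through the borrowed pointer. */
int auth_wipe_in_place(bin_view *pw) {
    int ok = backend_check(pw->data, pw->size);
    wipe(pw->data, pw->size);            /* zeroes the caller's term */
    return ok;
}

/* Safer pattern: work on a private copy and wipe only that. */
int auth_wipe_copy(const bin_view *pw) {
    unsigned char *copy = malloc(pw->size ? pw->size : 1);
    if (!copy) return -1;
    memcpy(copy, pw->data, pw->size);
    int ok = backend_check(copy, pw->size);
    wipe(copy, pw->size);
    free(copy);
    return ok;
}

/* Runs one backend, then reports whether a later backend still sees the password. */
int second_backend_still_matches(int use_copy) {
    unsigned char term[] = { 's','3','c','r','e','t' };  /* constructed sample */
    bin_view pw = { sizeof term, term };
    if (use_copy) auth_wipe_copy(&pw); else auth_wipe_in_place(&pw);
    return backend_check(pw.data, pw.size);
}

int main(void) {
    printf("in place: %d, copy: %d\n", second_backend_still_matches(0), second_backend_still_matches(1));
    return 0;
}
```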

