[rabbitmq-discuss] RabbitMQ Federation & SSL

Matthias Radestock matthias at rabbitmq.com
Thu May 30 17:00:28 BST 2013


On 30/05/13 15:35, Eric Cozzi wrote:
> Thanks. Setting the local-username to a valid username fixed the
> problem. But, I'm still confused.

Take a look at the diagram and explanation at 

> I have RabbitMQ configured to use the auth_mechanism_ssl plugin. So, why
> do I have to set the local-username at all? I expected that by setting
> the client ssl-keys in the federation URI, federation would pull the
> username out of the SSL key and use that to authenticate. This works for
> normal clients connecting via SSL. Why doesn't this work for federation
> clients?

The URIs you specify in the federation config tell a downstream 
(right-hand side of the diagram) how to establish an AMQP connection to 
an upstream (left-hand side of the diagram), thus establishing an 
upstream link (as labelled in the diagram) across which messages that 
have been published on the upstream are pulled to the downstream.

The ssl config in the broker configuration of the upstream, and the ssl 
settings in the URIs of the federation config of the downstream, control 
authentication and authorisation for that link.

But there is more....

Any messages pulled down over the upstream link are re-published 
locally, via a local/internal connection - indicated by the fat arrow on 
the right-hand side that loops back onto the exchange. That local 
connection requires a username for authorisation. It is that username 
which you set in the federation config with local-username.

Note that this user only requires authorisation, not authentication 
(hence no password, ssl credentials, etc).



More information about the rabbitmq-discuss mailing list