[rabbitmq-discuss] RabbitMQ Federation & SSL
matthias at rabbitmq.com
Thu May 30 17:00:28 BST 2013
On 30/05/13 15:35, Eric Cozzi wrote:
> Thanks. Setting the local-username to a valid username fixed the
> problem. But, I'm still confused.
Take a look at the diagram and explanation at
> I have RabbitMQ configured to use the auth_mechanism_ssl plugin. So, why
> do I have to set the local-username at all? I expected that by setting
> the client ssl-keys in the federation URI, federation would pull the
> username out of the SSL key and use that to authenticate. This works for
> normal clients connecting via SSL. Why doesn't this work for federation
The URIs you specify in the federation config tell a downstream
(right-hand side of the diagram) how to establish an AMQP connection to
an upstream (left-hand side of the diagram), thus establishing an
upstream link (as labelled in the diagram) across which messages that
have been published on the upstream are pulled to the downstream.
The ssl config in the broker configuration of the upstream, and the ssl
settings in the URIs of the federation config of the downstream, control
authentication and authorisation for that link.
But there is more....
Any messages pulled down over the upstream link are re-published
locally, via a local/internal connection - indicated by the fat arrow on
the right-hand side that loops back onto the exchange. That local
connection requires a username for authorisation. It is that username
which you set in the federation config with local-username.
Note that this user only requires authorisation, not authentication
(hence no password, ssl credentials, etc).
More information about the rabbitmq-discuss