[rabbitmq-discuss] RabbitMQ logs, ticket check

Tue Aug 5 15:57:20 BST 2008

Edwin, David,

On Tue, Aug 5, 2008 at 3:20 PM, Edwin Fine
<rabbitmq-discuss_efine at usa.net> wrote:
> I get the same issue (for the same reason) using the Erlang client, namely
> "Lax ticket check mode: ignoring cross-realm access for ticket 101"
>  I'd appreciate an explanation as to what changed between 1.3.0 and 1.4.0 to
> make this happen, and a suggestion on what I need to do to get rid of the
> warning.

By default, strict ticket checking is turned off, which means that
Rabbit will not enforce strict realm based ACL.

When this is turned off, and a client sends down an invalid ticket,
this will be treated as a NOOP and merely logged.

This is useful for development scenarios.

Usually you would turn this on in production, in which you actually
cared about this type of ACL.

Having said all of this, the whole topic of realm based access control
is going to disappear very soon.

We have decided that because although realms are in the spec, no other
AMQP broker has bothered to implement them, and hence we should follow
suit.

Furthermore, realms are confusing, too fine grained as an ACL concept
and the cost of their maintenance is not really justified by the
minimal benefits they offer.

For example, in Rabbit 1.3.0, 12% of the entire code base was
dedicated to realm handling.

Having said all of this, and for the record, what has changed between
1.3 and 1.4 is that a bug has been introduced, which we have already
noted in our internal bug system.

But instead of fixing this bug, because we are deleting realms anyway,
we have decided to push through the realm deletion patch first
(bug18994 in hg refers).

We are in the late stages of QA'ing this, it will be merged into the
default branch soon and upon which a new release will be made.

HTH,

Ben