[rabbitmq-discuss] AMQP authentication with RabbitMQ

Laurens Van Houtven lvh at laurensvh.be
Wed Jul 8 17:57:55 BST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi :-)


I'm wondering about encryption and authentication within AMQP (using RabbitMQ).

I'm porting existing code that did not have a messaging component.
This code used per-client (in AMQP these would be producers)
pre-shared certificates to do authentication. The problem in porting
it (as I see it at least), is that with RabbitMQ+stunnel, the servers
(= AMQP consumers) never get to see the SSL'ed data coming from the
clients, so they cannot see the client certificate, so I can't use it
to do authentication.

I'm trying to find a solution to this problem. I'd like to keep using
SSL, but just using SSL with pre-shared certificates only guarantees
my consumers that the producer is *a* known user -- my consumers don't
know *who* the producer is. For example, given two registered users
(with pre shared SSL certs) Alice and Mallory (the latter being up to
no good), I want to prevent that Mallory logs in with his SSL cert and
his username, but then pretends to be Alice in the actual message
contents.

I'm not yet intricately familiar with the way RabbitMQ ACL's work, but
I think that it could be solved by using SSL (with stunnel), together
with a username and a password, and then have one vhost per user and
per consumer role. I'm not entirely sure how well RabbitMQ is designed
to scale as the number of vhosts increase, since this would result in
N*M queues (with M the number of services and N the number of uesrs).
Also, I think this means I also need one queue per user and per
service, since otherwise my consumers still don't know anything about
the user identity. I think this (unfortunately) means that my
consumers will need to be reconfigured every time a new user is added,
which obviously sucks pretty bad.

Am I better off putting authentication in my message contents?

Thanks in advance
Laurens
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.6)

iEYEARECAAYFAkpUz+4ACgkQT5v5zGkvKT7VjQCfRxz/PD00FieuaEhQ3aAsjOFB
zyYAoLwdWb8pd34zaHCldzGUFnrD70yh
=wttN
-----END PGP SIGNATURE-----




More information about the rabbitmq-discuss mailing list