[rabbitmq-discuss] Shoveling & Security

Lionel Cons lionel.cons at cern.ch
Thu Feb 4 13:53:58 GMT 2010

The recently announced RabbitMQ-shovel plugin
brings interesting security questions.

The current RabbitMQ security model
(http://www.rabbitmq.com/admin-guide.html#access-control) requires
the user identity to be known by the broker so that it can then
enforce ACLs.

If you shovel from Broker1 to Broker2, with messages ending up in a
resource protected by ACLs, what should Broker2 use to perform
security checks: the identity of the shovel source (i.e. Broker1) or
the identity of the real user who connected to Broker1?

It would make sense to use the identity of the real user but in this
case the shovel must be a special connection, allowing the source to
tag messages with the identity of the user who produced the messages,
i.e. JMSXUserID in the JMS world.

And it's getting worse with read access. If the source queue on
Broker1 is protected, how does Broker1 know that Broker2 will not
violate its security policy? It probably only works if all brokers
share the same security policy.

Reading the RabbitMQ-shovel documentation, it seems that the plugin
does not need to run on one end of the link. So maybe you could shovel
from Broker1 to Broker2 but run the plugin on Broker3. A kind of
man-in-the-middle attack...

Lionel Cons        http://cern.ch/lionel.cons
CERN               http://cern.ch
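
The question above, which identity Broker2 should check, worked through as an added example that is not part of the original post and is not RabbitMQ or shovel code. The users, the resource name, the `shovel-b1` link identity and the `TRUSTED_FORWARDERS` set are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy on Broker2: who may write to each resource.
WRITE_ACL = {"payroll.in": {"alice", "shovel-b1"}}
# Connection identities Broker2 trusts to vouch for another user (assumption).
TRUSTED_FORWARDERS = {"shovel-b1"}


@dataclass(frozen=True)
class Publish:
    connection_user: str                # identity Broker2 authenticated on the link
    resource: str                       # destination protected by the ACL
    claimed_user: Optional[str] = None  # originating-user tag carried by the message


def allowed_by_link(p: Publish) -> bool:
    """Option 1: check the identity of the shovel source only."""
    return p.connection_user in WRITE_ACL.get(p.resource, set())


def allowed_by_origin(p: Publish) -> bool:
    """Option 2: check the real user, accepting the tag only from a trusted link."""
    if p.claimed_user is None or p.claimed_user == p.connection_user:
        user = p.connection_user
    elif p.connection_user in TRUSTED_FORWARDERS:
        user = p.claimed_user
    else:
        return False  # untrusted connection asserting someone else's identity
    return user in WRITE_ACL.get(p.resource, set())


def compare(p: Publish) -> tuple:
    """Return (decision under option 1, decision under option 2)."""
    return allowed_by_link(p), allowed_by_origin(p)


if __name__ == "__main__":
    for p in (Publish("shovel-b1", "payroll.in", "bob"),
              Publish("shovel-b1", "payroll.in", "alice"),
              Publish("mallory", "payroll.in", "alice")):
        print(p, compare(p))
```

Under option 1 every user of Broker1 inherits the shovel's rights on Broker2; option 2 restores per-user checks but only because Broker2 treats the shovel as a special connection allowed to assert identities.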
