[rabbitmq-discuss] ssl certificate to client lookup

Lionel Cons lionel.cons at cern.ch
Tue Jul 6 08:07:20 BST 2010

Matthias Radestock writes:
 > Nathaniel Haggard wrote:
 > > On Mon, Jun 28, 2010 at 11:46 PM, Lionel Cons <lionel.cons at cern.ch> wrote:
 > >> In case something bad happens (invalid message, too many messages...),
 > >> we want to know who sent the offending messages.
 > That doesn't seem to have anything to do with SSL, intrinsically, i.e. 
 > one can imagine wanting to know the same even when the clients connect 
 > w/o ssl.


The idea is the following: a broker is a black box that can optionally
use authentication. What is needed is a way to attach to a message
authentication information, when available. This could be a user name
(with password authentication) or a DN (with certificate authentication)
or something else with other authentication mechanisms.

ActiveMQ has it: http://activemq.apache.org/jmsxuserid.html.

 > That raises the question of how exactly to identify the sender of a 
 > message to a) consumers, and b) administrators. That is a very large can 
 > of worms, raising issues of trust such as

IMHO, it is indeed a can of worms, but a small one ;-)

 > - How do consumers establish sufficient trust into the server (to supply 
 > the correct information)?

They have no choice: a broker is by definition a trusted entity. For
instance, consumers expect brokers to deliver message bodies unaltered.

 > - How do producers establish sufficient trust into the server (to not 
 > pass on information about their identity when they do not intent to, to 
 > not fake such information, etc)?

Idem. Producers already trust the brokers, for instance to deliver the
messages to the right consumers. For the "information about their
identity", if this may be a concern, it would be easy to have a broker
flag specifying whether authentication information is passed or not.

 > - How does one deal with proxies/shovels, i.e. entities that relay 
 > information? Do messages passing through them have their original sender 
 > info replaced? Or does the proxy/shovel identity get appended somehow?

This is a very good question.

I've worked on a very simple model with boolean trust. Either the
sender of the message (this could be a shovel) is trusted or it is
not. So:
 - if it is trusted, the broker accepts authentication information as
   provided by the sender and simply appends what it knows, i.e. the
   identity of the sender
 - if it is not trusted, the broker discards all previous
   authentication information and puts instead what it knows

 > None of these issues are particular to AMQP, [...]

Correct. So, IMHO, the solution(s) should be independent from AMQP.

It seems that all we need is a set of headers with well defined
semantic attached.

 > There is also an issue w.r.t. message fidelity. Currently RabbitMQ 
 > guarantees that the entire message payload, including headers, is 
 > transmitted to consumers unaltered. To some users that is a highly 
 > desirable property of a messaging system.

AFAIK, AMQP 1.0 has two different things (I hope the terminology is right):
 - the bare message, with properties
 - the annotated, with extra header and footer

For me, authentication information should be in the header, leaving
intact the body and the properties.



More information about the rabbitmq-discuss mailing list