[rabbitmq-discuss] Custom authentication and authorization

Simon MacMullen simon at rabbitmq.com
Tue Feb 15 10:25:19 GMT 2011

(We prefer to keep rabbitmq-discuss in the loop; this is of general 

Hi Benjamin. The idea of securing access to RabbitMQ resources based on 
secret names is perfectly reasonable providing that:

* Any attacker can't use rabbitmqctl

* Furthermore, any attacker can't see the Erlang cookie

   - This is in fact always true, possession of the cookie lets you do
     anything, but I thought I should mention it.

* Any attacker can't use the management plugin

We go to some effort to ensure that server-generated names for queues 
are unguessable; the intent is to allow exactly this sort of security model.

That said, would there be general interest in a hypothetical 
rabbitmq-auth-backend-http plugin?

Cheers, Simon

On 15/02/11 01:05, Benjamin Renaud wrote:
> Simon,
> Thanks a lot for your response! These are very useful pointers and
> it's much appreciated.
> First a bit of background - we're all very experienced Java, C and
> Ruby developers, but we have no Erlang experience whatsoever.
> Securing something like Rabbit using a custom module represents a lot
> of work, and  as I was looking into this some more, we came up with
> an idea of securing the whole system, and I was wondering if you
> could give me some feedback on it?
> The basic idea would be to make every exchange name a secret 256-bit
> key that could only be obtained using a regular (authenticated and
> authorized) REST call to our usual REST server.
> It would require that a client (attacker) not be able to list all
> active exchanges, and to run all traffic over HTTPS. Does that sound
> like a workable solution?
> Thanks!
> Benjamin
> On 14/02/11 07:23, Benjamin Renaud wrote:
>> /  I've started reading on Rabbit MQ's plugin's and the custom
>> auth, but I
> />/  wanted to check with the list before I launched into
> implementing our />/  solution. />/ />/  We run RabbitMQ over the
> public Internet (.NET clients talking to an EC2 />/  cloud). On
> subscription, we'd like to run an />/  authentication/authorization
> process, which would query our user server />/  for auth/auth via
> REST. From what I gather, the right way to do this is />/  to write a
> plugin for Rabbit, perhaps starting from an existing plugin />/  as a
> starting point? / Yes.
> You would need to write an implementation of the rabbit_auth_backend
> behaviour. You should look at:
> rabbitmq-server/src/rabbit_auth_backend.erl - the behaviour itself
> rabbitmq-server/include/rabbit_auth_backend_spec.erl - the type
> signatures for the behaviour
> rabbitmq-server/src/rabbit_auth_backend_internal.erl - the
> implementation of the built in auth database. Note that you only need
> to look at the code before the comment "Manipulation of the user
> database".
> rabbitmq-auth-backend-ldap/src/rabbit_auth_backend_ldap.erl -
> alternate implementation using LDAP
> You'll need to configure RabbitMQ to use your plugin. Set the
> auth_backends variable for the rabbit application to a list of
> authentication plugins to try in order.
> And tell us of your experiences here :)
> Cheers, Simon
> -- Simon MacMullen Staff Engineer, RabbitMQ SpringSource, a division
> of VMware

Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware

More information about the rabbitmq-discuss mailing list