[rabbitmq-discuss] Custom authentication and authorization

Simon MacMullen simon at rabbitmq.com
Tue Feb 15 10:25:19 GMT 2011


(We prefer to keep rabbitmq-discuss in the loop; this is of general 
interest.)

Hi Benjamin. The idea of securing access to RabbitMQ resources based on 
secret names is perfectly reasonable providing that:

* Any attacker can't use rabbitmqctl

* Furthermore, any attacker can't see the Erlang cookie

   - This is in fact always true: possession of the cookie lets you do
     anything, but I thought I should mention it.

* Any attacker can't use the management plugin

We go to some effort to ensure that server-generated names for queues 
are unguessable; the intent is to allow exactly this sort of security model.

That said, would there be general interest in a hypothetical 
rabbitmq-auth-backend-http plugin?

Cheers, Simon

On 15/02/11 01:05, Benjamin Renaud wrote:
> Simon,
>
> Thanks a lot for your response! These are very useful pointers and
> it's much appreciated.
>
> First a bit of background - we're all very experienced Java, C and
> Ruby developers, but we have no Erlang experience whatsoever.
> Securing something like Rabbit using a custom module represents a lot
> of work, and as I was looking into this some more, we came up with
> an idea of securing the whole system, and I was wondering if you
> could give me some feedback on it?
>
> The basic idea would be to make every exchange name a secret 256-bit
> key that could only be obtained using a regular (authenticated and
> authorized) REST call to our usual REST server.
>
> It would require that a client (attacker) not be able to list all
> active exchanges, and to run all traffic over HTTPS. Does that sound
> like a workable solution?
>
> Thanks!
>
> Benjamin
>
>
> On 14/02/11 07:23, Benjamin Renaud wrote:
>> I've started reading on Rabbit MQ's plugins and the custom auth, but I
>> wanted to check with the list before I launched into implementing our
>> solution.
>>
>> We run RabbitMQ over the public Internet (.NET clients talking to an EC2
>> cloud). On subscription, we'd like to run an
>> authentication/authorization process, which would query our user server
>> for auth/auth via REST. From what I gather, the right way to do this is
>> to write a plugin for Rabbit, perhaps starting from an existing plugin
>> as a starting point?
>
> Yes.
>
> You would need to write an implementation of the rabbit_auth_backend
> behaviour. You should look at:
>
> rabbitmq-server/src/rabbit_auth_backend.erl - the behaviour itself
>
> rabbitmq-server/include/rabbit_auth_backend_spec.erl - the type
> signatures for the behaviour
>
> rabbitmq-server/src/rabbit_auth_backend_internal.erl - the
> implementation of the built in auth database. Note that you only need
> to look at the code before the comment "Manipulation of the user
> database".
>
> rabbitmq-auth-backend-ldap/src/rabbit_auth_backend_ldap.erl -
> alternate implementation using LDAP
>
> You'll need to configure RabbitMQ to use your plugin. Set the
> auth_backends variable for the rabbit application to a list of
> authentication plugins to try in order.
>
> And tell us of your experiences here :)
>
> Cheers, Simon
>
> -- Simon MacMullen Staff Engineer, RabbitMQ SpringSource, a division
> of VMware
>


-- 
Simon MacMullen
Staff Engineer, RabbitMQ
SpringSource, a division of VMware
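An added illustration of the design discussed in this thread, not code from the list, from RabbitMQ or from the rabbitmq-auth-backend-http plugin Simon floats as a hypothetical: a small HTTP decision service of the kind such a plugin (or Benjamin's REST server) would consult. It mirrors the three decisions a rabbit_auth_backend implementation has to make (user login, vhost access, resource access) as plain functions, deny-by-default, and exposes them over HTTP. The URL paths, query parameter names, the "allow"/"deny" reply bodies and the constructed user table are assumptions made for this example, not an interface RabbitMQ defines.

```python
"""Minimal HTTP auth/authz decision service (added example, assumed interface).

Assumed endpoints, each answering a plain-text body of "allow" or "deny":
  GET /user?username=U&password=P
  GET /vhost?username=U&vhost=V
  GET /resource?username=U&vhost=V&name=N&permission=configure|write|read
"""
import hashlib
import hmac
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse


def _hash(password, salt):
    """Salted SHA-256 of a password (a demo scheme; use a slow KDF in production)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user table for the example. Permissions are per-vhost regular
# expressions over exchange/queue names, the same configure/write/read triple
# RabbitMQ's internal user database uses; an empty pattern grants nothing.
USERS = {
    "alice": {
        "salt": b"salt-alice",
        "pwhash": _hash("correct horse", b"salt-alice"),
        "vhosts": {"/": {"configure": "", "write": r"orders\..*", "read": r"orders\..*"}},
    },
    "svc-admin": {
        "salt": b"salt-admin",
        "pwhash": _hash("s3cret", b"salt-admin"),
        "vhosts": {"/": {"configure": ".*", "write": ".*", "read": ".*"}},
    },
}


def check_user_login(username, password):
    """True only if the user exists and the password matches."""
    user = USERS.get(username)
    # Hash and compare even for unknown users so response timing does not
    # reveal which user names exist.
    salt = user["salt"] if user else b"salt-dummy"
    expected = user["pwhash"] if user else _hash("", salt)
    matched = hmac.compare_digest(expected, _hash(password, salt))
    return user is not None and matched


def check_vhost_access(username, vhost):
    """True if the user has any permissions on the vhost."""
    user = USERS.get(username)
    return user is not None and vhost in user["vhosts"]


def check_resource_access(username, vhost, name, permission):
    """True if the user's pattern for `permission` fully matches the resource name."""
    user = USERS.get(username)
    if user is None or vhost not in user["vhosts"]:
        return False
    pattern = user["vhosts"][vhost].get(permission)
    return pattern is not None and re.fullmatch(pattern, name) is not None


def decide(path, params):
    """Route an assumed endpoint to its check; anything malformed is denied."""
    try:
        if path == "/user":
            return check_user_login(params["username"], params["password"])
        if path == "/vhost":
            return check_vhost_access(params["username"], params["vhost"])
        if path == "/resource":
            return check_resource_access(params["username"], params["vhost"],
                                         params["name"], params["permission"])
    except KeyError:
        return False
    return False


class AuthHandler(BaseHTTPRequestHandler):
    """HTTP wrapper around decide(); replies "allow" or "deny", nothing more."""

    def do_GET(self):
        url = urlparse(self.path)
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        body = b"allow" if decide(url.path, params) else b"deny"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Never log query strings: they carry passwords.
        pass


def serve(host="127.0.0.1", port=8000):
    """Bind to loopback; the broker-to-service hop must be TLS-protected in practice."""
    HTTPServer((host, port), AuthHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The three functions correspond one-to-one with the checks a backend must answer, and every path that is not an explicit allow returns deny, including missing parameters and unknown endpoints; that is the property to preserve when the service is reached over the public Internet as Benjamin describes.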


