[rabbitmq-discuss] Problems with rabbitmq-auth-mechanism-ssl
Jiri Krutil
jiri at krutil.com
Tue Feb 22 14:36:26 GMT 2011
>> The management plugin displays a "Can log in with password" flag for users.
>>
>> How do I disable the possibility to log in with password? I want to
>> force the users to use SSL cert-based authentication (SASL EXTERNAL).
>
> If only EXTERNAL is available server-wide, then no user can log in
> with a password, you need PLAIN to do that. That flag is for if you
> want to prevent only certain users from logging in with a password.
> Essentially if it's not set it means the user has no password.
>
> You can set this by using the "Add / update a user" form on the
> Users listing page. Enter the name of an existing user to set the
> password and administrator status for that user (yes, this could be
> clearer...)
We have a backend connecting to the broker using a non-encrypted TCP
connection and PLAIN authentication. The backend uses a dedicated
broker user account with full AMQP permissions.

We also have one admin account that is used for the management plugin API.

We then have customers connecting from the public Internet that should be
forced to use SSL with SASL EXTERNAL authentication. Each customer has
its own broker account with limited AMQP permissions.

The firewall is set up to open only the SSL port to the public. That
means no customer may connect using TCP without SSL.

The question is how do I make sure that the customers won't connect
using SSL with PLAIN authentication. (Currently we set up customer
accounts manually using rabbitmqctl, but we are planning to automate
this using the management plugin API.)

I would like to have the password authentication disabled for new
users by default. The only users that may log in with a password are
the backend and admin users.

Any hints?

Cheers
Jiri