[rabbitmq-discuss] Creating an auth plugin (Kerberos)

Tim Watson tim at rabbitmq.com
Tue Dec 11 17:07:02 GMT 2012 

On 11 Dec 2012, at 16:20, Simon Lundström wrote:

> That was easy. The only hard thing was to get it to compile correctly on
> OS X = ).

Glad it was, and *not at all surprised* it's a pain on OSX - I frequently have issues there as well with .dylib vs .so and whatnot when making linked-in drivers.

> (Note to future readers see
> <http://stackoverflow.com/questions/8288358/erlang-nif-test-os-x-lion>)
> 

Thanks for sharing that with the list!

> The NIF needs to be loaded at some point and from the examples and
> documentation I've found that it's done via -on_load, like this:
> <https://github.com/simmel/rabbitmq-auth-backend-kerberos/blob/use_nif/src/rabbit_auth_backend_kerberos.erl#L10-L14>
> 

That *is* the correct way to load a NIF.

> However, I've tried using -on_load before in my plugin and it didn't
> work. I suspected that the -behaviour had some magic which involved
> -on_load and using -on_load in your model bricks that. I worked around
> needing -on_load and forgot about it. However, now I need it again. This
> is from the error log:
> 

-behaviour doesn't affect NIFs at all AFAIK - that behaviour attribute just tells the compiler to puke unless certain functions are defined and exported, and generates a behaviour_info/2 function. Hmn, perhaps that latter part *does* interfere with NIFs, but I've never heard of that before.

> When logging in via AMQP:
> 
> =ERROR REPORT==== 11-Dec-2012::09:57:02 ===
> closing AMQP connection <0.287.0> (130.237.168.221:48736 -> 77.238.35.76:5671):
> {channel0_error,starting,
>    {error,undef,'connection.start_ok',
>        [{rabbit_auth_backend_kerberos,check_user_login,
>             [<<"simlu">>,[{password,<<"notmypassword">>}]]},


That's not saying check_user_login is undefined. In fact, check_user_login is not even part of the NIF infrastructure. It looks like it's saying 'connection.start_ok' is undefined. Hmn - doesn't make much sense to me I'm afraid. What happens if you move the NIF part out into another module, using the -on_load attribute there and then just call that utility module from your plugin?

-module(kinit).

-export([init/0, kinit/2]).
-on_load(init/0).

init() ->
  Kinit = code:priv_dir(?APPLICATION) ++ "/kinit.so",
  erlang:load_nif(Kinit, 0).

kinit(User, Password) -> exit(nif_library_not_loaded).


And then in rabbit_auth_backend_kerberos just call:

case kinit:kinit(User, PassWd) of .....

Anyway, if you put the NIF part into another module, you *should* be able to test it outside of rabbit my doing something like:

$ erl -sname foo
banner. .....
% ok = application:start(rabbit_auth_backend_kerberos).
ok
% X = kinit:kinit("auser", "password").
<< a term >>
% io:format("~p~n", [X]).


Then if it *still* doesn't work when you're running it inside rabbit we might need to consider other things that could be going wrong (such as the NIF init magic). 

Cheers,
Tim

>         {rabbit_access_control,'-check_user_login/2-fun-0-',4},
>         {lists,foldl,3},
>         {rabbit_reader,auth_phase,2},
>         {rabbit_reader,handle_method0,3},
>         {rabbit_reader,handle_input,3},
>         {rabbit_reader,recvloop,2},
>         {rabbit_reader,start_connection,7}]}}
> 
> when using the API (this is in the sasl log):
> 
> =CRASH REPORT==== 11-Dec-2012::11:51:04 ===
>  crasher:
>    initial call: mochiweb_acceptor:init/3
>    pid: <0.256.0>
>    registered_name: []
>    exception error: undefined function rabbit_auth_backend_kerberos:check_user_login/2
>      in function  rabbit_access_control:'-check_user_login/2-fun-0-'/4
>      in call from lists:foldl/3
>      in call from rabbit_mgmt_app:'-make_loop/0-fun-0-'/4
>      in call from mochiweb_http:headers/5
>    ancestors: [rabbit_mochiweb_web_mgmt,rabbit_mochiweb_sup,<0.132.0>]
>    messages: []
>    links: [<0.252.0>]
>    dictionary: []
>    trap_exit: false
>    status: running
>    heap_size: 4181
>    stack_size: 24
>    reductions: 1467
>  neighbours:
> 
> 
> Thanks,
> - Simon
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

More information about the rabbitmq-discuss mailing list