[rabbitmq-discuss] Creating an auth plugin (Kerberos)
Simon Lundström
simlu at su.se
Thu May 2 11:44:27 BST 2013
On Tue, 2013-04-30 at 14:57:02 +0100, Simon MacMullen wrote:
> On 30/04/13 11:07, Simon Lundström wrote:
> >Hm, I'm experiencing some weirdness now that I didn't before. I'm sure
> >I'm to blame but I belive I have checked all configuration parameters.
> >
> >In rabbitmq.config I've made sure that RabbitMQ uses my plugin:
> >{auth_backends, [rabbit_auth_backend_kerberos, rabbit_auth_backend_internal]},
>
> Are you absolutely sure about this? The broker really will just try
> the backends in order, and only the last module's {refused, _, _}
> will be returned.
The only thing I'm sure about is that I'm a moron. XP
I had misenterpreted the Erlang NIF documentation about binaries, see
<http://www.erlang.org/doc/man/erl_nif.html#id178259> headline Binaries.
"Both data and size are read-only and should only be written using calls
to API functions."
My interpretation: The pointers are pointing to a copy of the binaries
in Erlang and are thus read-only since they cannot change what the
actual value is in Erlang.
The correct interpretation: They are pointers to the actual data in
Erlang and should be handled as read-only but nothing enforces this (and
if you change them in your NIF they get changed in Erlang, so much for
immutable obejcts ; P).
So since rabbit_auth_backend_kerberos is always run before
rabbit_auth_backend_internal and my NIF code does this
<https://github.com/simmel/rabbitmq-auth-backend-kerberos/blob/71cffb/c_src/kinit.c#L59-L61>
and overwrites the password that exists in Erlang with NULLs when
rabbit_auth_backend_internal tries to authenticate the user with said
password, it doesn't match...
Thanks for your invaluable help, as always!
Br,
- Simon
More information about the rabbitmq-discuss
mailing list