Skip to content

simmel/rabbitmq-auth-backend-kerberos

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

94 Commits
c_src
c_src
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
erlang.mk
erlang.mk
 
 
package.mk
package.mk
 
 
rabbitmq-components.mk
rabbitmq-components.mk
 
 

Repository files navigation

Overview

This plugin provides the ability for your RabbitMQ server authenticate users against a Kerberos KDC using the password sent to the RabbitMQ server as part of normal connection.

Since Kerberos is an authentication protocol and cannot do authorization this plugin depends on the user existing with the correct tags/roles in in internal user backend (until authzorisation has been properly fixed).

This plugin will use your systems Kerberos settings.

NOTE: This plugin will only work on >3.7.x! For >3.3.x && <3.5.x use versions 1.x. For >3.5.x && <3.7.x use versions 2.x.

The plugin is BSD-licensed.

Requirements

You can build and install it like any other plugin (see http://www.rabbitmq.com/plugin-development.html).

Headers for Erlang and Heimdal or MIT Kerberos are needed to build it. So on any Debian derived distro that's erlang-dev and heimdal-dev or libkrb5-dev.

Compiling

The plugin works both with Heimdal and MIT Kerberos.

So e.g:

Mac OS X

When using heimdal and erlang from Homebrew:

LDFLAGS="-undefined dynamic_lookup -dynamiclib" make dist

Ubuntu 12.04 Precise

make dist

Usage

Enabling the plugin

  • Enable the plugin rabbitmq_auth_backend_kerberos, see http://www.rabbitmq.com/plugins.html
  • To make RabbitMQ use the plugin, add kerberos to the auth_backends list of authentication providers to try in order.

Therefore a complete RabbitMQ configuration that enables this plugin would look like this:

In rabbitmq.conf:

auth_backends.1.authn = rabbit_auth_backend_kerberos
auth_backends.1.authz = rabbit_auth_backend_internal
auth_backends.2 = rabbit_auth_backend_internal

or in advanced.config:

[{rabbit,
  [{auth_backends, [rabbit_auth_backend_kerberos, rabbit_auth_backend_internal]}]
 }].

Adding the user

Now you must add the users that you want to be able to use Kerberos authentication to the local database:

$ rabbitmqctl add_user test temporary_password
Creating user "test" ...
...done.
$ rabbitmqctl clear_password test
Clearing password for user "test" ...
...done.

See http://www.rabbitmq.com/management.html#permissions if you want the user to be able to access the management gui.

Acknowledgements

Many thanks to:

All in all, a very helpful and supportive community!

About

A Kerberos authN backend for RabbitMQ

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

7 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

5 tags

Packages

No packages published

Languages