RabbitMQ authentication, authorization, access

Authentication, authorization, access control

Overview

This guide describes the authentication and authorization features of RabbitMQ. Together they allow an operator to control who may access the system and what they may do. Different users can be granted access only to specific virtual hosts, and their permissions within each virtual host can be limited further.

RabbitMQ supports two main authentication mechanisms and several pluggable authentication and authorization backends.

Password-based authentication has its own guide. TLS support, including X.509 certificate authentication, is also covered in a dedicated guide.

Other topics discussed in the guide include:

  • The default virtual host and user
  • The localhost-only restriction on the default user
  • Troubleshooting authentication and authorization failures

Related Terms and Definitions

Authentication and authorization are often confused or used interchangeably. In RabbitMQ they are separate concepts and should not be mixed up. Put simply, authentication establishes who the user is; authorization decides what that authenticated user is and is not allowed to do.

The default virtual host and user

When the server first starts and detects that its database is uninitialized or has been deleted, it initializes a fresh database with these resources:

  • a virtual host named /;
  • a user named guest with the default password guest, granted full access to the / virtual host.

It is strongly recommended to delete the guest user, or at least to change its password to a reasonably secure, generated value that is not publicly known.

Authentication: Who Are You?

When an application connects to RabbitMQ it must authenticate, that is, present proof of its identity, before performing any operation. Given that identity, the node can look up the user's permissions and authorize access to the relevant resources, such as virtual hosts, queues and exchanges.

The two basic ways for a client to authenticate are username/password pairs and X.509 certificates. Username/password credentials can be verified against a variety of authentication backends.

A connection that fails authentication is closed, and an error message is written to the server log.

Connections that authenticate with X.509 certificates use the built-in rabbitmq-auth-mechanism-ssl plugin. The plugin must be enabled on all nodes, and the client must be configured to use the EXTERNAL mechanism. With this mechanism any password supplied by the client is ignored.

The guest user can only connect from localhost

By default the guest user is prohibited from connecting from remote hosts; it can only connect over a loopback interface (i.e. localhost). This applies to connections regardless of protocol. Other users are not restricted this way by default.

For production systems it is recommended to create new users with generated credentials, granting each only the permissions it needs on the relevant virtual hosts. This can be done with the CLI tools, the HTTP API or definitions import.

The restriction is controlled by the loopback_users configuration entry.

Setting loopback_users to none allows the guest user to connect remotely.

The minimal rabbitmq.conf that allows guest to connect remotely looks like this:

# DANGER ZONE!
#
# allowing remote connections for default user is highly discouraged
# as it dramatically decreases the security of the system. Delete the user
# instead and create a new one with generated secure credentials.
loopback_users = none

Or in the classic configuration file format (rabbitmq.config):

%% DANGER ZONE!
%%
%% Allowing remote connections for default user is highly discouraged
%% as it dramatically decreases the security of the system. Delete the user
%% instead and create a new one with generated secure credentials.
[{rabbit, [{loopback_users, []}]}].

Authorization: How Permissions Work

When a client establishes a connection to RabbitMQ and authenticates, it specifies the virtual host it intends to operate in. A first level of access control is enforced at this point: the server checks whether the user has any permissions in that virtual host and rejects the connection attempt if it does not.

Resources such as exchanges and queues are named entities inside a particular virtual host; the same name denotes a different resource in each virtual host. A second level of access control is enforced when certain operations are performed on a resource.

RabbitMQ distinguishes between configure, write and read operations on a resource. Configure operations create or destroy resources or alter their behaviour. Write operations inject messages into a resource. Read operations retrieve messages from a resource.

In order to perform an operation on a resource the user must have been granted the appropriate permission for it. The following table shows which permissions on which types of resource are required for each AMQP 0-9-1 command.

AMQP 0-9-1 Operation              configure   write                    read
exchange.declare (passive=false)  exchange
exchange.declare (passive=true)
exchange.declare (with AE)        exchange    exchange (AE)            exchange
exchange.delete                   exchange
queue.declare (passive=false)     queue
queue.declare (passive=true)
queue.declare (with DLX)          queue       exchange (DLX)           queue
queue.delete                      queue
exchange.bind                                 exchange (destination)   exchange (source)
exchange.unbind                               exchange (destination)   exchange (source)
queue.bind                                    queue                    exchange
queue.unbind                                  queue                    exchange
basic.publish                                 exchange
basic.get                                                              queue
basic.consume                                                          queue
queue.purge                                   queue

Notes:
  • passive: a passive declare (passive=true) only checks whether the exchange or queue exists. It succeeds if it does and raises a channel exception otherwise, but never creates anything, which is why it requires no permission.
  • AE: Alternate Exchange
  • DLX: Dead Letter Exchange

Permissions are expressed per virtual host as three regular expressions, one each for configure, write and read. The user is granted the corresponding permission on every resource whose name matches the regular expression. (Note: for convenience, RabbitMQ maps the empty exchange name, i.e. the default exchange, to amq.default when performing permission checks.)

The regular expression '^$' matches only the empty string and therefore effectively prevents the user from operating on any resource. Standard AMQP resource names are prefixed with amq. and server-generated names are prefixed with amq.gen. For example, '^(amq\.gen.*|amq\.default)$' gives a user access to server-generated names and to the default exchange. The empty string '' is a synonym for '^$' and restricts permissions in exactly the same way. Note that the internal backend applies a pattern as a search over the resource name rather than a full-string match, so anchor patterns with ^ and $ unless substring matches are intended.
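As an added example, not part of the original page or of RabbitMQ's own code, the following Python model replays the permission table and the regular-expression rules above: each operation is mapped to the (permission, resource) checks it triggers, the empty exchange name is mapped to amq.default, an empty pattern is treated as ^$, and patterns are applied as an unanchored search, which is how the internal backend's Erlang re:run call behaves. The PERMISSIONS store is constructed for illustration (it mirrors the rabbitmqctl list_permissions output shown later on this page); the function names are this example's own.

```python
import re

# Which checks each AMQP 0-9-1 operation triggers, transcribed from the table
# above as (permission, argument) pairs. The argument names the resource in
# the call: queue, exchange, ae, dlx, source or destination.
OPERATION_CHECKS = {
    "exchange.declare": [("configure", "exchange")],
    "exchange.declare.passive": [],
    "exchange.declare.ae": [("configure", "exchange"), ("write", "ae"), ("read", "exchange")],
    "exchange.delete": [("configure", "exchange")],
    "queue.declare": [("configure", "queue")],
    "queue.declare.passive": [],
    "queue.declare.dlx": [("configure", "queue"), ("write", "dlx"), ("read", "queue")],
    "queue.delete": [("configure", "queue")],
    "exchange.bind": [("write", "destination"), ("read", "source")],
    "exchange.unbind": [("write", "destination"), ("read", "source")],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
    "queue.unbind": [("write", "queue"), ("read", "exchange")],
    "basic.publish": [("write", "exchange")],
    "basic.get": [("read", "queue")],
    "basic.consume": [("read", "queue")],
    "queue.purge": [("write", "queue")],
}

# Constructed permission store: (user, vhost) -> (configure, write, read),
# modelled on the `rabbitmqctl list_permissions` output later on this page.
PERMISSIONS = {
    ("user2", "/"): (".*", ".*", ".*"),
    ("user2", "gw1"): ("^user2", "^user2", "^user2"),
    ("temp-user", "/"): (r"^(amq\.gen.*|amq\.default)$",) * 3,
}


def resource_permitted(pattern: str, name: str) -> bool:
    """One resource check as the internal backend performs it.

    - The empty exchange name (the default exchange) is checked as 'amq.default'.
    - An empty pattern means '^$', i.e. no resource at all.
    - The pattern is a search, not a full-string match (Erlang re:run), so an
      unanchored 'user2' would also permit 'xuser2'. Anchor patterns with ^ and $.
    """
    if name == "":
        name = "amq.default"
    if pattern == "":
        pattern = "^$"
    return re.search(pattern, name) is not None


def authorize(user: str, vhost: str, operation: str, resources: dict) -> tuple:
    """Both levels of access control: vhost access first, then every resource
    check the operation requires. Returns (allowed, reason)."""
    perms = PERMISSIONS.get((user, vhost))
    if perms is None:                       # level 1: no permissions in this vhost
        return False, f"access to vhost '{vhost}' refused for user '{user}'"
    by_permission = dict(zip(("configure", "write", "read"), perms))
    for permission, argument in OPERATION_CHECKS[operation]:   # level 2
        name = resources[argument]
        if not resource_permitted(by_permission[permission], name):
            kind = "queue" if argument == "queue" else "exchange"
            return False, (f"{permission} access to {kind} '{name or 'amq.default'}' "
                           f"in vhost '{vhost}' refused for user '{user}'")
    return True, "ok"


if __name__ == "__main__":
    cases = [
        ("user2", "gw1", "queue.declare", {"queue": "user3.q1"}),   # the refusal logged on this page
        ("user2", "gw1", "queue.declare.dlx", {"queue": "user2.q1", "dlx": "user3.dlx"}),
        ("temp-user", "/", "basic.publish", {"exchange": ""}),      # default exchange -> amq.default
        ("temp-user", "/", "basic.publish", {"exchange": "amq.direct"}),
        ("nobody", "/", "basic.get", {"queue": "q"}),
    ]
    for case in cases:
        print(case[:3], authorize(*case))
```

The queue.declare.dlx case is the one most often missed in practice: a user who may configure their own queues still needs write permission on the dead-letter exchange named in the declaration, otherwise the declare is refused.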

RabbitMQ caches the results of access control checks per connection and per channel. Changes to a user's permissions therefore may not take effect until the user reconnects.

For details on setting access control, see the access control section of the rabbitmqctl manual.

Management UI access and user tags

In addition to the permissions described above, users can have tags associated with them. Currently only management UI access is controlled by user tags.

Tags are managed with rabbitmqctl. Newly created users have no tags by default.

See the management plugin guide to learn more about tags: which tags are supported and how they limit access to the management UI.

Topic Authorization

As of version 3.7.0, RabbitMQ supports topic authorization for topic exchanges. When a message is published to a topic exchange, its routing key is checked as well (e.g. with the default RabbitMQ authorization backend, the routing key is matched against a regular expression to decide whether the message may be routed). Topic authorization targets protocols such as STOMP and MQTT, which are structured around topics and use topic exchanges under the hood.

Topic authorization is an additional layer on top of the existing checks for publishers. Publishing a message to a topic exchange goes through both the basic.publish check and the routing key check. The latter is never evaluated if the former refuses access.

Topic authorization can also be enforced for topic consumers. Note that it works differently for different protocols. Conceptually, topic authorization only makes sense for topic-oriented protocols such as MQTT and STOMP. In AMQP 0-9-1, for example, consumers consume from queues, so the standard resource permissions apply. In addition, for AMQP 0-9-1, the routing keys used when binding a topic exchange to a queue or exchange are checked against the configured topic permissions, if any. For details on how RabbitMQ handles topic authorization for each protocol, consult the STOMP and MQTT guides.

When the default authorization backend is used and no topic permissions are defined (which is the case on a freshly installed RabbitMQ server), publishing to a topic exchange or consuming from a topic is always authorized. Topic authorization is therefore opt-in: you do not need to whitelist any exchanges. To use it, define topic permissions for one or more exchanges. See the rabbitmqctl manual for details.

The internal (default) authorization backend supports variable expansion in topic permission patterns. Three variables are supported: username, vhost and client_id. Note that client_id only applies to MQTT. For example, for a user named tonyg the permission ^{username}-.* expands to ^tonyg-.*.
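An added example, not from the page or from RabbitMQ itself: a Python model of the topic-permission layer described in the last few paragraphs. TOPIC_PERMISSIONS is a constructed store keyed by (user, vhost, exchange); expand() performs the literal {username}/{vhost}/{client_id} substitution; check_topic_access() applies the "no permission defined means authorized" rule; and publish_permitted() shows the two layers for basic.publish, where the routing-key check only runs once the ordinary write permission on the exchange has passed. Treating an empty pattern as ^$ and matching by unanchored search are assumptions carried over from the resource permission rules above; the user names, patterns and function names are this example's own.

```python
import re

# Constructed topic permission store: (user, vhost, exchange) -> (write, read)
# patterns, as one would set with `rabbitmqctl set_topic_permissions`.
# Variables in braces are expanded per connection before matching.
TOPIC_PERMISSIONS = {
    ("tonyg", "/", "amq.topic"): ("^{username}-.*", "^{username}-.*"),
    # An MQTT gateway user may only publish under its own client id and
    # may not subscribe at all (empty read pattern).
    ("sensor-gw", "/", "amq.topic"): (r"^sensors\.{client_id}\..*", ""),
}


def expand(pattern, username, vhost, client_id=None):
    """Literal substitution of the three supported variables. client_id is
    only known for MQTT connections; for other protocols {client_id} is left
    in place and therefore never matches a real routing key. Because the
    substitution is literal, a username containing regex metacharacters
    would change the meaning of the pattern."""
    values = {"username": username, "vhost": vhost}
    if client_id is not None:
        values["client_id"] = client_id
    for key, value in values.items():
        pattern = pattern.replace("{" + key + "}", value)
    return pattern


def check_topic_access(user, vhost, exchange, permission, routing_key, client_id=None):
    """permission is 'write' (publish) or 'read' (consume, or an AMQP 0-9-1
    binding key). With no topic permission defined for this exchange the
    access is authorized: the feature is opt-in."""
    entry = TOPIC_PERMISSIONS.get((user, vhost, exchange))
    if entry is None:
        return True
    pattern = expand(entry[0] if permission == "write" else entry[1], user, vhost, client_id)
    if pattern == "":
        pattern = "^$"           # assumed to mirror the resource permission rule
    return re.search(pattern, routing_key) is not None


def publish_permitted(user, vhost, exchange, routing_key, exchange_write_pattern, client_id=None):
    """The two layers for basic.publish to a topic exchange: the regular write
    permission on the exchange comes first; the routing-key layer is only
    consulted when the first layer has allowed access."""
    if re.search(exchange_write_pattern or "^$", exchange or "amq.default") is None:
        return False, f"write access to exchange '{exchange}' refused"
    if not check_topic_access(user, vhost, exchange, "write", routing_key, client_id):
        return False, f"topic access to routing key '{routing_key}' refused"
    return True, "ok"


if __name__ == "__main__":
    print(publish_permitted("tonyg", "/", "amq.topic", "tonyg-metrics", r"^amq\.topic$"))
    print(publish_permitted("tonyg", "/", "amq.topic", "alice-metrics", r"^amq\.topic$"))
    print(check_topic_access("sensor-gw", "/", "amq.topic", "write", "sensors.dev43.temp", client_id="dev42"))
```

The sensor-gw entry is the shape worth copying for MQTT fleets: the {client_id} variable ties each device's publish rights to the identifier it connected with, so one compromised device cannot publish as another.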

If a different authorization backend (e.g. LDAP, HTTP, AMQP) is used, refer to that backend's documentation.

If a custom authorization backend is used, topic authorization is enforced by implementing the check_topic_access callback of the rabbit_authz_backend behaviour.

Alternative Authentication and Authorization Backends

Authentication and authorization are pluggable. Plugins can provide:

  • authentication ("authn") backends
  • authorization ("authz") backends

A single plugin may provide both. The built-in LDAP and HTTP backends, for example, do.

Some plugins, such as the Source IP range one, only provide an authorization backend; authentication is then handled by the internal database, LDAP, etc.

Combining Backends

It is possible to use multiple backends for authn or authz using the auth_backends configuration key. When several authentication backends are used, the first positive result returned by a backend in the chain is final. This should not be confused with mixed backends (for example, using LDAP for authentication and the built-in backend for authorization).

The following example configures RabbitMQ to use only the built-in backend (which is the default):

# rabbitmq.conf
#
# 1 here is a backend name. It can be anything.
# Since we only really care about backend
# ordering, we use numbers throughout this guide.
#
# "internal" is an alias for rabbit_auth_backend_internal
auth_backends.1 = internal

Or use the classic configuration format:

[{rabbit, [
            {auth_backends, [rabbit_auth_backend_internal]}
          ]
}].

The example above uses an alias, internal, for rabbit_auth_backend_internal. The following aliases are available:

  • internal -> rabbit_auth_backend_internal
  • ldap -> rabbit_auth_backend_ldap (LDAP plugin)
  • http -> rabbit_auth_backend_http (HTTP auth backend plugin)
  • amqp -> rabbit_auth_backend_amqp (AMQP 0-9-1 auth backend plugin)
  • dummy -> rabbit_auth_backend_dummy

When using third-party plugins, the full module name must be provided.

The following example configures RabbitMQ to use the LDAP backend for both authentication and authorization. The internal database will not be consulted:

auth_backends.1 = ldap

Or classic configuration format:

[{rabbit, [
            {auth_backends, [rabbit_auth_backend_ldap]}
          ]
}].

This example checks LDAP first and falls back to the internal user database if the user cannot be authenticated through LDAP:

auth_backends.1 = ldap
auth_backends.2 = internal

Or classic configuration format:

[{rabbit, [
            {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}
          ]
}].

Same as above, but falling back to the HTTP backend:

# rabbitmq.conf
#
auth_backends.1 = ldap
# uses module name instead of a short alias, "http"
auth_backends.2 = rabbit_auth_backend_http

# See HTTP backend docs for details
auth_http.user_path = http://my-authenticator-app/auth/user
auth_http.vhost_path = http://my-authenticator-app/auth/vhost
auth_http.resource_path = http://my-authenticator-app/auth/resource
auth_http.topic_path = http://my-authenticator-app/auth/topic

Or classic configuration format:

[{rabbit, [
            {auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_http]}
          ]
 },
 %% See HTTP backend docs for details
 {rabbitmq_auth_backend_http,
   [{user_path,     "http://my-authenticator-app/auth/user"},
    {vhost_path,    "http://my-authenticator-app/auth/vhost"},
    {resource_path, "http://my-authenticator-app/auth/resource"},
    {topic_path,    "http://my-authenticator-app/auth/topic"}]}].

The following example uses the internal database for authentication and the source IP range backend for authorization:

# rabbitmq.conf
#
auth_backends.1.authn = internal
# uses module name because this backend is from a 3rd party
auth_backends.1.authz = rabbit_auth_backend_ip_range

Or classic configuration format:

[{rabbit, [
            {auth_backends, [{rabbit_auth_backend_internal, rabbit_auth_backend_ip_range}]}
          ]
}].

The following example uses LDAP for authentication and the internal database for authorization:

# rabbitmq.conf
#
auth_backends.1.authn = ldap
auth_backends.1.authz = internal

Or classic configuration format:

[{rabbit, [
            {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}]
          ]}].

The following example is more advanced. It checks LDAP first; if the user is found in LDAP, the password is verified there and subsequent authorization checks are performed against the internal database (so the internal database must also contain the LDAP user, though not necessarily a password for it). If LDAP does not accept the credentials, a second attempt is made using the internal database alone.

# rabbitmq.conf
#
auth_backends.1.authn = ldap
auth_backends.1.authz = internal
auth_backends.2       = internal

Or classic configuration format:

[{rabbit, [
            {auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
                             rabbit_auth_backend_internal]}
          ]
}].
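The chain semantics from the Combining Backends section and the advanced example just above, as an added Python model (not RabbitMQ code, not from the original page): parse_auth_backends() turns rabbitmq.conf-style auth_backends.N / .authn / .authz lines into an ordered list of (authn, authz) pairs, and login() walks that list, stopping at the first backend that accepts the credentials and letting only its paired authz backend decide vhost access. LDAP_USERS, INTERNAL_USERS and INTERNAL_VHOSTS are constructed stand-ins for the directory and the internal database; the model treats any refusal (unknown user or wrong password) as a reason to try the next backend, which is the "first positive result is final" rule stated above.

```python
# Constructed stand-ins for the two credential stores. Plaintext passwords
# keep the model short; a real directory or database stores hashes.
LDAP_USERS = {"alice": "ldap-pw-1", "bob": "ldap-pw-2"}
INTERNAL_USERS = {"alice": None, "svc-monitor": "local-pw"}       # None: mirrored LDAP account, no local password
INTERNAL_VHOSTS = {"alice": {"/"}, "svc-monitor": {"/", "gw1"}}   # vhosts each internal user has permissions in


def ldap_authn(username, password):
    return LDAP_USERS.get(username) == password


def ldap_authz(username, vhost):
    return username in LDAP_USERS        # the model's directory grants every vhost


def internal_authn(username, password):
    stored = INTERNAL_USERS.get(username)
    return stored is not None and stored == password


def internal_authz(username, vhost):
    return vhost in INTERNAL_VHOSTS.get(username, set())


BACKENDS = {"ldap": (ldap_authn, ldap_authz), "internal": (internal_authn, internal_authz)}

# The advanced example from the page, used by the demo below.
ADVANCED_CONF = """
auth_backends.1.authn = ldap
auth_backends.1.authz = internal
auth_backends.2       = internal
"""


def parse_auth_backends(conf_text):
    """Read auth_backends.N, auth_backends.N.authn and auth_backends.N.authz
    lines into an ordered chain of (authn, authz) function pairs."""
    entries = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if parts[0] != "auth_backends":
            continue
        role = parts[2] if len(parts) > 2 else "both"
        entries.setdefault(int(parts[1]), {})[role] = value
    chain = []
    for n in sorted(entries):
        entry = entries[n]
        authn = BACKENDS[entry.get("authn", entry.get("both"))][0]
        authz = BACKENDS[entry.get("authz", entry.get("both"))][1]
        chain.append((authn, authz))
    return chain


def login(chain, username, password, vhost):
    """Walk the chain: the first backend that accepts the credentials is
    final, and only its paired authz backend decides vhost access. A refusal
    (unknown user or wrong password alike) moves on to the next backend."""
    for authn, authz in chain:
        if authn(username, password):
            return "ok" if authz(username, vhost) else "vhost refused"
    return "login refused"


if __name__ == "__main__":
    chain = parse_auth_backends(ADVANCED_CONF)
    for user, pw, vhost in [("alice", "ldap-pw-1", "/"), ("alice", "wrong", "/"),
                            ("bob", "ldap-pw-2", "/"), ("svc-monitor", "local-pw", "gw1")]:
        print(user, vhost, "->", login(chain, user, pw, vhost))
```

The bob case shows the operational consequence of a mixed LDAP/internal pair: a valid directory login still ends in "vhost refused" until the account is mirrored into the internal database with permissions. The fallback entry is also why the page warns against leaving passwords on such mirrored accounts: any local password would keep working after the directory account is disabled.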

Authentication Mechanisms

RabbitMQ supports multiple SASL authentication mechanisms. Three are built into the server: PLAIN, AMQPLAIN and RABBIT-CR-DEMO; one more, EXTERNAL, is available as a plugin.

Additional mechanisms can be provided by plugins. See the plugin development guide for more information on plugin development in general.

Built-in Authentication Mechanisms

The built-in mechanisms are:

Mechanism        Description
PLAIN            SASL PLAIN authentication. Enabled by default in the RabbitMQ server and in most clients.
AMQPLAIN         A non-standard variant of PLAIN, retained for compatibility. Enabled by default in the RabbitMQ server.
EXTERNAL         Authentication happens out of band, using a mechanism such as X.509 certificate peer verification, a client IP address range, or similar. Such mechanisms are usually provided by RabbitMQ plugins.
RABBIT-CR-DEMO   A non-standard mechanism that demonstrates challenge-response authentication. Its security is equivalent to PLAIN, and it is not enabled by default in the RabbitMQ server.

Configuring Mechanisms on the Server

The auth_mechanisms configuration key determines which installed mechanisms are offered to connecting clients. Its value is a list of mechanism names, for example the default ['PLAIN', 'AMQPLAIN']. The server-side list is not considered to be in any particular order. See the configuration documentation for details.

Configuring Mechanisms in Clients

Applications must opt in to use an alternative authentication mechanism such as EXTERNAL.

Configuring mechanisms in the Java client

The Java client does not use the javax.security.sasl package by default, because its behaviour is unpredictable on non-Oracle JDKs and it is entirely absent on Android.

Configuring mechanisms in the .NET client

(omitted in this translation)

Configuring mechanisms in the Erlang client

(omitted in this translation)

Authentication Troubleshooting

The server log contains entries for failed authentication attempts:

2019-03-25 12:28:19.047 [info] <0.1613.0> accepting AMQP connection <0.1613.0> (127.0.0.1:63839 -> 127.0.0.1:5672)
2019-03-25 12:28:19.056 [error] <0.1613.0> Error on AMQP connection <0.1613.0> (127.0.0.1:63839 -> 127.0.0.1:5672, state: starting):
PLAIN login refused: user 'user2' - invalid credentials
2019-03-25 12:28:22.057 [info] <0.1613.0> closing AMQP connection <0.1613.0> (127.0.0.1:63839 -> 127.0.0.1:5672)

Connections that fail certificate-based authentication produce different log entries. See the TLS troubleshooting guide.

rabbitmqctl authenticate_user can be used to test username/password authentication:

rabbitmqctl authenticate_user 'a-username' 'a/password'

If authentication succeeds the command exits with code zero. If it fails, the exit code is non-zero and an error message is printed.

rabbitmqctl authenticate_user uses the CLI-to-node internal communication connection to attempt authentication with the given username and password. That connection is assumed to be trusted; if that is not the case, its traffic can be encrypted with TLS.

According to the AMQP 0-9-1 specification, an authentication failure causes the server to close the TCP connection immediately. However, with the authentication failure notification extension to AMQP 0-9-1, RabbitMQ clients can opt in to receive a more specific notification. Modern client libraries support the extension transparently: no configuration is needed, and an authentication failure results in a returned error, an exception, or whatever other means the language or environment uses to report problems.

Authorization Troubleshooting

rabbitmqctl list_permissions can be used to inspect user permissions in a given virtual host:

rabbitmqctl list_permissions --vhost /
# => Listing permissions for vhost "/" ...
# => user    configure   write   read
# => user2   .*  .*  .*
# => guest   .*  .*  .*
# => temp-user   .*  .*  .*

rabbitmqctl list_permissions --vhost gw1
# => Listing permissions for vhost "gw1" ...
# => user    configure   write   read
# => guest   .*  .*  .*
# => user2   ^user2  ^user2  ^user2

The server log contains entries for failed authorization as well. For example, a user that has no permissions at all in a virtual host:

2019-03-25 12:26:16.301 [info] <0.1594.0> accepting AMQP connection <0.1594.0> (127.0.0.1:63793 -> 127.0.0.1:5672)
2019-03-25 12:26:16.309 [error] <0.1594.0> Error on AMQP connection <0.1594.0> (127.0.0.1:63793 -> 127.0.0.1:5672, user: 'user2', state: opening):
access to vhost '/' refused for user 'user2'
2019-03-25 12:26:16.310 [info] <0.1594.0> closing AMQP connection <0.1594.0> (127.0.0.1:63793 -> 127.0.0.1:5672, vhost: 'none', user: 'user2')

Authorization failures (permission violations) are logged too:

2019-03-25 12:30:05.209 [error] <0.1627.0> Channel error on connection <0.1618.0> (127.0.0.1:63881 -> 127.0.0.1:5672, vhost: 'gw1', user: 'user2'), channel 1:
operation queue.declare caused a channel exception access_refused: access to queue 'user3.q1' in vhost 'gw1' refused for user 'user2'

Translated from:

  1. https://www.rabbitmq.com/access-control.html

Origin blog.csdn.net/qq_35958788/article/details/92964579