Merge pull request #8 from rabbitmq/rabbitmq-auth-backend-cache-7

Sysctl config schema
rabbitmq · Feb 9, 2017 · 544e074 · 544e074
2 parents 51ebb92 + cd7931a
commit 544e074
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ It's not an independent auth backend but a caching layer for existing backends
 such as the built-in, [LDAP](github.com/rabbitmq/rabbitmq-auth-backend-ldap), or [HTTP](github.com/rabbitmq/rabbitmq-auth-backend-http)
 ones.
 
-Cache expiration is currently time-based. It is not very useful with the built-in 
+Cache expiration is currently time-based. It is not very useful with the built-in
 (internal) [authn/authz backends](http://rabbitmq.com/access-control.html) but can be very useful for LDAP, HTTP or other backends that
 use network requests.
 
@@ -47,27 +47,43 @@ for the `rabbit` application to include `rabbit_auth_backend_cache`.
 
 So a configuration fragment that enables this plugin *only* would look like:
 
+    auth_backends.1 = cache
+
+Or using the classic config for both parameters:
+
     [{rabbit, [{auth_backends, [rabbit_auth_backend_cache]}]}].
 
 To configure upstream auth backend, you should use `cached_backend` configuration item
 for the `rabbitmq_auth_backend_cache` application.
 
 Configuration that uses LDAP auth backend:
 
+    auth_cache.cached_backend = ldap
+
     [{rabbitmq_auth_backend_cache, [{cached_backend, rabbit_auth_backend_ldap}]}].
 
 It is still possible to [use different backends for authorization and authentication](https://www.rabbitmq.com/access-control.html).
 
 The following example configures plugin to use LDAP backend for authentication
 but internal backend for authorisation:
 
+    auth_cache.cached_backend.authn = ldap
+    auth_cache.cached_backend.authz = internal
+
+Or using the classic config for both parameters:
+
     [{rabbitmq_auth_backend_cache, [{cached_backend, {rabbit_auth_backend_ldap,
                                                       rabbit_auth_backend_internal}}]}].
 
 ## Cache Configuration
 
 You can configure TTL for cache items, by using `cache_ttl` configuration item, specified in **milliseconds**
 
+    auth_cache.cached_backend = ldap
+    auth_cache.cache_ttl = 5000
+
+Or using the classic config for both parameters:
+
     [{rabbitmq_auth_backend_cache, [{cached_backend, rabbit_auth_backend_ldap}
                                     {cache_ttl, 5000}]}].
 
@@ -83,17 +99,28 @@ This repository provides several implementations:
    uses a separate process for garbage collection.
  * `rabbit_auth_cache_ets_segmented_stateless` same as previous, but with minimal use of `gen_server` state, using ets tables to store information about segments.
 
-To specify module for caching you should use `cache_module` configuration item and 
+To specify module for caching you should use `cache_module` configuration item and
 specify start args with `cache_module_args`.
 Start args should be list of arguments passed to module `start_link` function
 
+Cache module can be set via sysctl config format:
+
+    auth_cache.cache_module = rabbit_auth_backend_ets_segmented
+
+Cache module additional arguments can be defined via the classic-style config only:
+
+    [{rabbitmq_auth_backend_cache, [{cache_module_args, [10000]}]}].
+
+The above two snippets used in the classic config format:
+
     [{rabbitmq_auth_backend_cache, [{cache_module, rabbit_auth_backend_ets_segmented},
                                     {cache_module_args, [10000]}]}].
 
-Default values are `rabbit_auth_cache_ets` and `[]`, respectively.
+The default values are `rabbit_auth_cache_ets` and `[]`, respectively.
+
 
 ## License and Copyright
 
-(c) 2016 Pivotal Software Inc.
+(c) 2016-2017 Pivotal Software Inc.
 
 Released under the Mozilla Public License 1.1, same as RabbitMQ.
diff --git a/priv/schema/rabbitmq_auth_backend_cache.schema b/priv/schema/rabbitmq_auth_backend_cache.schema
@@ -0,0 +1,58 @@
+
+%% ==========================================================================
+%% ----------------------------------------------------------------------------
+%% RabbitMQ Authorization cache
+%%
+%% ----------------------------------------------------------------------------
+
+{mapping, "auth_cache.cached_backend", "rabbitmq_auth_backend_cache.cached_backend",[
+    {datatype, atom}
+]}.
+
+{mapping, "auth_cache.cached_backend.authn", "rabbitmq_auth_backend_cache.cached_backend",[
+    {datatype, atom}
+]}.
+
+{mapping, "auth_cache.cached_backend.authz", "rabbitmq_auth_backend_cache.cached_backend",[
+    {datatype, atom}
+]}.
+
+
+{translation, "rabbitmq_auth_backend_cache.cached_backend",
+fun(Conf) ->
+    BackendModule = fun
+        (internal)  -> rabbit_auth_backend_internal;
+        (ldap)      -> rabbit_auth_backend_ldap;
+        (http)      -> rabbit_auth_backend_http;
+        (amqp)      -> rabbit_auth_backend_amqp;
+        (dummy)     -> rabbit_auth_backend_dummy;
+        (undefined) -> undefined;
+        (Other) when is_atom(Other) -> Other;
+        (_) -> cuttlefish:invalid("Unknown/unsupported auth backend")
+    end,
+    AuthN = BackendModule(cuttlefish:conf_get("auth_cache.cached_backend.authn", Conf, undefined)),
+    AuthZ = BackendModule(cuttlefish:conf_get("auth_cache.cached_backend.authz", Conf, undefined)),
+    Common = BackendModule(cuttlefish:conf_get("auth_cache.cached_backend", Conf, undefined)),
+    case {Common, AuthN, AuthZ} of
+        {undefined, V, undefined} when V =/= undefined ->
+            cuttlefish:warn(io_lib:format("Cached authZ backend undefined. Using ~p", [AuthN])),
+            {AuthN, AuthN};
+        {undefined, undefined, V} when V =/= undefined ->
+            cuttlefish:warn(io_lib:format("Cached suthN backend undefined. Using ~p", [AuthZ])),
+            {AuthZ, AuthZ};
+        {V, undefined, undefined} when V =/= undefined ->
+            Common;
+        {undefined, V, V1} when V =/= undefined, V1 =/= undefined ->
+            {AuthN, AuthZ};
+        _ ->
+            cuttlefish:invalid(iolist_to_binary(io_lib:format("Cached auth backend already defined", [])))
+    end
+end}.
+
+{mapping, "auth_cache.cache_ttl", "rabbitmq_auth_backend_cache.cache_ttl", [
+    {datatype, integer}, {validators, ["non_negative_integer"]}
+]}.
+
+{mapping, "auth_cache.cache_module", "rabbitmq_auth_backend_cache.cache_module", [
+    {datatype, atom}
+]}.