Skip to content
This repository has been archived by the owner on Nov 17, 2020. It is now read-only.

Investigate if client ID can be safely propagated to authn backends #139

Closed
michaelklishin opened this issue Jun 7, 2017 · 7 comments
Closed

Investigate if client ID can be safely propagated to authn backends #139

michaelklishin opened this issue Jun 7, 2017 · 7 comments
Assignees
@acogoluegnes
Labels
effort-low enhancement
Milestone
3.7.0

Comments

@michaelklishin
Copy link
Member

See #137 for the idea. This makes sense for some authn backends (e.g. HTTP, possibly LDAP) but not others (e.g. internal database backend won't use the client ID value).

rabbit_authn_backend: user_login_authentication/2 already accepts additional options.

@acogoluegnes may have additional thoughts.
@acogoluegnes
Copy link
Contributor

acogoluegnes commented Jun 21, 2017
edited
Loading

The authentication backends usually extract the credentials from a list of tuples (e.g. in the internal backend). So it should be safe to add an extra client_id tuple.

Unfortunately, the most obvious location to pass in the client ID would be in rabbit_direct (so not just in the MQTT plugin), where the connection info is available (with the MQTT client ID inside it). We could change this call.

@michaelklishin
Copy link
Member Author

@acogoluegnes what if we detect what protocol is used in connect/5 and come up with a convention that retrieves additional arguments from a module in that plugin, e.g. rabbit_mqtt_connection_info, rabbit_stomp_connection_info, etc. This way rabbit_direct would have next to no protocol-specific bits. Connection info modules can return a proplist/map that is merged with the credentials we already pass on.

@acogoluegnes
Copy link
Contributor

@michaelklishin Looks good to me, thanks. Stable or master?

@michaelklishin
Copy link
Member Author

@acogoluegnes master only sounds reasonable to me.

@michaelklishin michaelklishin added this to the 3.7.0 milestone Jun 21, 2017
@michaelklishin
Copy link
Member Author

I should clarify the function in e.g. rabbit_mqtt_connection_info, say, rabbit_mqtt_connection_info:additional_authn_params/N, will accept some or all of the same arguments as connect/5. Providing more context sounds like the right thing to do here.

acogoluegnes added a commit to rabbitmq/rabbitmq-server that referenced this issue Jun 22, 2017
@acogoluegnes
Pass in extra arguments to authentication backend
9b25c14 
Those extra arguments are extracted from an external module,
the convention being "rabbit_%protocol%_connection_info" for the module name.
This allows to pass in plugin-specific authentication arguments,
e.g. client ID in the case of MQTT.

Part of rabbitmq/rabbitmq-mqtt#139
acogoluegnes added a commit that referenced this issue Jun 23, 2017
@acogoluegnes
Propagate client ID to authn with dedicated module
9672371 
Fixes #139
This was referenced Jun 23, 2017
Merged
Merged
@michaelklishin michaelklishin mentioned this issue Jun 27, 2017
Closed
@rasgele
Copy link

rasgele commented Sep 18, 2018
edited
Loading

Requests to my auth backend server's auth/user has this body:
{username: "guest", password: "guest", vhost: "/"}
Although in /auth/topic I receive such body,

{ 
  username: 'guest',
  vhost: '/',
  resource: 'topic',
  name: 'amq.topic',
  permission: 'write',
  routing_key: 'mytenant.agent-00000000.inbox',
  'variable_map.client_id': 'publisherclient-randomid-0',
  'variable_map.username': 'guest',
  'variable_map.vhost': '/' 
}

So it seems extra props(e.g. client_id) is not passed for auth/user endpoint, which is the point of #137 Am I missing smth?

P.S. I run 3.7.6 version( {rabbit,"RabbitMQ","3.7.6"})

@michaelklishin
Copy link
Member Author

michaelklishin commented Sep 18, 2018
edited
Loading

@rasgele please use the mailing list for discussions and provide a way to reproduce. This is not something that's commonly reported.

@rabbitmq rabbitmq locked and limited conversation to collaborators Sep 18, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@acogoluegnes acogoluegnes

Labels
effort-low enhancement
Projects
None yet
Milestone
3.7.0
Development

No branches or pull requests
3 participants
@michaelklishin @acogoluegnes @rasgele