diff options
Diffstat (limited to 'deps/rabbitmq_auth_backend_http/README.md')
-rw-r--r-- | deps/rabbitmq_auth_backend_http/README.md | 170 |
1 files changed, 170 insertions, 0 deletions
diff --git a/deps/rabbitmq_auth_backend_http/README.md b/deps/rabbitmq_auth_backend_http/README.md new file mode 100644 index 0000000000..651e32d7d6 --- /dev/null +++ b/deps/rabbitmq_auth_backend_http/README.md @@ -0,0 +1,170 @@ +# Overview + +This plugin provides the ability for your RabbitMQ server to perform +authentication (determining who can log in) and authorisation +(determining what permissions they have) by making requests to an HTTP +server. + +This plugin can put a significant amount of load on its backing service. +We recommend using it together with [rabbitmq_auth_backend_cache](http://github.com/rabbitmq/rabbitmq-auth-backend-cache) +with a reasonable caching interval (e.g. 1-3 minutes). + + +## Project Maturity + +As of 3.7.0, this plugin is distributed with RabbitMQ. + + +## RabbitMQ Version Requirements + +As of 3.7.0, this plugin is distributed with RabbitMQ. + +As with all [authentication plugins](http://rabbitmq.com/access-control.html), this one requires RabbitMQ server +2.3.1 or later. + +## Using with RabbitMQ 3.6.x + +Install the corresponding .ez files from our +[Community Plugins page](http://www.rabbitmq.com/community-plugins.html). Note that different +releases of this plugin support different versions of RabbitMQ. + +## Enabling the Plugin + +First enable the plugin using `rabbitmq-plugins`: + + rabbitmq-plugins enable rabbitmq_auth_backend_http + + +## Configuring the Plugin + +To use this backend exclusively, use the following snippet in `rabbitmq.conf` (currently +in master) + + auth_backends.1 = http + +Or, in the classic config format (`rabbitmq.config`, prior to 3.7.0) or `advanced.config`: + + [{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}]. + +See [RabbitMQ Configuration guide](http://www.rabbitmq.com/configure.html) and +[Access Control guide](http://rabbitmq.com/access-control.html) for more information. + +You need to configure the plugin to know which URIs to point at +and which HTTP method to use. + +Below is a minimal configuration file example. + +In `rabbitmq.conf`: + + auth_backends.1 = http + auth_http.http_method = post + auth_http.user_path = http://some-server/auth/user + auth_http.vhost_path = http://some-server/auth/vhost + auth_http.resource_path = http://some-server/auth/resource + auth_http.topic_path = http://some-server/auth/topic + +In the [classic config format](http://www.rabbitmq.com/configure.html) (`rabbitmq.config` prior to 3.7.0 or `advanced.config`): + + [ + {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}, + {rabbitmq_auth_backend_http, + [{http_method, post}, + {user_path, "http(s)://some-server/auth/user"}, + {vhost_path, "http(s)://some-server/auth/vhost"}, + {resource_path, "http(s)://some-server/auth/resource"}, + {topic_path, "http(s)://some-server/auth/topic"}]} + ]. + +By default `http_method` configuration is `GET` for backwards compatibility. It's recommended +to use `POST` requests to avoid credentials logging. + +## What Must My Web Server Do? + +This plugin requires that your web server respond to requests in a +certain predefined format. It will make GET (by default) or POST requests +against the URIs listed in the configuration file. It will add query string +(for `GET` requests) or a URL-encoded request body (for `POST` requests) parameters as follows: + +### user_path + +* `username` - the name of the user +* `password` - the password provided (may be missing if e.g. rabbitmq-auth-mechanism-ssl is used) + +### vhost_path + +* `username` - the name of the user +* `vhost` - the name of the virtual host being accessed +* `ip` - the client ip address + +Note that you cannot create arbitrary virtual hosts using this plugin; you can only determine whether your users can see / access the ones that exist. + +### resource_path + +* `username` - the name of the user +* `vhost` - the name of the virtual host containing the resource +* `resource` - the type of resource (`exchange`, `queue`, `topic`) +* `name` - the name of the resource +* `permission` - the access level to the resource (`configure`, `write`, `read`) - see [the Access Control guide](http://www.rabbitmq.com/access-control.html) for their meaning + +### topic_path + +* `username` - the name of the user +* `vhost` - the name of the virtual host containing the resource +* `resource` - the type of resource (`topic` in this case) +* `name` - the name of the exchange +* `permission` - the access level to the resource (`write` or `read`) +* `routing_key` - the routing key of a published message (when the permission is `write`) +or routing key of the queue binding (when the permission is `read`) + +See [topic authorisation](http://www.rabbitmq.com/access-control.html#topic-authorisation) for more information +about topic authorisation. + +Your web server should always return HTTP 200 OK, with a body +containing: + +* `deny` - deny access to the user / vhost / resource +* `allow` - allow access to the user / vhost / resource +* `allow [list of tags]` - (for `user_path` only) - allow access, and mark the user as an having the tags listed + +## Using TLS/HTTPS + +If your Web server uses HTTPS and certificate verification, you need to +configure the plugin to use a CA and client certificate/key pair using the `rabbitmq_auth_backend_http.ssl_options` config variable: + + [ + {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}, + {rabbitmq_auth_backend_http, + [{http_method, post}, + {user_path, "https://some-server/auth/user"}, + {vhost_path, "https://some-server/auth/vhost"}, + {resource_path, "https://some-server/auth/resource"}, + {topic_path, "https://some-server/auth/topic"}, + {ssl_options, + [{cacertfile, "/path/to/cacert.pem"}, + {certfile, "/path/to/client/cert.pem"}, + {keyfile, "/path/to/client/key.pem"}, + {verify, verify_peer}, + {fail_if_no_peer_cert, true}]}]} + ]. + +It is recommended to use TLS for authentication and enable peer verification. + + +## Debugging + +Check the RabbitMQ logs if things don't seem to be working +properly. Look for log messages containing "rabbit_auth_backend_http +failed". + +## Example Apps + +There are [example backend services](./examples) available in Python, PHP, Spring Boot, ASP.NET Web API. + +See [examples README](./examples/README.md) for more information. + +## Building from Source + +You can build and install it like any other plugin (see +[the plugin development guide](http://www.rabbitmq.com/plugin-development.html)). + +This plugin depends on the Erlang client (just to grab a URI parser). |