custom exchange checking auth user

Dmitry Andrianov
Hi.
Can a custom exchange plugin access the record of the user that sent the
message?
When I am dumping (with io:format) what came into the exchange's route
function, I do not see anything that the auth backend's check_login put
into the user it returned.
There is a user id (CN=xxxyyy, because we are using SSL), but not the
extra fields the auth backend put into impl:

    {ok, #user{username     = Username,
               tags         = [],
               auth_backend = ?MODULE,
               impl         = #impl{first_name = list_to_binary(FirstName)}}}

I would like to access that first_name of the user who posted the
message if possible...

Thanks

This email is for the use of the intended recipient(s) only.
If you have received this email in error, please notify the sender immediately and then delete it.
If you are not the intended recipient, you must not use, disclose or distribute this email without the
author's prior permission. AlertMe.com Ltd. is not responsible for any personal views expressed
in this message or any attachments that are those of the individual sender.

AlertMe.com Ltd, 30 Station Road, Cambridge, CB1 2RE, UK.
Registered in England, Company number 578 2908, VAT registration number GB 895 9914 42.


_______________________________________________
rabbitmq-discuss mailing list
[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss

Re: custom exchange checking auth user

Simon MacMullen-2
On 20/06/14 15:21, Dmitry Andrianov wrote:
> can a custom exchange plugin access record of the user that sent the
> message?

It can't, I'm afraid.

What are you trying to do?

Cheers, Simon

--
Simon MacMullen
RabbitMQ, Pivotal

Re: custom exchange checking auth user

Dmitry Andrianov
Uh, oh. You will criticize my idea :)

So there is a custom auth backend that extracts something from the client's
SSL certificate and puts it into the user's impl.
The client is obliged to also provide the same information in AMQP headers.
This is done because our server app also needs that data, and by the time
the message reaches it, there is no SSL anymore.

Since the client may put whatever it likes in the header, I want the
RabbitMQ that accepts the message to do the validation - check that the
value in the header and the value from user.impl (extracted from the SSL
cert) are the same, or reject the message otherwise.

So we do not trust AMQP headers we receive from the client, but we do
trust the SSL certificate, and we do trust AMQP headers after the message
came through the first Rabbit and was verified.


I am also thinking of relaxing the requirement for the client to add
that header in the first place - the custom exchange can add it if it is
missing.
I do understand that it violates the AMQP spec, but it does not look that
serious.

Thanks


On 20/06/14 15:28, Simon MacMullen wrote:

> On 20/06/14 15:21, Dmitry Andrianov wrote:
>> can a custom exchange plugin access record of the user that sent the
>> message?
>
> It can't, I'm afraid.
>
> What are you trying to do?
>
> Cheers, Simon
>

Re: custom exchange checking auth user

Matthias Radestock-3
On 20/06/14 15:45, Dmitry Andrianov wrote:
> So we do not trust AMQP headers we receive from the client but we do
> trust the SSL certificate and we do trust AMQP headers after the message
> came through the first Rabbit and was verified.

Would https://www.rabbitmq.com/validated-user-id.html help, perhaps?

Matthias.

Re: custom exchange checking auth user

Dmitry Andrianov
Matthias,
we are actually using that thing already - the client sets the user ID
property and the server rejects a message if it does not match the actual
auth user.
However, I read it as that setUserId call being optional - it is up to
the client to set it. And if the client does not set it, no validation is
performed.
So how do I prevent messages without a user id from being accepted?
If I need a custom exchange type or exchange decorator - it does not
really make life much easier.

Also, as I said, there was an idea to automatically add a header with
client's IP address to each incoming message.
However after playing with custom exchange, I can see that its route
call is not the place for it anyway, so we are back to square one with
this specific idea.

Thanks


On 20/06/14 23:53, Matthias Radestock wrote:
> On 20/06/14 15:45, Dmitry Andrianov wrote:
>> So we do not trust AMQP headers we receive from the client but we do
>> trust the SSL certificate and we do trust AMQP headers after the message
>> came through the first Rabbit and was verified.
>
> Would https://www.rabbitmq.com/validated-user-id.html help, perhaps?
>
> Matthias.
>

Re: custom exchange checking auth user

Matthias Radestock-3
Dmitry,

On 23/06/14 09:37, Dmitry Andrianov wrote:
> we actually using that thing already - client sets the user ID property
> and server rejects a message if it does not match the actual auth user.
> However, I did read it as that setUserId call being optional - it is up
> to the client to set it. And if client does not set it, no validation is
> performed.
> So how do I prevent messages without an user id from being accepted?

You can't, though your consuming applications could drop such messages.

> If I need a custom exchange type or exchange decorator - it does not
> really makes life much easier.

It would be quite straightforward to write an exchange type or decorator
that drops messages which do not have the user-id header. Or rejects
them with some AMQP error.

That may not be the ideal solution but can be done now, without
requiring any changes to rabbit's APIs.

Matthias.
_______________________________________________
rabbitmq-discuss mailing list has moved to https://groups.google.com/forum/#!forum/rabbitmq-users,
please subscribe to the new list!

[hidden email]
https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
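The exchange type Matthias describes, written out as an added example (this is not code from the thread, nor RabbitMQ's own code). It routes like a fanout exchange but returns no destinations for any message published without the user-id property, so the broker's validated user-id check, which only runs when the property is present, cannot be sidestepped by leaving it out. The module name, the exchange type name `x-require-user-id` and the fanout-style routing are assumptions for the illustration; the callback set is the `rabbit_exchange_type` behaviour of 3.3-era RabbitMQ, so check it against the version you target.

```erlang
%% Added example, not RabbitMQ's own code: an exchange type that refuses to
%% route any message that carries no user-id property. The broker has already
%% verified (validated user-id) that a *present* user-id matches the
%% authenticated user before the message reaches route/2; this plugin closes
%% the remaining gap, where a client simply omits the property.
-module(rabbit_exchange_type_require_user_id).   %% name is an assumption
-include_lib("rabbit_common/include/rabbit.hrl").
-include_lib("rabbit_common/include/rabbit_framing.hrl").

-behaviour(rabbit_exchange_type).

-export([description/0, serialise_events/0, route/2]).
-export([validate/1, validate_binding/2,
         create/2, delete/3, policy_changed/2,
         add_binding/3, remove_bindings/3, assert_args_equivalence/2]).

%% Register the type under an assumed name, the same way the built-in
%% exchange types register themselves.
-rabbit_boot_step({?MODULE,
                   [{description, "exchange type x-require-user-id"},
                    {mfa, {rabbit_registry, register,
                           [exchange, <<"x-require-user-id">>, ?MODULE]}},
                    {requires, rabbit_registry},
                    {enables, kernel_ready}]}).

description() ->
    [{description, <<"Fanout exchange that drops messages without user-id">>}].

serialise_events() -> false.

%% route/2 is the one hook where an exchange type can refuse a message: an
%% empty destination list means the message reaches no queue at all.
route(#exchange{name = Name},
      #delivery{message = #basic_message{content = Content}}) ->
    case user_id(Content) of
        undefined -> [];   %% no user-id property: route nowhere
        _UserId   -> rabbit_router:match_routing_key(Name, ['_'])
    end.

%% Extract the user-id field from the decoded basic properties. The content
%% may still be in its wire form, so decode it first.
user_id(Content) ->
    #content{properties = #'P_basic'{user_id = UserId}} =
        rabbit_binary_parser:ensure_content_decoded(Content),
    UserId.

%% No exchange arguments or binding rules beyond the defaults.
validate(_X) -> ok.
validate_binding(_X, _B) -> ok.
create(_Tx, _X) -> ok.
delete(_Tx, _X, _Bs) -> ok.
policy_changed(_X1, _X2) -> ok.
add_binding(_Tx, _X, _B) -> ok.
remove_bindings(_Tx, _X, _Bs) -> ok.
assert_args_equivalence(X, Args) ->
    rabbit_exchange:assert_args_equivalence(X, Args).
```

A message routed nowhere is silently discarded unless the publisher set the mandatory flag, in which case it is returned with basic.return; so a producer that wants to notice its messages being refused must publish with mandatory set. The combination only holds if every queue the untrusted clients can reach is bound to an exchange of this type; a direct publish to the default exchange would bypass it.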

Re: custom exchange checking auth user

Dmitry Andrianov
Matthias,
we did not want to do that kind of test in the consuming applications
because more consumers can be created later, and copying that kind of
check into each of them is error prone and easily forgotten,
especially by new team members. So we opted for the custom exchange type
that just does not allow these messages into the system. And I do
confirm no API changes were required :) - there are a few examples of
custom exchanges on the internet. My only problem was Erlang :)

While we are there, given that we have our custom exchange - how can we
"enrich" a message with some data like the client's IP?
(I know we are not supposed to touch the message according to the AMQP
standard, but we are not very standard already, given three custom plugins.)

Thank you.

On 26/06/14 18:00, Matthias Radestock wrote:

> Dmitry,
>
> On 23/06/14 09:37, Dmitry Andrianov wrote:
>> we actually using that thing already - client sets the user ID property
>> and server rejects a message if it does not match the actual auth user.
>> However, I did read it as that setUserId call being optional - it is up
>> to the client to set it. And if client does not set it, no validation is
>> performed.
>> So how do I prevent messages without an user id from being accepted?
>
> You can't, though your consuming applications could drop such messages.
>
>> If I need a custom exchange type or exchange decorator - it does not
>> really makes life much easier.
>
> It would be quite straightforward to write an exchange type or
> decorator that drops messages which do not have the user-id header. Or
> rejects them with some amqp error.
>
> That may not be the ideal solution but can be done now, without
> requiring any changes to rabbit's APIs.
>
> Matthias.

Re: custom exchange checking auth user

Matthias Radestock-3
On 26/06/14 18:10, Dmitry Andrianov wrote:
> While we are there given that we have our custom exchange - how can we
> "enrich" a message with some data like client's IP?

You can't. That *would* require changes to APIs. And breaking some
significant assumptions on the way.

Matthias.

Re: custom exchange checking auth user

Dmitry Andrianov
Understood.

One more question: some time ago I was told that either a custom exchange
or a decorator would serve my purpose.
However, while with an exchange, if I return an empty list from the route
callback, no routing happens, the same does not seem to work in a decorator.
Reading the Erlang in rabbit_exchange.erl is very hard for me, so I can be
wrong, but it looks like whatever the decorator returns from route is only
appended to the list of destinations, and the decorator cannot override the
ones selected by the exchange.

Is that correct? What is the correct way to deny processing of a message in
the decorator?

And is there a recommended best practice for what should be used for
validation purposes - a custom exchange or an exchange decorator?

Many thanks.
Dmitry


On 26/06/14 18:13, Matthias Radestock wrote:
> On 26/06/14 18:10, Dmitry Andrianov wrote:
>> While we are there given that we have our custom exchange - how can we
>> "enrich" a message with some data like client's IP?
>
> you can't. That *would* require changes to APIs. And breaking some
> significant assumptions on the way.
>
> Matthias.

Re: custom exchange checking auth user

Simon MacMullen-2
On 01/07/14 14:53, Dmitry Andrianov wrote:
> One more question: some time ago I was told that either custom exchange
> or decorator will both serve for my purpose.
> However while with exchange if I return empty list from route callback,
> no routing happens, the same does not seem to work in decorator.
> Reading Erlang in rabbit_exchange.erl is very hard for me so I can be
> wrong but it looks like whatever decorator returns from route is only
> appended to the list of destinations and decorator cannot override the
> ones selected by exchange.

That's correct.

> Is it correct? What is the correct way to deny processing message in the
> decorator?

You can't - I think at the point we said that we hadn't realised that
was what you wanted to do.

The problem with allowing decorators to modify the existing routes as
provided by the exchange is that it's not very obvious how to combine
them when you have more than one decorator...

Cheers, Simon

--
Simon MacMullen
RabbitMQ, Pivotal