This plugin provides the ability for your RabbitMQ server to perform authentication (determining who can log in) and authorisation (determining what permissions they have) by making requests to an HTTP server.
This plugin can put a significant amount of load on its backing service. We recommend using it together with rabbitmq_auth_backend_cache with a reasonable caching interval (e.g. 1-3 minutes).
As of 3.7.0, this plugin is distributed with RabbitMQ.
As of 3.7.0, this plugin is distributed with RabbitMQ.
As with all authentication plugins, this one requires RabbitMQ server 2.3.1 or later.
Install the corresponding .ez files from our Community Plugins page. Note that different releases of this plugin support different versions of RabbitMQ.
First enable the plugin using rabbitmq-plugins
:
rabbitmq-plugins enable rabbitmq_auth_backend_http
To use this backend exclusively, use the following snippet in rabbitmq.conf
(currently
in master)
auth_backends.1 = http
Or, in the classic config format (rabbitmq.config
, prior to 3.7.0) or advanced.config
:
[{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}].
See RabbitMQ Configuration guide and Access Control guide for more information.
You need to configure the plugin to know which URIs to point at and which HTTP method to use.
Below is a minimal configuration file example.
In rabbitmq.conf
:
auth_backends.1 = http
auth_http.http_method = post
auth_http.user_path = http://some-server/auth/user
auth_http.vhost_path = http://some-server/auth/vhost
auth_http.resource_path = http://some-server/auth/resource
auth_http.topic_path = http://some-server/auth/topic
In the classic config format (rabbitmq.config
prior to 3.7.0 or advanced.config
):
[
{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
{rabbitmq_auth_backend_http,
[{http_method, post},
{user_path, "http(s)://some-server/auth/user"},
{vhost_path, "http(s)://some-server/auth/vhost"},
{resource_path, "http(s)://some-server/auth/resource"},
{topic_path, "http(s)://some-server/auth/topic"}]}
].
By default http_method
configuration is GET
for backwards compatibility. It's recommended
to use POST
requests to avoid credentials logging.
This plugin requires that your web server respond to requests in a
certain predefined format. It will make GET (by default) or POST requests
against the URIs listed in the configuration file. It will add query string
(for GET
requests) or a URL-encoded request body (for POST
requests) parameters as follows:
username
- the name of the userpassword
- the password provided (may be missing if e.g. rabbitmq-auth-mechanism-ssl is used)
username
- the name of the uservhost
- the name of the virtual host being accessedip
- the client ip address
Note that you cannot create arbitrary virtual hosts using this plugin; you can only determine whether your users can see / access the ones that exist.
username
- the name of the uservhost
- the name of the virtual host containing the resourceresource
- the type of resource (exchange
,queue
,topic
)name
- the name of the resourcepermission
- the access level to the resource (configure
,write
,read
) - see the Access Control guide for their meaning
username
- the name of the uservhost
- the name of the virtual host containing the resourceresource
- the type of resource (topic
in this case)name
- the name of the exchangepermission
- the access level to the resource (write
orread
)routing_key
- the routing key of a published message (when the permission iswrite
) or routing key of the queue binding (when the permission isread
)
See topic authorisation for more information about topic authorisation.
Your web server should always return HTTP 200 OK, with a body containing:
deny
- deny access to the user / vhost / resourceallow
- allow access to the user / vhost / resourceallow [list of tags]
- (foruser_path
only) - allow access, and mark the user as an having the tags listed
If your Web server uses HTTPS and certificate verification, you need to
configure the plugin to use a CA and client certificate/key pair using the rabbitmq_auth_backend_http.ssl_options
config variable:
[
{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
{rabbitmq_auth_backend_http,
[{http_method, post},
{user_path, "https://some-server/auth/user"},
{vhost_path, "https://some-server/auth/vhost"},
{resource_path, "https://some-server/auth/resource"},
{topic_path, "https://some-server/auth/topic"},
{ssl_options,
[{cacertfile, "/path/to/cacert.pem"},
{certfile, "/path/to/client/cert.pem"},
{keyfile, "/path/to/client/key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true}]}]}
].
It is recommended to use TLS for authentication and enable peer verification.
Check the RabbitMQ logs if things don't seem to be working properly. Look for log messages containing "rabbit_auth_backend_http failed".
There are example backend services available in Python, PHP, Spring Boot, ASP.NET Web API.
See examples README for more information.
You can build and install it like any other plugin (see the plugin development guide).
This plugin depends on the Erlang client (just to grab a URI parser).