Anyone here used rabbitmq-auth-backend-uaa plugin?

Justin Teaw

Sep 12, 2017, 1:44:08 PM
to rabbitmq-users
I'm trying to get the uaa_jwt plugin that the rabbitmq-auth-backend-uaa plugin depends on.  Not sure where to get that.

Michael Klishin

Sep 12, 2017, 1:49:38 PM
to rabbitm...@googlegroups.com
I will upload two `.ez` files in a bit but there is a reason why this project is listed as experimental and uaa_jwt
wasn't even open source just a few minutes ago: it's not ready for prime time.

Unless you are willing to build it from source, target RabbitMQ 3.7.0 and generally follow its development,
this plugin is not yet ready for you (and potentially never will be).


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Justin Teaw

Sep 12, 2017, 1:55:52 PM
to rabbitm...@googlegroups.com
Thank you.  Perhaps you can recommend another type of authentication and authorization method for rabbit; that would be great.
Right now, we are planning to use the Keycloak OAuth2 server to get the token.  OAuth2 is an open standard and as long as I provide the proper public key for JWT token validation, everything should technically work.




Michael Klishin

Sep 12, 2017, 2:11:19 PM
to rabbitm...@googlegroups.com
I believe this is the complete set of dependencies of rabbitmq-auth-backend-uaa,
targeting RabbitMQ master (and 3.7.0 milestones).

elixir-1.5.1.ez
jose-1.8.4.ez
rabbitmq_auth_backend_uaa-9220c46.ez
uaa_jwt-0.1.0.ez
base64url-0.0.1.ez

Justin Teaw

Sep 12, 2017, 2:12:26 PM
to rabbitm...@googlegroups.com
Thank you very much Michael!


Michael Klishin

Sep 12, 2017, 2:16:29 PM
to rabbitm...@googlegroups.com
Supporting OAuth 2 is more than fetching the token and decoding it.

OAuth 2 uses a different permission set abstraction from RabbitMQ. If we oversimplify, in OAuth 2
permissions are expressed in terms of scopes (labels with very basic hierarchy) but in RabbitMQ it's a completely different story:

So a translation mechanism is necessary and that means an opinionated convention. We have put together something that
we believe is reasonable:

but we cannot ship it because we don't yet know if this idea is not appealing to various teams who maintain UAA, Cloud Foundry, RabbitMQ BOSH release
and so on. Unfortunately getting everyone in the same room to finish this off has been a real struggle for us: it's never a high enough priority.

Feel free to try the plugin but please take it for what it really is: an experiment that was halted because we don't have enough information
to proceed.

Michael Klishin

Sep 12, 2017, 2:18:55 PM
to rabbitmq-users
This should read: "if this idea IS appealing to …"

Justin Teaw

Sep 12, 2017, 2:56:53 PM
to rabbitm...@googlegroups.com
Thank you for your feedback.  Appreciate it!


Alvaro Lopez

Oct 12, 2017, 8:18:56 AM
to rabbitmq-users
Hi, I have included these .ez plugin files in my project, but I am getting an exception when I try to authenticate.


2017-10-12 11:41:39.967 [warning] <0.635.0> closing AMQP connection <0.635.0> (127.0.0.1:51625 -> 127.0.0.1:5672 - connectionFactory#7a083b96:8):
{handshake_error,starting,0,{error,badarg,'connection.start_ok',[{jsx_decoder,number,5,[{file,"src/jsx_decoder.erl"},{line,887}]},{'Elixir.UaaJWT.JWK',make_jwk,1,[{file,"lib/uaa_jwt/jwk.ex"},{line,5}]},{'Elixir.UaaJWT',decode_and_verify,1,[{file,"lib/uaa_jwt.ex"},{line,18}]},{rabbit_auth_backend_uaa,check_token,1,[{file,"src/rabbit_auth_backend_uaa.erl"},{line,97}]},{rabbit_auth_backend_uaa,user_login_authentication,2,[{file,"src/rabbit_auth_backend_uaa.erl"},{line,41}]},{rabbit_access_control,try_authenticate,3,[{file,"src/rabbit_access_control.erl"},{line,88}]},{rabbit_access_control,'-check_user_login/2-fun-0-',4,[{file,"src/rabbit_access_control.erl"},{line,74}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]}]}}

I am using RabbitMQ 3.7RC. Could you tell me which Erlang version I should use? Should I care about the version of anything else?

I installed the 32-bit version of Elixir 1.5.2 on Windows.

Thanks in advance.




Justin Teaw

Oct 12, 2017, 8:35:39 AM
to rabbitm...@googlegroups.com
I've tried it myself with 3.7 and didn't get it to work.  Your best bet is to use the auth_backend_http together with backend_cache.  Pass the token through the username and it should work.  Just note I had some issues passing in tokens with a lot of claims.  I had one token with about 1600 chars and I had an error.

I can tell more details if you want to go this route...probably your ONLY solution if you want to use tokens.


Alvaro Lopez

Oct 12, 2017, 8:51:48 AM
to rabbitmq-users
Is it possible to use auth_backend_http without making requests to the UAA server? (As rabbitmq-auth-backend-uaa does when it works)

I have a UAA working and I would like to not modify it or add new endpoints to this project (I will do it if it is necessary).

Could you show me how the structure of the rabbitmq.config file is in that case?

Thank you very much.

Justin Teaw

Oct 12, 2017, 10:40:01 AM
to rabbitm...@googlegroups.com
It is possible.  You'll need to put the public key for JWT validation in the REST endpoint that you need to implement.  auth_backend_http requires you to set up 4 new REST endpoints.  You can simply embed the public key there.
The downside is that you cannot rotate the private key, which is recommended as a security best practice.  Below is my rabbit config file.

[
 {rabbit,
  %%
  %% Security / AAA
  %% ==============
  %%
  [
   {auth_backends,
    [rabbit_auth_backend_cache, rabbit_auth_backend_internal]
   }
  ]
 },

 %% ----------------------------------------------------------------------------
 %% RabbitMQ rabbit_auth_backend_cache plugin
 %%
 %%
 %% ----------------------------------------------------------------------------

 {rabbitmq_auth_backend_cache,
  [
   {cached_backend, rabbit_auth_backend_http},
   {cache_ttl, 300000}
  ]
 },

 %% ----------------------------------------------------------------------------
 %% RabbitMQ rabbitmq_auth_backend_http plugin
 %%
 %%
 %% ----------------------------------------------------------------------------

 {rabbitmq_auth_backend_http,
  [{http_method,   post},
   {user_path,     "http://localhost:50037/api/user"},
   {vhost_path,    "http://localhost:50037/api/vhost"},
   {resource_path, "http://localhost:50037/api/resource"},
   {topic_path,    "http://localhost:50037/api/topic"}]
 }
].
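
Added example, not part of the thread and not code from any poster or from the RabbitMQ project: a sketch of the decision logic behind the four endpoints in the configuration above, validating the JWT that arrives in the `username` field against a pinned RSA public key and translating scopes into RabbitMQ permissions. Assumptions: the key is supplied as the integers `n` and `e`, the `rabbitmq.<permission>` scope convention is hypothetical, and signature checking is written out with the standard library only so the block runs without dependencies (a maintained JWT library does the same job in a deployment).

```python
import base64, hashlib, json, time
from urllib.parse import parse_qs

# DER DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_jwt(token, n, e, now=None):
    """Return the claims of a valid, unexpired RS256 token, else None.
    (n, e) is the RSA public key pinned in the service."""
    try:
        head, body, sig_b64 = token.split(".")
        if json.loads(b64url(head)).get("alg") != "RS256":
            return None                      # reject "none" and HMAC algorithms
        k = (n.bit_length() + 7) // 8
        sig_bytes = b64url(sig_b64)
        sig = int.from_bytes(sig_bytes, "big")
        if len(sig_bytes) != k or sig >= n:
            return None
        digest = hashlib.sha256(f"{head}.{body}".encode()).digest()
        pad = b"\xff" * (k - 3 - len(SHA256_PREFIX) - len(digest))
        expected = b"\x00\x01" + pad + b"\x00" + SHA256_PREFIX + digest
        if pow(sig, e, n).to_bytes(k, "big") != expected:
            return None
        claims = json.loads(b64url(body))
        current = time.time() if now is None else now
        return claims if claims.get("exp", 0) > current else None
    except (ValueError, TypeError, AttributeError):
        return None

def decide(path, form_body, n, e, now=None):
    """Response body for one rabbitmq_auth_backend_http POST request."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    # The JWT travels in the username field; the password is ignored.
    claims = verify_jwt(form.get("username", ""), n, e, now)
    if claims is None:
        return "deny"
    if path in ("/api/user", "/api/vhost"):
        return "allow"          # simplification: a valid token may use any vhost
    if path in ("/api/resource", "/api/topic"):
        # Assumed convention: scope "rabbitmq.<permission>" grants configure,
        # write or read. Accept a list or a space-separated string of scopes.
        scope = claims.get("scope", [])
        scopes = scope.split() if isinstance(scope, str) else scope
        wanted = "rabbitmq." + form.get("permission", "")
        return "allow" if isinstance(scopes, list) and wanted in scopes else "deny"
    return "deny"
```

With `cache_ttl` set to 300000 ms as in the configuration above, a cached `allow` can outlive the token's `exp` by up to five minutes.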
