rabbitmq-server/deps/rabbitmq_auth_backend_http/README.md

# Overview

This plugin provides the ability for your RabbitMQ server to perform
authentication (determining who can log in) and authorisation
(determining what permissions they have) by making requests to an HTTP
server.

This plugin can put a significant amount of load on its backing service.
We recommend using it together with [rabbitmq_auth_backend_cache](http://github.com/rabbitmq/rabbitmq-auth-backend-cache)
with a reasonable caching interval (e.g. 1-3 minutes).


## Project Maturity

As of 3.7.0, this plugin is distributed with RabbitMQ.


## RabbitMQ Version Requirements

As of 3.7.0, this plugin is distributed with RabbitMQ.

As with all [authentication plugins](http://rabbitmq.com/access-control.html), this one requires RabbitMQ server
2.3.1 or later.

## Using with RabbitMQ 3.6.x

Install the corresponding .ez files from our
[Community Plugins page](http://www.rabbitmq.com/community-plugins.html). Note that different
releases of this plugin support different versions of RabbitMQ.

## Enabling the Plugin

First enable the plugin using `rabbitmq-plugins`:

    rabbitmq-plugins enable rabbitmq_auth_backend_http


## Configuring the Plugin

To use this backend exclusively, use the following snippet in `rabbitmq.conf` (currently
in master)

    auth_backends.1 = http

Or, in the classic config format (`rabbitmq.config`, prior to 3.7.0) or `advanced.config`:

    [{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}].

See [RabbitMQ Configuration guide](http://www.rabbitmq.com/configure.html) and
[Access Control guide](http://rabbitmq.com/access-control.html) for more information.

You need to configure the plugin to know which URIs to point at
and which HTTP method to use.

Below is a minimal configuration file example.

In `rabbitmq.conf`:

    auth_backends.1 = http
    auth_http.http_method   = post
    auth_http.user_path     = http://some-server/auth/user
    auth_http.vhost_path    = http://some-server/auth/vhost
    auth_http.resource_path = http://some-server/auth/resource
    auth_http.topic_path    = http://some-server/auth/topic

In the [classic config format](http://www.rabbitmq.com/configure.html) (`rabbitmq.config` prior to 3.7.0 or `advanced.config`):

    [
      {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
      {rabbitmq_auth_backend_http,
       [{http_method,   post},
        {user_path,     "http(s)://some-server/auth/user"},
        {vhost_path,    "http(s)://some-server/auth/vhost"},
        {resource_path, "http(s)://some-server/auth/resource"},
        {topic_path,    "http(s)://some-server/auth/topic"}]}
    ].

By default `http_method` configuration is `GET` for backwards compatibility. It's recommended
to use `POST` requests to avoid credentials logging.

## What Must My Web Server Do?

This plugin requires that your web server respond to requests in a
certain predefined format. It will make GET (by default) or POST requests
against the URIs listed in the configuration file. It will add query string
(for `GET` requests) or a URL-encoded request body (for `POST` requests) parameters as follows:

### user_path

* `username` - the name of the user
* `password` - the password provided (may be missing if e.g. rabbitmq-auth-mechanism-ssl is used)

### vhost_path

* `username`   - the name of the user
* `vhost`      - the name of the virtual host being accessed
* `ip`         - the client ip address

Note that you cannot create arbitrary virtual hosts using this plugin; you can only determine whether your users can see / access the ones that exist.

### resource_path

* `username`    - the name of the user
* `vhost`       - the name of the virtual host containing the resource
* `resource`    - the type of resource (`exchange`, `queue`, `topic`)
* `name`        - the name of the resource
* `permission`  - the access level to the resource (`configure`, `write`, `read`) - see [the Access Control guide](http://www.rabbitmq.com/access-control.html) for their meaning

### topic_path

* `username`    - the name of the user
* `vhost`       - the name of the virtual host containing the resource
* `resource`    - the type of resource (`topic` in this case)
* `name`        - the name of the exchange
* `permission`  - the access level to the resource (`write` or `read`)
* `routing_key` - the routing key of a published message (when the permission is `write`)
or routing key of the queue binding (when the permission is `read`)

See [topic authorisation](http://www.rabbitmq.com/access-control.html#topic-authorisation) for more information
about topic authorisation.

Your web server should always return HTTP 200 OK, with a body
containing:

* `deny`  - deny access to the user / vhost / resource
* `allow` - allow access to the user / vhost / resource
* `allow [list of tags]` - (for `user_path` only) - allow access, and mark the user as an having the tags listed

## Using TLS/HTTPS

If your Web server uses HTTPS and certificate verification, you need to
configure the plugin to use a CA and client certificate/key pair using the `rabbitmq_auth_backend_http.ssl_options` config variable:

    [
      {rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},
      {rabbitmq_auth_backend_http,
       [{http_method,   post},
        {user_path,     "https://some-server/auth/user"},
        {vhost_path,    "https://some-server/auth/vhost"},
        {resource_path, "https://some-server/auth/resource"},
        {topic_path,    "https://some-server/auth/topic"},
        {ssl_options,
         [{cacertfile, "/path/to/cacert.pem"},
          {certfile,   "/path/to/client/cert.pem"},
          {keyfile,    "/path/to/client/key.pem"},
          {verify,     verify_peer},
          {fail_if_no_peer_cert, true}]}]}
    ].

It is recommended to use TLS for authentication and enable peer verification.


## Debugging

Check the RabbitMQ logs if things don't seem to be working
properly. Look for log messages containing "rabbit_auth_backend_http
failed".

## Example Apps

There are [example backend services](./examples) available in Python, PHP, Spring Boot, ASP.NET Web API.

See [examples README](./examples/README.md) for more information.

## Building from Source

You can build and install it like any other plugin (see
[the plugin development guide](http://www.rabbitmq.com/plugin-development.html)).

This plugin depends on the Erlang client (just to grab a URI parser).
Add a README. 2011-03-25 19:18:40 +08:00			`# Overview`

			`This plugin provides the ability for your RabbitMQ server to perform`
			`authentication (determining who can log in) and authorisation`
			`(determining what permissions they have) by making requests to an HTTP`
			`server.`

Mention that this plugin is distributed with RabbitMQ as of 3.7.0 2017-12-19 19:09:51 +08:00			`This plugin can put a significant amount of load on its backing service.`
			`We recommend using it together with [rabbitmq_auth_backend_cache](http://github.com/rabbitmq/rabbitmq-auth-backend-cache)`
			`with a reasonable caching interval (e.g. 1-3 minutes).`


			`## Project Maturity`

			`As of 3.7.0, this plugin is distributed with RabbitMQ.`


			`## RabbitMQ Version Requirements`

			`As of 3.7.0, this plugin is distributed with RabbitMQ.`

README updates 2016-03-23 16:25:30 +08:00			`As with all [authentication plugins](http://rabbitmq.com/access-control.html), this one requires RabbitMQ server`
Make some things a bit clearer. 2011-03-26 21:04:22 +08:00			`2.3.1 or later.`

Wording (cherry picked from commit c8b1d32ed53a9802e665f98f4fd22a09c952d5ff) 2017-12-23 00:24:50 +08:00			`## Using with RabbitMQ 3.6.x`
Add a link. 2014-04-10 21:33:30 +08:00
De-emphasize "Building from Source" 2017-01-27 20:55:39 +08:00			`Install the corresponding .ez files from our`
Sync README with master 2017-03-18 06:20:37 +08:00			`[Community Plugins page](http://www.rabbitmq.com/community-plugins.html). Note that different`
			`releases of this plugin support different versions of RabbitMQ.`
Yet more readme. 2011-03-25 19:36:41 +08:00
README edits, grammar, formatting 2016-04-28 23:56:24 +08:00			`## Enabling the Plugin`
Add a README. 2011-03-25 19:18:40 +08:00
README edits, references #65 2018-03-19 19:40:38 +08:00			First enable the plugin using `rabbitmq-plugins`:
Add a README. 2011-03-25 19:18:40 +08:00
README edits, references #65 2018-03-19 19:40:38 +08:00			`rabbitmq-plugins enable rabbitmq_auth_backend_http`


			`## Configuring the Plugin`
Add a README. 2011-03-25 19:18:40 +08:00
README updates 2016-03-23 16:25:30 +08:00			To use this backend exclusively, use the following snippet in `rabbitmq.conf` (currently
			`in master)`
sysctl format config in README 2016-02-29 21:12:54 +08:00
			`auth_backends.1 = http`

README updates 2016-03-23 16:25:30 +08:00			Or, in the classic config format (`rabbitmq.config`, prior to 3.7.0) or `advanced.config`:
sysctl format config in README 2016-02-29 21:12:54 +08:00
Add a README. 2011-03-25 19:18:40 +08:00			`[{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]}].`

README edits, references #65 2018-03-19 19:40:38 +08:00			`See [RabbitMQ Configuration guide](http://www.rabbitmq.com/configure.html) and`
			`[Access Control guide](http://rabbitmq.com/access-control.html) for more information.`
Add a README. 2011-03-25 19:18:40 +08:00
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00			`You need to configure the plugin to know which URIs to point at`
			`and which HTTP method to use.`
Add a README. 2011-03-25 19:18:40 +08:00
README updates 2016-03-23 16:25:30 +08:00			`Below is a minimal configuration file example.`
Add a README. 2011-03-25 19:18:40 +08:00
More 3.7.0 README updates (cherry picked from commit 306263adc89a039e1a7f835f2fc80d8301bbff4d) 2017-12-19 20:21:45 +08:00			In `rabbitmq.conf`:
Shorter prefix for configuration keys 2017-02-09 18:55:10 +08:00
Auth backend in config example 2016-03-17 19:36:14 +08:00			`auth_backends.1 = http`
Updated Readme.md to include HTTP Method in conf The rabbitmq.conf section in new format is missing the inclusion of HTTP METHOD due to which it default to a Get call and does not work for controller methods defined for HttpPost . This what most of the examples in the repo outline as well for the AuthBackend. 2019-04-24 19:21:39 +08:00			`auth_http.http_method = post`
Shorter prefix for configuration keys 2017-02-09 18:55:10 +08:00			`auth_http.user_path = http://some-server/auth/user`
			`auth_http.vhost_path = http://some-server/auth/vhost`
			`auth_http.resource_path = http://some-server/auth/resource`
			`auth_http.topic_path = http://some-server/auth/topic`
sysctl format config in README 2016-02-29 21:12:54 +08:00
More 3.7.0 README updates (cherry picked from commit 306263adc89a039e1a7f835f2fc80d8301bbff4d) 2017-12-19 20:21:45 +08:00			In the [classic config format](http://www.rabbitmq.com/configure.html) (`rabbitmq.config` prior to 3.7.0 or `advanced.config`):
sysctl format config in README 2016-02-29 21:12:54 +08:00
Add a README. 2011-03-25 19:18:40 +08:00			`[`
			`{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},`
App name changed. 2011-04-15 22:44:39 +08:00			`{rabbitmq_auth_backend_http,`
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00			`[{http_method, post},`
			`{user_path, "http(s)://some-server/auth/user"},`
			`{vhost_path, "http(s)://some-server/auth/vhost"},`
Implement check_topic_access callback References rabbitmq/rabbitmq-server#505 2016-12-29 15:58:10 +08:00			`{resource_path, "http(s)://some-server/auth/resource"},`
			`{topic_path, "http(s)://some-server/auth/topic"}]}`
Add a README. 2011-03-25 19:18:40 +08:00			`].`

README edits, grammar, formatting 2016-04-28 23:56:24 +08:00			By default `http_method` configuration is `GET` for backwards compatibility. It's recommended
			to use `POST` requests to avoid credentials logging.
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00
README edits, grammar, formatting 2016-04-28 23:56:24 +08:00			`## What Must My Web Server Do?`
Add a README. 2011-03-25 19:18:40 +08:00
More README. 2011-03-25 19:33:28 +08:00			`This plugin requires that your web server respond to requests in a`
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00			`certain predefined format. It will make GET (by default) or POST requests`
			`against the URIs listed in the configuration file. It will add query string`
README edits, grammar, formatting 2016-04-28 23:56:24 +08:00			(for `GET` requests) or a URL-encoded request body (for `POST` requests) parameters as follows:
Add a README. 2011-03-25 19:18:40 +08:00
			`### user_path`

			* `username` - the name of the user
			* `password` - the password provided (may be missing if e.g. rabbitmq-auth-mechanism-ssl is used)

			`### vhost_path`

			* `username` - the name of the user
			* `vhost` - the name of the virtual host being accessed
update README 2016-03-29 17:07:25 +08:00			* `ip` - the client ip address
Add a README. 2011-03-25 19:18:40 +08:00
Add note about vhosts. 2011-04-05 00:35:48 +08:00			`Note that you cannot create arbitrary virtual hosts using this plugin; you can only determine whether your users can see / access the ones that exist.`

Add a README. 2011-03-25 19:18:40 +08:00			`### resource_path`

Support topic authorisation Forward all the options of the resource record to the web server as HTTP parameters. This will then add a routing_key parameter to the resource check request. References rabbitmq/rabbitmq-server#505 2016-12-23 19:27:12 +08:00			* `username` - the name of the user
			* `vhost` - the name of the virtual host containing the resource
			* `resource` - the type of resource (`exchange`, `queue`, `topic`)
			* `name` - the name of the resource
			* `permission` - the access level to the resource (`configure`, `write`, `read`) - see [the Access Control guide](http://www.rabbitmq.com/access-control.html) for their meaning
Implement check_topic_access callback References rabbitmq/rabbitmq-server#505 2016-12-29 15:58:10 +08:00
			`### topic_path`

			* `username` - the name of the user
			* `vhost` - the name of the virtual host containing the resource
			* `resource` - the type of resource (`topic` in this case)
Use exchange when referring to topic authorisation References rabbitmq/rabbitmq-server#505 2017-01-03 19:09:30 +08:00			* `name` - the name of the exchange
Mention topic authorisation for consumption Part of rabbitmq/rabbitmq-server#1085 2017-01-20 16:37:49 +08:00			* `permission` - the access level to the resource (`write` or `read`)
Only document what is actually implemented so far 2017-02-06 06:18:26 +08:00			* `routing_key` - the routing key of a published message (when the permission is `write`)
Wording 2017-02-16 06:56:38 +08:00			or routing key of the queue binding (when the permission is `read`)
Implement check_topic_access callback References rabbitmq/rabbitmq-server#505 2016-12-29 15:58:10 +08:00
			`See [topic authorisation](http://www.rabbitmq.com/access-control.html#topic-authorisation) for more information`
			`about topic authorisation.`
Add a README. 2011-03-25 19:18:40 +08:00
			`Your web server should always return HTTP 200 OK, with a body`
Debitrot: tags not admin flag, simpler vhost permissions. 2011-12-01 19:36:42 +08:00			`containing:`
Add a README. 2011-03-25 19:18:40 +08:00
			* `deny` - deny access to the user / vhost / resource
			* `allow` - allow access to the user / vhost / resource
Debitrot: tags not admin flag, simpler vhost permissions. 2011-12-01 19:36:42 +08:00			* `allow [list of tags]` - (for `user_path` only) - allow access, and mark the user as an having the tags listed
Add a README. 2011-03-25 19:18:40 +08:00
README edits, grammar, formatting 2016-04-28 23:56:24 +08:00			`## Using TLS/HTTPS`
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00
README edits, grammar, formatting 2016-04-28 23:56:24 +08:00			`If your Web server uses HTTPS and certificate verification, you need to`
			configure the plugin to use a CA and client certificate/key pair using the `rabbitmq_auth_backend_http.ssl_options` config variable:
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00
			`[`
			`{rabbit, [{auth_backends, [rabbit_auth_backend_http]}]},`
			`{rabbitmq_auth_backend_http,`
			`[{http_method, post},`
			`{user_path, "https://some-server/auth/user"},`
			`{vhost_path, "https://some-server/auth/vhost"},`
			`{resource_path, "https://some-server/auth/resource"},`
Implement check_topic_access callback References rabbitmq/rabbitmq-server#505 2016-12-29 15:58:10 +08:00			`{topic_path, "https://some-server/auth/topic"},`
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00			`{ssl_options,`
			`[{cacertfile, "/path/to/cacert.pem"},`
			`{certfile, "/path/to/client/cert.pem"},`
			`{keyfile, "/path/to/client/key.pem"},`
			`{verify, verify_peer},`
			`{fail_if_no_peer_cert, true}]}]}`
			`].`

README edits, grammar, formatting 2016-04-28 23:56:24 +08:00			`It is recommended to use TLS for authentication and enable peer verification.`
Describe HTTPS and http_method in readme 2016-04-28 23:43:49 +08:00

README updates 2016-03-23 16:25:30 +08:00			`## Debugging`
Add a README. 2011-03-25 19:18:40 +08:00
More README. 2011-03-25 19:33:28 +08:00			`Check the RabbitMQ logs if things don't seem to be working`
			`properly. Look for log messages containing "rabbit_auth_backend_http`
			`failed".`
Add a README. 2011-03-25 19:18:40 +08:00
Wording, formatting 2017-10-11 04:00:19 +08:00			`## Example Apps`

README updates 2018-04-01 04:51:21 +08:00			`There are [example backend services](./examples) available in Python, PHP, Spring Boot, ASP.NET Web API.`
Add a README. 2011-03-25 19:18:40 +08:00
README updates 2018-04-01 04:51:21 +08:00			`See [examples README](./examples/README.md) for more information.`
De-emphasize "Building from Source" 2017-01-27 20:55:39 +08:00
			`## Building from Source`

			`You can build and install it like any other plugin (see`
			`[the plugin development guide](http://www.rabbitmq.com/plugin-development.html)).`

			`This plugin depends on the Erlang client (just to grab a URI parser).`