merge default into bug24186

This commit is contained in:
Alexandru Scvortov 2011-08-16 14:02:38 +01:00
commit 7b54511464
2 changed files with 28 additions and 21 deletions


@ -5,15 +5,16 @@ Authorisation is effected by three configuration options:
* vhost_access_query * vhost_access_query
* resource_access_query * resource_access_query
* is_admin_query * tag_queries
Each defines a query that will determine whether a user has access to Each defines a query that will determine whether a user has access to
a vhost, a resource (e.g. exchange, queue, binding) or is considered a vhost, a resource (e.g. exchange, queue, binding) or is considered
an administrator. an administrator.
The default values are {constant, true}, {constant, true} and The default values are {constant, true}, {constant, true} and
{constant, false}, granting all users access to all objects in all [{administrator, {constant, false}}] respectively, granting all users
vhosts, but not making them administrators. access to all objects in all vhosts, but not making them
administrators.
A query can be of one of several types: A query can be of one of several types:
@ -57,10 +58,15 @@ The terms configure, write and read for resource access have the same
meanings that they do for the built-in RabbitMQ permissions system, meanings that they do for the built-in RabbitMQ permissions system,
see http://www.rabbitmq.com/admin-guide.html#access-control see http://www.rabbitmq.com/admin-guide.html#access-control
is_admin_query: tag_queries:
${username} ${username}
${user_dn} ${user_dn}
Note that tag_queries consists of a proplist, mapping the name of a
tag to a query to perform to determine whether or not the user has
that tag. You must list queries for all tags that you want your users
to have.
In Group Query In Group Query
-------------- --------------
@ -119,7 +125,7 @@ TODO improve and explain this
{permission, read, {constant, true}} {permission, read, {constant, true}}
]}}, ]}},
{resource, queue, {constant, true}} ]}}, {resource, queue, {constant, true}} ]}},
{is_admin_query, {constant, false}}, {tag_queries, [{administrator, {constant, false}}]},
{use_ssl, false}, {use_ssl, false},
{port, 389}, {port, 389},
{log, false} ] } {log, false} ] }


@ -40,7 +40,7 @@
-include_lib("rabbit_common/include/rabbit_auth_backend_spec.hrl"). -include_lib("rabbit_common/include/rabbit_auth_backend_spec.hrl").
-export([description/0]). -export([description/0]).
-export([check_user_login/2, check_vhost_access/3, check_resource_access/3]). -export([check_user_login/2, check_vhost_access/2, check_resource_access/3]).
-behaviour(gen_server). -behaviour(gen_server).
@ -55,7 +55,7 @@
other_bind, other_bind,
vhost_access_query, vhost_access_query,
resource_access_query, resource_access_query,
is_admin_query, tag_queries,
use_ssl, use_ssl,
log, log,
port }). port }).
@ -81,11 +81,10 @@ check_user_login(Username, AuthProps) ->
exit({unknown_auth_props, Username, AuthProps}). exit({unknown_auth_props, Username, AuthProps}).
check_vhost_access(User = #user{username = Username, check_vhost_access(User = #user{username = Username,
impl = UserDN}, VHost, Permission) -> impl = UserDN}, VHost) ->
gen_server:call(?SERVER, {check_vhost, [{username, Username}, gen_server:call(?SERVER, {check_vhost, [{username, Username},
{user_dn, UserDN}, {user_dn, UserDN},
{vhost, VHost}, {vhost, VHost}], User},
{permission, Permission}], User},
infinity). infinity).
check_resource_access(User = #user{username = Username, impl = UserDN}, check_resource_access(User = #user{username = Username, impl = UserDN},
@ -157,8 +156,10 @@ with_ldap(BindOpts, Fun,
Opts0 = [{ssl, SSL}, {port, Port}], Opts0 = [{ssl, SSL}, {port, Port}],
Opts = case Log of Opts = case Log of
true -> true ->
[{log, fun(1, S, A) -> rabbit_log:warning(S, A); Pre = "LDAP backend: ",
(2, S, A) -> rabbit_log:info (S, A) rabbit_log:info(Pre ++ "connecting to ~p~n", [Servers]),
[{log, fun(1, S, A) -> rabbit_log:warning(Pre ++ S, A);
(2, S, A) -> rabbit_log:info (Pre ++ S, A)
end} | Opts0]; end} | Opts0];
_ -> _ ->
Opts0 Opts0
@ -192,17 +193,17 @@ get_env(F) ->
{ok, V} = application:get_env(F), {ok, V} = application:get_env(F),
V. V.
do_login(Username, LDAP, State = #state{ is_admin_query = IsAdminQuery }) -> do_login(Username, LDAP, State = #state{ tag_queries = TagQueries }) ->
UserDN = username_to_dn(Username, State), UserDN = username_to_dn(Username, State),
User = #user{username = Username, User = #user{username = Username,
auth_backend = ?MODULE, auth_backend = ?MODULE,
impl = UserDN}, impl = UserDN},
case evaluate(IsAdminQuery, [{username, Username}, TagRes = [{Tag, evaluate(Q, [{username, Username},
{user_dn, UserDN}], User, LDAP) of {user_dn, UserDN}], User, LDAP)} ||
{error, _} = E -> {Tag, Q} <- TagQueries],
E; case [E || {_, E = {error, _}} <- TagRes] of
IsAdmin -> [] -> {ok, User#user{tags = [Tag || {Tag, true} <- TagRes]}};
{ok, User#user{is_admin = IsAdmin}} [E | _] -> E
end. end.
username_to_dn(Username, #state{ user_dn_pattern = UserDNPattern }) -> username_to_dn(Username, #state{ user_dn_pattern = UserDNPattern }) ->
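Review bot: In do_login, `[Tag || {Tag, true} <- TagRes]` grants a tag only on an exact `true`, so a tag query that evaluates to any other non-error term (e.g. `false`, or an unexpected value from a misconfigured query) is silently denied with nothing logged, while a single `{error, _}` from any query in tag_queries aborts the whole login. That is a sensible fail-closed default for the `administrator` tag, but it is not visible from the code; add a comment on the comprehension such as `%% A tag is granted only when its query evaluates to exactly true; any other non-error result denies it (fail closed), and the first error in tag_queries order rejects the login.` Since evaluate/4 is outside this hunk, whether it can return non-boolean success values is inferred rather than seen. The README entry for tag_queries (same commit) could state the same fail-closed rule so operators do not mistake a mistyped query for a granted tag.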