Support separate authn and authz backends

Daniil Fedotov 2016-05-17 17:44:20 +01:00
parent 10518c3468
commit 960669c0d9
1 changed files with 19 additions and 7 deletions


@ -26,7 +26,7 @@
%% Implementation of rabbit_auth_backend %% Implementation of rabbit_auth_backend
user_login_authentication(Username, AuthProps) -> user_login_authentication(Username, AuthProps) ->
with_cache({user_login_authentication, [Username, AuthProps]}, with_cache(authn, {user_login_authentication, [Username, AuthProps]},
fun({ok, _}) -> success; fun({ok, _}) -> success;
({refused, _, _}) -> refusal; ({refused, _, _}) -> refusal;
({error, _} = Err) -> Err; ({error, _} = Err) -> Err;
@ -34,7 +34,7 @@ user_login_authentication(Username, AuthProps) ->
end). end).
user_login_authorization(Username) -> user_login_authorization(Username) ->
with_cache({user_login_authorization, [Username]}, with_cache(authz, {user_login_authorization, [Username]},
fun({ok, _}) -> success; fun({ok, _}) -> success;
({ok, _, _}) -> success; ({ok, _, _}) -> success;
({refused, _, _}) -> refusal; ({refused, _, _}) -> refusal;
@ -43,7 +43,7 @@ user_login_authorization(Username) ->
end). end).
check_vhost_access(#auth_user{} = AuthUser, VHostPath, Sock) -> check_vhost_access(#auth_user{} = AuthUser, VHostPath, Sock) ->
with_cache({check_vhost_access, [AuthUser, VHostPath, Sock]}, with_cache(authz, {check_vhost_access, [AuthUser, VHostPath, Sock]},
fun(true) -> success; fun(true) -> success;
(false) -> refusal; (false) -> refusal;
({error, _} = Err) -> Err; ({error, _} = Err) -> Err;
@ -52,22 +52,21 @@ check_vhost_access(#auth_user{} = AuthUser, VHostPath, Sock) ->
check_resource_access(#auth_user{} = AuthUser, check_resource_access(#auth_user{} = AuthUser,
#resource{} = Resource, Permission) -> #resource{} = Resource, Permission) ->
with_cache({check_resource_access, [AuthUser, Resource, Permission]}, with_cache(authz, {check_resource_access, [AuthUser, Resource, Permission]},
fun(true) -> success; fun(true) -> success;
(false) -> refusal; (false) -> refusal;
({error, _} = Err) -> Err; ({error, _} = Err) -> Err;
(_) -> unknown (_) -> unknown
end). end).
with_cache({F, A}, Fun) -> with_cache(BackendType, {F, A}, Fun) ->
{ok, AuthCache} = application:get_env(rabbitmq_auth_backend_cache, {ok, AuthCache} = application:get_env(rabbitmq_auth_backend_cache,
cache_module), cache_module),
case AuthCache:get({F, A}) of case AuthCache:get({F, A}) of
{ok, Result} -> {ok, Result} ->
Result; Result;
{error, not_found} -> {error, not_found} ->
{ok, Backend} = application:get_env(rabbitmq_auth_backend_cache, Backend = get_cached_backend(BackendType),
cached_backend),
{ok, TTL} = application:get_env(rabbitmq_auth_backend_cache, {ok, TTL} = application:get_env(rabbitmq_auth_backend_cache,
cache_ttl), cache_ttl),
BackendResult = apply(Backend, F, A), BackendResult = apply(Backend, F, A),
@ -78,6 +77,19 @@ with_cache({F, A}, Fun) ->
BackendResult BackendResult
end. end.
get_cached_backend(Type) ->
{ok, BackendConfig} = application:get_env(rabbitmq_auth_backend_cache,
cached_backend),
case BackendConfig of
Mod when is_atom(Mod) ->
Mod;
{N, Z} ->
case Type of
authn -> N;
authz -> Z
end
end.
should_cache(Result, Fun) -> should_cache(Result, Fun) ->
{ok, CacheRefusals} = application:get_env(rabbitmq_auth_backend_cache, {ok, CacheRefusals} = application:get_env(rabbitmq_auth_backend_cache,
cache_refusals), cache_refusals),
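Review bot: In the new get_cached_backend/1 (last hunk), the `{N, Z}` clause accepts any 2-tuple, and nothing states which element is the authentication backend and which is the authorization backend. A malformed `cached_backend` value therefore surfaces only on the first cache miss during a login, and a swapped pair could go unnoticed if both modules happen to export the called functions. I would name and guard the pair, `{AuthN, AuthZ} when is_atom(AuthN), is_atom(AuthZ) ->`, and put a comment such as `%% cached_backend is either Module or {AuthNModule, AuthZModule}` above the function. Any other shape still fails with a case_clause, which keeps the failure closed; checking the setting once at application start would surface it earlier, though the startup code is not shown on this page.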