root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'stable' 

Conflicts:
	README.md
This commit is contained in:
Michael Klishin 2017-06-09 20:25:15 +03:00
parent 9dc43b1b82 9468fa0b79
commit c90b7cb353
1 changed files with 51 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
deps/rabbitmq_auth_mechanism_ssl/README.md vendored
View File

@ -1,35 +1,61 @@
# x509 (TLS/SSL) certificate Authentication Mechanism for RabbitMQ
Authenticates the user, obtaining the username from the client's
SSL certificate. The user's password is not checked.
This plugin allows RabbitMQ clients authenticate using x509 certificates
and TLS (PKI) [peer verification mechanism](https://tools.ietf.org/html/rfc5280#section-6)
instead of credentials (username/password pairs).
In order to use this mechanism the client must connect over SSL, and
## How it Works
When a client connects and performs TLS upgrade,
the username is obtained from the client's
TLS (x509) certificate. The user's password is not checked.
In order to use this mechanism the client must connect with TLS enabled, and
present a client certificate.
The mechanism must also be enabled in RabbitMQ's configuration file -
see [TLS Authentication guide](http://www.rabbitmq.com/authentication.html) for more details, or
in short, ensure that the 'rabbit' section of your configuration
contains:
## Usage
This mechanism must also be enabled in RabbitMQ's configuration file,
see [Authentication Mechanisms](http://www.rabbitmq.com/authentication.html) and
[Configuration](http://www.rabbitmq.com/configure.html) guides for
more details.
A couple of examples:
``` erlang
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']}
[
{rabbit, [
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']}
]}
].
```
to allow this mechanism in addition to the defaults, or:
``` erlang
{auth_mechanisms, ['EXTERNAL']}
[
{rabbit, [
{auth_mechanisms, ['EXTERNAL']}
]}
].
```
to allow only this mechanism.
to allow only this mechanism and prohibit connections that use
username and passwords.
For safety the server must be configured with the SSL option 'verify'
set to 'verify_peer', to ensure that if an SSL client presents a
certificate, it gets verified.
By default this will set the username to an RFC4514-ish string form of
### Username Extraction from Certificate
#### Distinguished Name
By default this will set the username to an [RFC 4514](https://tools.ietf.org/html/rfc4514)-ish string form of
the certificate's subject's Distinguished Name, similar to that
produced by OpenSSL's "-nameopt RFC2253" option.
produced by OpenSSL's "-nameopt [RFC 2253"](https://tools.ietf.org/html/rfc2253) option.
You can obtain this string form from a certificate with a command like:
@ -43,20 +69,27 @@ or from an existing amqps connection with commands like:
rabbitmqctl list_connections peer_cert_subject
```
To use the Common Name instead, ensure that the 'rabbit' section of
your configuration contains:
#### Common Name
To use the Common Name instead, set `rabbit.ssl_cert_login_from` to `common_name`:
```
{ssl_cert_login_from, common_name}
[
{rabbit, [
{auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
{ssl_cert_login_from, common_name}
]}
].
```
Note that the authenticated user will then be looked up in the
configured authentication / authorisation backend(s) - this will be
the mnesia-based user database by default, but could include other
[configured authentication / authorisation backend(s)](http://www.rabbitmq.com/access-control.html). This will be
the internal node database by default but could include other
backends if so configured.
## Copyright & License
(c) Pivotal Software Inc., 2007-2016.
(c) Pivotal Software Inc., 2007 — 2017.
Released under the same license as RabbitMQ.