ae77becec7
|
||
|---|---|---|
| .. | ||
| src | ||
| test/src | ||
| .gitignore | ||
| .travis.yml | ||
| Makefile | ||
| README.md | ||
| build.config | ||
| erlang.mk | ||
| rabbitmq-components.mk | ||
README.md
Rabbitmq auth backend to use with Cloud Foundry UAA
Allows to use access tokens provided by CF UAA to authorize in RabbitMQ.
Make requests to /check_token endpoint on UAA server. See https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#id32
Usage
First, enable the plugin. Then, configure access to UAA:
{rabbitmq_auth_backend_uaa,
[{uri, <<"https://your-uaa-server">>},
{username, <<"uaa-client-id">>},
{password, <<"uaa-client-secret">>},
{resource_server_id, <<"your-resource-server-id"}]}
where
your-uaa-serveris a UAA server hostuaa-client-idis a UAA client IDuaa-client-secretis the shared secretyour-resource-server-idis a resource server ID (e.g. 'rabbitmq')
To learn more about UAA/OAuth 2 clients, see UAA docs.
Then you can use access_tokens acquired from UAA as username to authenticate in RabbitMQ.
Scopes
Note: scopes is a subject to change, the current implementation provides limited flexibility.
Current scope format is <vhost>_<kind>_<permission>_<name>, where
<vhost>is resource vhost<kind>:qfor queue,exfor exchange, ortfor topic<permission>is an access permission (configure,read, orwrite)<name>is an exact resource name (no regular expressions are supported)
The scopes implementation is shared with the RabbitMQ OAuth 2.0 backend.
Authorization workflow
Prerequisites
- There should be application client registered on UAA server.
- Client id and secret should be set in plugin env as
usernameandpassword - Client authorities should include
uaa.resource - RabbitMQ auth_backends should include
rabbit_auth_backend_uaa
Authorization
- Client authorize with UAA, requesting
access_token(using any grant type) - Token scope should contain rabbitmq resource scopes (e.g. /_q_configure_foo - configure queue 'foo')
- Client use token as username to connect to RabbitMQ server