Allow the rabbitmq_auth_backend_http plug-in to be used only for user authentication and authorization against the HTTP backend by setting vhost_path, resource_path, and topic_path to 'disabled'

[mqhase]

Proposed Changes

Please describe the big picture of your changes here to communicate to the RabbitMQ team why we should accept this pull request.
If it fixes a bug or resolves a feature request, be sure to link to that issue.

A pull request that doesn't explain why the change was made has a much lower chance of being accepted.

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

• Bug fix (non-breaking change which fixes issue #NNNN)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause an observable behavior change in existing systems)
• Documentation improvements (corrections, new content, etc)
• Cosmetic change (whitespace, formatting, etc)
• Build system and/or CI

Checklist

Put an x in the boxes that apply.
You can also fill these out after creating the PR.
If you're unsure about any of them, don't hesitate to ask on the mailing list.
We're here to help!
This is simply a reminder of what we are going to look for before merging your code.

• I have read the CONTRIBUTING.md document
• I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
• I have added tests that prove my fix is effective or that my feature works
• [] All tests pass locally with my changes
• If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website
• If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution
you did and what alternatives you considered, etc.

[lukebakken]

Hello, would you mind providing a use-case for this change? It's surprising something like this has never been requested in the long history of this project.

[mqhase]

@lukebakken - In our production environment we are using the rabbitmq_auth_backend_http plug-in mainly for user authentication against a custom, central HTTP backend. Once the user is authenticated and authorized, there is theoretically no further need to e.g. authenticate/authorize the bindings and publish requests. Until now we solve(d) this situation by deploying httpd on the same machine returning as static file with content "allow".

But just recently a feature was introduced, which relies on highly per-mutating routing keys and we discovered that rabbitmq_auth_backend_cache isn't of much help in this case, thus we ended up in a situation where or each and every message published resulted in a HTTP request (only to return static allow). This additional HTTP request caused that throughput decreased due to flow control and/or added some additional latency.
And the second motivation is that the need for a local httpd instance (even if only serving static content) introduces another point of failure we'd like to avoid.

Therefore the most performant and reliable solution, from our point of view, is to granularly disable certain backend calls (e.g. only by setting topic_path to disabled) requiring only allow/deny (being fully aware that it's not applicable for user_path as the tag is required).

If this pull request is accepted, in order to backport the solution (actually func bool_req hasn't changed) to e.g. 3.12.x do I need to create another pull request on 3.13.x?

[michaelklishin]

Thank you for taking the time to contribute.

This feature repeats something that's already possible with very little effort. Your backend can return allow for the endpoints you don't want to implement. That's what our example apps do, in fact.

If the intent is to cut down the upstream HTTP service traffic, this plugin should only be used with rabbitmq_auth_backend_cache.