Skip to content

Allow the rabbitmq_auth_backend_http plug-in to be used only for user authentication and authorization against the HTTP backend by setting vhost_path, resource_path, and topic_path to 'disabled' #13573

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
mqhase wants to merge 3 commits into from
Closed

Allow the rabbitmq_auth_backend_http plug-in to be used only for user authentication and authorization against the HTTP backend by setting vhost_path, resource_path, and topic_path to 'disabled' #13573

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cc64318
Allow the rabbitmq_auth_backend_http plug-in to be used only for user…
invalid-email-address Mar 19, 2025
06a91c8
Update README.md
mqhase Mar 19, 2025
a9cff01
Update README.md
mqhase Mar 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion deps/rabbitmq_auth_backend_http/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@ For instance, if the user accessed RabbitMQ via the MQTT protocol, it is expecte
* `vhost`: the name of the virtual host being accessed
* `ip`: the client ip address

Note that you cannot create arbitrary virtual hosts using this plugin; you can only determine whether your users can see / access the ones that exist.
Note that you cannot create arbitrary virtual hosts using this plugin; you can only determine whether your users can see / access the ones that exist. By setting `vhost_path` to `disabled`, this authentication request is skipped, and unrestricted access is granted.

### resource_path

Expand All @@ -105,6 +105,7 @@ Note that you cannot create arbitrary virtual hosts using this plugin; you can o

Note: This request may include additional http request parameters in addition to the ones listed above.
For instance, if the user accessed RabbitMQ via the MQTT protocol, it is expected `client_id` request parameter too.
By setting `resource_path` to `disabled`, this authentication request is skipped, and unrestricted access is granted.

### topic_path

Expand All @@ -116,6 +117,8 @@ For instance, if the user accessed RabbitMQ via the MQTT protocol, it is expecte
* `routing_key`: the routing key of a published message (when the permission is `write`)
or routing key of the queue binding (when the permission is `read`)

Note: By setting `topic_path` to `disabled`, this authentication request is skipped, and unrestricted access is granted.

See [topic authorisation](http://www.rabbitmq.com/access-control.html#topic-authorisation) for more information
about topic authorisation.

Expand Down
15 changes: 11 additions & 4 deletions deps/rabbitmq_auth_backend_http/src/rabbit_auth_backend_http.erl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,10 +148,17 @@ context_as_parameters(_) ->
[].

bool_req(PathName, Props) ->
case http_req(p(PathName), q(Props)) of
"deny" -> false;
"allow" -> true;
E -> E
Authpath = p(PathName),
case Authpath of
"disabled" ->
rabbit_log:debug("auth_backend_http: Skip ~ts!", [PathName]),
true;
_Else ->
case http_req(Authpath, q(Props)) of
"deny" -> false;
"allow" -> true;
E -> E
end
end.

http_req(Path, Query) -> http_req(Path, Query, ?RETRY_ON_KEEPALIVE_CLOSED).
Expand Down
Loading