Hi

On Wed, Jul 8, 2009 at 11:56 AM, Esteve Fernandez <[email protected]> wrote:
> Hi
>
>> It seems like talking about txAMQP+txThrift is all the rage on this
>> mailing list nowadays (and I'm not surprised, it's awesome!), so
>> here's some more :-)
>
> Great to know it's useful for somebody else :-) BTW, this problem would
> probably be best answered in the rabbitmq-discuss mailing list (or any other
> AMQP-related mailing list).

Yeah, I sent it here originally because I didn't think it could be done on the AMQP side of things, and I would need to incorporate authentication inside my Thrift messages instead. I created a new post on rabbitmq-discuss :-)

> Anyway, there are different ways to solve it:
>
> - At the lowest transport level (SSL)
> - At the protocol/transport level (AMQP)
> - At the application level (Thrift)
>
> 1) If you're already using SSL, you can use client certificate
> authentication:
>
> http://www.stunnel.org/examples/client_cert.html
> http://software.wwwi.com/ssl/stunnel.shtml
>
> this basically means that your clients will need to present a valid
> certificate. In an ideal scenario, each client will have a different
> certificate.

Right -- but that only means that known users can (securely) connect to the message broker. As I understand it, my AMQP consumers won't be able to verify anything regarding the certificate used to contact the broker from the producer (mobile client). So I know that the client *is* authenticated, but I still don't know *who* he is (unless I'm getting something terribly wrong here).

> 2) AMQP supports basic authentication (username/password), just create
> different users for every client. The problem is that, in contrast to SSL,
> traffic is unencrypted, so you'll only get authentication.

I could combine 1 and 2 and use RabbitMQ vhosts (one for each user and consumer). This isn't perfect; I have posted about it on the RabbitMQ mailing list.

> 3) Use what JP described, it's feasible, but it requires you to figure out an
> authentication scheme. It depends on how you design your application, and if
> it requests credentials. Keep in mind that AMQP should not be exposed to the
> internet directly unless you add permissions to the AMQP resources. RabbitMQ
> recently introduced support for access control in the 1.6.0 release:
>
> http://www.rabbitmq.com/admin-guide.html#access-control

Cheers,
Laurens
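The gap Laurens describes is that a TLS client certificate or an AMQP login authenticates the producer to the broker, but a consumer reading from a queue sees only the message body and cannot tell which client produced it. Option 3 in the thread (application-level authentication, what JP described) closes that gap by binding the producer's identity to each message. The following is an added example, not code from the thread, txAMQP or txThrift: it assumes a per-client shared secret distributed at enrollment (the CLIENT_KEYS table, envelope field names, client identifiers, and the freshness window are all constructed for illustration) and treats the Thrift-serialized body as opaque bytes. The producer wraps the body in an envelope carrying its client id, a timestamp, a nonce and an HMAC-SHA256 tag; the consumer looks up the key for the claimed identity, verifies the tag in constant time, and rejects stale, replayed, malformed or impersonated envelopes.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample keys: one secret per mobile client, issued at enrollment.
# The consumer holds the same table (or a lookup service); the broker never needs it.
CLIENT_KEYS = {
    "mobile-client-0001": bytes.fromhex("00" * 32),
    "mobile-client-0002": bytes.fromhex("ff" * 32),
}

MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamp check


def _mac(key, client_id, timestamp, nonce, payload):
    # Bind identity, time, nonce and the payload length into the MAC input so no
    # field can be swapped, moved or truncated without invalidating the tag.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in (client_id.encode(), str(timestamp).encode(), nonce.encode(),
                 str(len(payload)).encode()):
        h.update(part)
        h.update(b"|")
    h.update(payload)
    return h.hexdigest()


def seal(client_id, payload, key, now=None, nonce=None):
    """Producer side: wrap an opaque payload (e.g. serialized Thrift bytes) in an authenticated envelope."""
    timestamp = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    return json.dumps({
        "client_id": client_id,
        "ts": timestamp,
        "nonce": nonce,
        "payload": payload.hex(),
        "mac": _mac(key, client_id, timestamp, nonce, payload),
    }).encode()


class Verifier:
    """Consumer side: authenticates envelopes and recovers (client_id, payload)."""

    def __init__(self, keys, max_skew=MAX_SKEW_SECONDS):
        self.keys = keys
        self.max_skew = max_skew
        self.seen = set()  # (client_id, nonce) replay cache; use a bounded/expiring store in production

    def open(self, envelope, now=None):
        now = time.time() if now is None else now
        try:
            env = json.loads(envelope.decode())
            client_id = str(env["client_id"])
            ts = int(env["ts"])
            nonce = str(env["nonce"])
            payload = bytes.fromhex(env["payload"])
            tag = str(env["mac"])
        except (ValueError, KeyError, TypeError, UnicodeDecodeError) as exc:
            raise ValueError("malformed envelope") from exc
        key = self.keys.get(client_id)
        if key is None:
            raise ValueError("unknown client")
        # Verify the tag before trusting any other field; constant-time compare.
        if not hmac.compare_digest(_mac(key, client_id, ts, nonce, payload), tag):
            raise ValueError("bad MAC")
        if abs(now - ts) > self.max_skew:
            raise ValueError("stale envelope")
        if (client_id, nonce) in self.seen:
            raise ValueError("replayed envelope")
        self.seen.add((client_id, nonce))
        return client_id, payload

    def status(self, envelope, now=None):
        """Same as open(), but returns 'ok' or the rejection reason instead of raising."""
        try:
            self.open(envelope, now=now)
            return "ok"
        except ValueError as exc:
            return str(exc)


def demo():
    """Walk through the cases a consumer must handle; returns case -> status."""
    verifier = Verifier(CLIENT_KEYS)
    key1, key2 = CLIENT_KEYS["mobile-client-0001"], CLIENT_KEYS["mobile-client-0002"]
    payload = b"\x80\x01\x00\x01"  # constructed stand-in for Thrift-serialized bytes
    t0 = 1_700_000_000
    genuine = seal("mobile-client-0001", payload, key1, now=t0, nonce="n-1")
    # A legitimately enrolled client 0002 claiming to be 0001 with its own key.
    impersonation = seal("mobile-client-0001", payload, key2, now=t0, nonce="n-2")
    unknown = seal("mobile-client-9999", payload, key1, now=t0, nonce="n-3")
    old = seal("mobile-client-0002", payload, key2, now=t0, nonce="n-4")
    return {
        "genuine": verifier.status(genuine, now=t0 + 10),
        "replay": verifier.status(genuine, now=t0 + 11),
        "impersonation": verifier.status(impersonation, now=t0 + 10),
        "unknown_client": verifier.status(unknown, now=t0 + 10),
        "stale": verifier.status(old, now=t0 + 400),
        "garbage": verifier.status(b"not json", now=t0 + 10),
    }
```

Because the key is looked up from the identity the envelope claims, an enrolled client cannot relabel its messages as another client's: the tag it can compute never matches the key the consumer selects. The envelope adds nothing the broker has to understand, so it composes with TLS client certificates at the stunnel layer and per-user AMQP credentials and vhosts at the broker, which remain the right place to keep unauthorised clients off the exchange in the first place.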
