-
Notifications
You must be signed in to change notification settings - Fork 720
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update documentation to cover both new and classic config formats #161
Changes from 69 commits
759428a
0ec16ca
c73b7dc
2f18ec7
60d1951
cd5c2c5
c85b4ea
676fa0b
cf2dd47
16e12f5
add0599
a51a165
566effe
4f36511
ddafe06
d44de21
c67415f
cb05190
47bd4bf
4f731d4
000c9d8
63942f1
d93b647
104ec15
46a4fd2
bb23d59
e6b2fc1
8704d52
34abcb7
b7675ab
7a47fa4
bfba1ab
7244dc4
420bca4
7dedb29
dc03631
f49f77e
8f1d5b0
61f6a67
441e093
2f1604f
2013fd3
4cfa70d
429ed9d
4ea222a
64835e0
0f4684a
47dada7
70fa365
6305fed
5663e23
631afea
8d2bf01
0ad7d9e
2c166cd
e49c113
bfa6795
4bc4b49
e53ddf1
780da90
b7e41f4
4c4308d
a1ffa26
0612d4c
db86187
0a5cb95
0471c3e
7f2e443
f6c1aaa
ef16c8d
1a06ba5
2ae238a
e3e1f0e
8d41d85
4f54fc8
f63e2af
d170d88
84af7f3
d92f404
c697128
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -80,7 +80,7 @@ limitations under the License. | |
By default, the <code>guest</code> user is prohibited from | ||
connecting to the broker remotely; it can only connect over | ||
a loopback interface (i.e. <code>localhost</code>). This | ||
applies both to AMQP and to any other protocols enabled via | ||
applies both to AMQP 0-9-1 and to any other protocols enabled via | ||
plugins. Any other users you create will not (by default) be | ||
restricted in this way. | ||
</p> | ||
|
@@ -92,10 +92,16 @@ limitations under the License. | |
<p> | ||
If you wish to allow the <code>guest</code> user to connect | ||
from a remote host, you should set the | ||
<code>loopback_users</code> configuration item to | ||
<code>[]</code>. A complete <code>rabbitmq.config</code> | ||
<code>loopback_users</code> configuration to | ||
<code>none</code>. A complete <a href="/configure.html">RabbitMQ config file</a> | ||
which does this would look like: | ||
</p> | ||
<pre class="sourcecode"> | ||
loopback_users = none | ||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config file format</a> (<code>rabbitmq.config</code>): | ||
|
||
<pre class="sourcecode"> | ||
[{rabbit, [{loopback_users, []}]}].</pre> | ||
</doc:section> | ||
|
@@ -254,14 +260,14 @@ limitations under the License. | |
IP range one</a>, only provide an authorisation backend. Authentication | ||
is supposed to be handled by the internal database, LDAP, etc. | ||
</p> | ||
|
||
<doc:subsection name="combined-backends"> | ||
<doc:heading>Combining Backends</doc:heading> | ||
|
||
<p> | ||
It is possible to use multiple backends for | ||
<code>authn</code> or <code>authz</code> using the | ||
<code>rabbit.auth_backends</code> configuration key. When | ||
<code>auth_backends</code> configuration key. When | ||
several authentication backends are used then the first | ||
positive result returned by a backend in the chain is | ||
considered to be final. This should not be confused with | ||
|
@@ -273,19 +279,53 @@ limitations under the License. | |
The following example configures RabbitMQ to use the internal backend | ||
only (and is the default): | ||
</p> | ||
|
||
|
||
<pre class="example"> | ||
# rabbitmq.conf | ||
# | ||
# 1 here is a backend name. It can be anything. | ||
# Since we only really care about backend | ||
# ordering, we use numbers throughout this guide. | ||
# | ||
# "internal" is an alias for rabbit_auth_backend_internal | ||
auth_backends.1 = internal | ||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>: | ||
|
||
<pre class="example"> | ||
[{rabbit, [ | ||
{auth_backends, [rabbit_auth_backend_internal]} | ||
] | ||
}]. | ||
</pre> | ||
|
||
<p> | ||
The example above uses an alias, <code>internal</code> for <code>rabbit_auth_backend_internal</code>. | ||
The following aliases are available: | ||
|
||
<ul> | ||
<li><code>internal</code> for <code>rabbit_auth_backend_internal</code></li> | ||
<li><code>ldap</code> for <code>rabbit_auth_backend_ldap</code> (from the <a href="/ldap.html">LDAP plugin</a>)</li> | ||
<li><code>http</code> for <code>rabbit_auth_backend_http</code> (from the <a href="https://github.com/rabbitmq/rabbitmq-auth-backend-http">HTTP auth backend plugin</a>)</li> | ||
<li><code>amqp</code> for <code>rabbit_auth_backend_amqp</code> (from the <a href="https://github.com/rabbitmq/rabbitmq-auth-backend-amqp">AMQP 0-9-1 auth backend plugin</a>)</li> | ||
<li><code>dummy</code> for <code>rabbit_auth_backend_dummy</code></li> | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How are aliases managed? Is it a hard-coded list? Or does RabbitMQ try to use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. A hard-coded list. |
||
</ul> | ||
|
||
When using third party plugins, providing a full module name is necessary. | ||
</p> | ||
|
||
<p> | ||
The following example configures RabbitMQ to use the <a href="/ldap.html">LDAP backend</a> | ||
for both authentication and authorisation. Internal database will not be consulted: | ||
</p> | ||
|
||
|
||
<pre class="example"> | ||
auth_backends.1 = ldap | ||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>: | ||
|
||
<pre class="example"> | ||
[{rabbit, [ | ||
{auth_backends, [rabbit_auth_backend_ldap]} | ||
|
@@ -297,18 +337,42 @@ limitations under the License. | |
This will check LDAP first, and then fall back to the internal | ||
database if the user cannot be authenticated through LDAP: | ||
</p> | ||
|
||
<pre class="example"> | ||
auth_backends.1 = ldap | ||
auth_backends.2 = internal | ||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>: | ||
|
||
<pre class="example"> | ||
[{rabbit, [ | ||
{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]} | ||
] | ||
}]. | ||
</pre> | ||
|
||
<p> | ||
Same as above but will fall back to the <a | ||
href="https://github.com/rabbitmq/rabbitmq-auth-backend-http">HTTP backend</a> | ||
instead: | ||
</p> | ||
|
||
<pre class="example"> | ||
# rabbitmq.conf | ||
# | ||
auth_backends.1 = ldap | ||
# uses module name instead of a short alias, "http" | ||
auth_backends.2 = rabbit_auth_backend_http | ||
|
||
# See HTTP backend docs for details | ||
http.user_path = http://my-authenticator-app/auth/user | ||
http.vhost_path = http://my-authenticator-app/auth/vhost | ||
http.resource_path = http://my-authenticator-app/auth/resource | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I find the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I agree. Perhaps we should use module names instead (and not only in the docs). There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
About aliases in eg. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Unfortunately if we go with module names in some places but not others, it will be more confusing than using just module names. Which is what we will do now. |
||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>: | ||
|
||
<pre class="example"> | ||
[{rabbit, [ | ||
{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_http]} | ||
|
@@ -319,16 +383,25 @@ limitations under the License. | |
[{user_path, "http://my-authenticator-app/auth/user"}, | ||
{vhost_path, "http://my-authenticator-app/auth/vhost"}, | ||
{resource_path, "http://my-authenticator-app/auth/resource"}]}]. | ||
</pre> | ||
|
||
</pre> | ||
|
||
<p> | ||
The following example configures RabbitMQ to use internal | ||
database for authentication and <a | ||
href="https://github.com/gotthardp/rabbitmq-auth-backend-ip-range">source | ||
IP range backend</a> for authorisation: | ||
</p> | ||
|
||
|
||
<pre class="example"> | ||
# rabbitmq.conf | ||
# | ||
auth_backends.1.authn = internal | ||
# uses module name because this backend is from a 3rd party | ||
auth_backends.1.authz = rabbit_auth_backend_ip_range | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't know enough how authentication and authorization are handled by RabbitMQ but this configuration parameters look reversed. I would expect something like:
In other words: RabbitMQ checks authentication first using the listed modules, then it checks authorization using another set of modules. Of course, correct me if my understanding of RabbitMQ internals is wrong. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>: | ||
|
||
<pre class="example"> | ||
[{rabbit, [ | ||
{auth_backends, [{rabbit_auth_backend_internal, rabbit_auth_backend_ip_range}]} | ||
|
@@ -341,6 +414,16 @@ limitations under the License. | |
The following example configures RabbitMQ to use <a href="/ldap.html">LDAP backend</a> | ||
for authentication and but internal backend for authorisation: | ||
</p> | ||
|
||
<pre class="example"> | ||
# rabbitmq.conf | ||
# | ||
auth_backends.1.authn = ldap | ||
auth_backends.1.authz = internal | ||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>: | ||
|
||
<pre class="example"> | ||
[{rabbit, [ | ||
{auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}] | ||
|
@@ -357,17 +440,23 @@ limitations under the License. | |
a second attempt is made using only the internal database: | ||
</p> | ||
|
||
<pre class="example"> | ||
# rabbitmq.conf | ||
# | ||
auth_backends.1.authn = ldap | ||
auth_backends.1.authz = internal | ||
auth_backends.2 = internal | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ok, so disregard my previous comment, because authentication and authorization backends are organized as pairs. Sorry for the noise! |
||
</pre> | ||
|
||
Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>: | ||
|
||
<pre class="example"> | ||
[{rabbit, [ | ||
{auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}, | ||
rabbit_auth_backend_internal] | ||
rabbit_auth_backend_internal]} | ||
] | ||
}]. | ||
</pre> | ||
</doc:subsection> | ||
|
||
<doc:subsection name=""> | ||
<doc:heading></doc:heading> | ||
</pre> | ||
</doc:subsection> | ||
</doc:section> | ||
</body> | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would use "legacy" instead of "classic" to designate the old file formar.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We still support this format, and it is still used in the advanced config. It would be odd to call something legacy and then use it for both backwards compatibility and advanced cases.