Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update documentation to cover both new and classic config formats #161

Merged
merged 80 commits into from
Mar 23, 2016
Merged

Update documentation to cover both new and classic config formats #161

Show file tree
Hide file tree
Changes from 69 commits
Commits
Show all changes
80 commits
Select commit Hold shift + click to select a range
759428a
Clean up some links that are several years old
michaelklishin Feb 24, 2016
0ec16ca
Update the Configuration guide to cover the sysctl format
michaelklishin Feb 24, 2016
c73b7dc
Refer to advanced.config
michaelklishin Feb 24, 2016
2f18ec7
Access Control guide examples in two config formats
michaelklishin Feb 24, 2016
60d1951
Merge branch 'master' into rabbitmq-server-550
michaelklishin Feb 24, 2016
cd5c2c5
Add sysctl format examples
michaelklishin Feb 24, 2016
c85b4ea
List known aliases
michaelklishin Feb 24, 2016
676fa0b
Porting configuration options to the sysctl format
michaelklishin Feb 26, 2016
cf2dd47
Mention both relative and absolute values for limits
michaelklishin Feb 26, 2016
16e12f5
Typos
michaelklishin Feb 26, 2016
add0599
Typo
michaelklishin Feb 26, 2016
a51a165
Typo
michaelklishin Feb 26, 2016
566effe
Wording
michaelklishin Feb 26, 2016
4f36511
Http backend config. "none" format for loopback users
Feb 29, 2016
ddafe06
New config format for partition handling
Feb 29, 2016
d44de21
sysctl config for ldap plugin
Feb 29, 2016
c67415f
sysctl format for management plugin
Feb 29, 2016
cb05190
Duplicate config examples
Feb 29, 2016
47bd4bf
Networking manual sysctl config
Feb 29, 2016
4f731d4
SSL and password hashing sysctl config
Feb 29, 2016
000c9d8
STOMP sysctl config
Feb 29, 2016
63942f1
sysctl config for web dispatch page
Mar 1, 2016
d93b647
Grammar
michaelklishin Mar 1, 2016
104ec15
Typo
michaelklishin Mar 1, 2016
46a4fd2
sysctl config for disk alarms
Mar 1, 2016
bb23d59
schema doc in plugin example
Mar 1, 2016
e6b2fc1
mention advanced.config in shovel doc
Mar 1, 2016
8704d52
Merge branch 'master' into rabbitmq-server-550
michaelklishin Mar 2, 2016
34abcb7
More sysctl config examples
Mar 4, 2016
b7675ab
Documentation config fixes
Mar 4, 2016
7a47fa4
config snippets testing fixes
Mar 4, 2016
bfba1ab
rabbitmq.config => rabbitmq.conf/advanced.config in a few more places
michaelklishin Mar 16, 2016
7244dc4
Merge branch 'master' into rabbitmq-server-550
michaelklishin Mar 16, 2016
420bca4
Move an example
michaelklishin Mar 17, 2016
7dedb29
List RABBITMQ_CONFIG_FILE and RABBITMQ_ADVANCED_CONFIG_FILE in the en…
michaelklishin Mar 17, 2016
dc03631
Mention RABBITMQ_ADVANCED_CONFIG_FILE in more places
michaelklishin Mar 17, 2016
f49f77e
typo
michaelklishin Mar 17, 2016
8f1d5b0
Document RABBITMQ_ENV_CONF_FILE and that it's now supported on Windows
michaelklishin Mar 17, 2016
61f6a67
Coonfig variables default values
Mar 17, 2016
441e093
Configuration guide edits
michaelklishin Mar 17, 2016
2f1604f
Use distinct section ids
michaelklishin Mar 17, 2016
2013fd3
Ldap example config file explanation
Mar 17, 2016
4cfa70d
Link to classic config format
Mar 17, 2016
429ed9d
RABBITMQ_CONF_ENV_FILE filename for windows
Mar 17, 2016
4ea222a
LDAP guide edits
michaelklishin Mar 17, 2016
64835e0
Cosmetics
michaelklishin Mar 17, 2016
0f4684a
TLS guide edits
michaelklishin Mar 17, 2016
47dada7
TLS guide edits
michaelklishin Mar 17, 2016
70fa365
whitespace
michaelklishin Mar 17, 2016
6305fed
Networking guide edits
michaelklishin Mar 17, 2016
5663e23
Link to the classic config format
michaelklishin Mar 17, 2016
631afea
Rearrange config-related subsections
michaelklishin Mar 17, 2016
8d2bf01
Management guide edits
michaelklishin Mar 17, 2016
0ad7d9e
Cosmetics
michaelklishin Mar 17, 2016
2c166cd
Ditto
michaelklishin Mar 17, 2016
e49c113
Cosmetics
michaelklishin Mar 17, 2016
bfa6795
More specific links
michaelklishin Mar 17, 2016
4bc4b49
Link to specific configuration guide sections
michaelklishin Mar 17, 2016
e53ddf1
Not to be confused with Homebrew the OS X package manager
michaelklishin Mar 17, 2016
780da90
MQTT guide edits
michaelklishin Mar 17, 2016
b7e41f4
Plugin Development guide edits
michaelklishin Mar 17, 2016
4c4308d
STOMP guide edits
michaelklishin Mar 17, 2016
a1ffa26
Web Dispatch guide edits
michaelklishin Mar 17, 2016
0612d4c
Web STOMP guide edits (cosmetics)
michaelklishin Mar 17, 2016
db86187
Partitions guide edits (cosmetics)
michaelklishin Mar 17, 2016
0a5cb95
Static Shovels guide edits (cosmetics)
michaelklishin Mar 17, 2016
0471c3e
Make listeners.ssl.default a bit more prominent
michaelklishin Mar 17, 2016
7f2e443
Clarify
michaelklishin Mar 18, 2016
f6c1aaa
Clarify
michaelklishin Mar 18, 2016
ef16c8d
Cosmetic changes
bdshroyer Mar 21, 2016
1a06ba5
Enquote IPv6 address in this example
michaelklishin Mar 22, 2016
2ae238a
Trailing ws
michaelklishin Mar 22, 2016
e3e1f0e
b => strong
michaelklishin Mar 22, 2016
8d41d85
Correct verb ending
michaelklishin Mar 22, 2016
4f54fc8
Wording
michaelklishin Mar 22, 2016
f63e2af
Revert "Enquote IPv6 address in this example"
michaelklishin Mar 22, 2016
d170d88
Sync with recent schema changes
michaelklishin Mar 23, 2016
84af7f3
Cosmetic edits to Disk Alarms page
bdshroyer Mar 23, 2016
d92f404
Sysctl config examples for web-stomp
Mar 23, 2016
c697128
removed _config suffix for web_stomp config
Mar 23, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 106 additions & 17 deletions site/access-control.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,7 @@ limitations under the License.
By default, the <code>guest</code> user is prohibited from
connecting to the broker remotely; it can only connect over
a loopback interface (i.e. <code>localhost</code>). This
applies both to AMQP and to any other protocols enabled via
applies both to AMQP 0-9-1 and to any other protocols enabled via
plugins. Any other users you create will not (by default) be
restricted in this way.
</p>
Expand All @@ -92,10 +92,16 @@ limitations under the License.
<p>
If you wish to allow the <code>guest</code> user to connect
from a remote host, you should set the
<code>loopback_users</code> configuration item to
<code>[]</code>. A complete <code>rabbitmq.config</code>
<code>loopback_users</code> configuration to
<code>none</code>. A complete <a href="/configure.html">RabbitMQ config file</a>
which does this would look like:
</p>
<pre class="sourcecode">
loopback_users = none
</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config file format</a> (<code>rabbitmq.config</code>):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would use "legacy" instead of "classic" to designate the old file formar.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still support this format, and it is still used in the advanced config. It would be odd to call something legacy and then use it for both backwards compatibility and advanced cases.


<pre class="sourcecode">
[{rabbit, [{loopback_users, []}]}].</pre>
</doc:section>
Expand Down Expand Up @@ -254,14 +260,14 @@ limitations under the License.
IP range one</a>, only provide an authorisation backend. Authentication
is supposed to be handled by the internal database, LDAP, etc.
</p>

<doc:subsection name="combined-backends">
<doc:heading>Combining Backends</doc:heading>

<p>
It is possible to use multiple backends for
<code>authn</code> or <code>authz</code> using the
<code>rabbit.auth_backends</code> configuration key. When
<code>auth_backends</code> configuration key. When
several authentication backends are used then the first
positive result returned by a backend in the chain is
considered to be final. This should not be confused with
Expand All @@ -273,19 +279,53 @@ limitations under the License.
The following example configures RabbitMQ to use the internal backend
only (and is the default):
</p>


<pre class="example">
# rabbitmq.conf
#
# 1 here is a backend name. It can be anything.
# Since we only really care about backend
# ordering, we use numbers throughout this guide.
#
# "internal" is an alias for rabbit_auth_backend_internal
auth_backends.1 = internal
</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>:

<pre class="example">
[{rabbit, [
{auth_backends, [rabbit_auth_backend_internal]}
]
}].
</pre>

<p>
The example above uses an alias, <code>internal</code> for <code>rabbit_auth_backend_internal</code>.
The following aliases are available:

<ul>
<li><code>internal</code> for <code>rabbit_auth_backend_internal</code></li>
<li><code>ldap</code> for <code>rabbit_auth_backend_ldap</code> (from the <a href="/ldap.html">LDAP plugin</a>)</li>
<li><code>http</code> for <code>rabbit_auth_backend_http</code> (from the <a href="https://github.com/rabbitmq/rabbitmq-auth-backend-http">HTTP auth backend plugin</a>)</li>
<li><code>amqp</code> for <code>rabbit_auth_backend_amqp</code> (from the <a href="https://github.com/rabbitmq/rabbitmq-auth-backend-amqp">AMQP 0-9-1 auth backend plugin</a>)</li>
<li><code>dummy</code> for <code>rabbit_auth_backend_dummy</code></li>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How are aliases managed? Is it a hard-coded list? Or does RabbitMQ try to use rabbit_auth_backend_${alias}?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A hard-coded list.

</ul>

When using third party plugins, providing a full module name is necessary.
</p>

<p>
The following example configures RabbitMQ to use the <a href="/ldap.html">LDAP backend</a>
for both authentication and authorisation. Internal database will not be consulted:
</p>


<pre class="example">
auth_backends.1 = ldap
</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>:

<pre class="example">
[{rabbit, [
{auth_backends, [rabbit_auth_backend_ldap]}
Expand All @@ -297,18 +337,42 @@ limitations under the License.
This will check LDAP first, and then fall back to the internal
database if the user cannot be authenticated through LDAP:
</p>

<pre class="example">
auth_backends.1 = ldap
auth_backends.2 = internal
</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>:

<pre class="example">
[{rabbit, [
{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_internal]}
]
}].
</pre>

<p>
Same as above but will fall back to the <a
href="https://github.com/rabbitmq/rabbitmq-auth-backend-http">HTTP backend</a>
instead:
</p>

<pre class="example">
# rabbitmq.conf
#
auth_backends.1 = ldap
# uses module name instead of a short alias, "http"
auth_backends.2 = rabbit_auth_backend_http

# See HTTP backend docs for details
http.user_path = http://my-authenticator-app/auth/user
http.vhost_path = http://my-authenticator-app/auth/vhost
http.resource_path = http://my-authenticator-app/auth/resource
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find the http prefix to be too generic in the context of the authentication backend. Maybe it should be the full module name? Or an additional prefix before the authentication mechanism name?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree. Perhaps we should use module names instead (and not only in the docs).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use auth_http and auth_ldap instead http and ldap in plugin settings?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

auth_http and auth_ldap sound good to me.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

auth_http is still too confusing IMHO. It could be considered a parameter of the management plugin. Using the module name makes it clear we are talking about the authentication backend.

About aliases in eg. auth_backends.1 = http, it's ok because it's in the context of auth_backends.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately if we go with module names in some places but not others, it will be more confusing than using just module names. Which is what we will do now.

</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>:

<pre class="example">
[{rabbit, [
{auth_backends, [rabbit_auth_backend_ldap, rabbit_auth_backend_http]}
Expand All @@ -319,16 +383,25 @@ limitations under the License.
[{user_path, "http://my-authenticator-app/auth/user"},
{vhost_path, "http://my-authenticator-app/auth/vhost"},
{resource_path, "http://my-authenticator-app/auth/resource"}]}].
</pre>

</pre>

<p>
The following example configures RabbitMQ to use internal
database for authentication and <a
href="https://github.com/gotthardp/rabbitmq-auth-backend-ip-range">source
IP range backend</a> for authorisation:
</p>


<pre class="example">
# rabbitmq.conf
#
auth_backends.1.authn = internal
# uses module name because this backend is from a 3rd party
auth_backends.1.authz = rabbit_auth_backend_ip_range
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know enough how authentication and authorization are handled by RabbitMQ but this configuration parameters look reversed.

I would expect something like:

auth_backends.authn.1 = internal
auth_backends.authn.2 = http
auth_backends.authz.1 = rabbit_auth_backend_ip_range

In other words: RabbitMQ checks authentication first using the listed modules, then it checks authorization using another set of modules. Of course, correct me if my understanding of RabbitMQ internals is wrong.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See this internals guide.

</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>:

<pre class="example">
[{rabbit, [
{auth_backends, [{rabbit_auth_backend_internal, rabbit_auth_backend_ip_range}]}
Expand All @@ -341,6 +414,16 @@ limitations under the License.
The following example configures RabbitMQ to use <a href="/ldap.html">LDAP backend</a>
for authentication and but internal backend for authorisation:
</p>

<pre class="example">
# rabbitmq.conf
#
auth_backends.1.authn = ldap
auth_backends.1.authz = internal
</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>:

<pre class="example">
[{rabbit, [
{auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal}]
Expand All @@ -357,17 +440,23 @@ limitations under the License.
a second attempt is made using only the internal database:
</p>

<pre class="example">
# rabbitmq.conf
#
auth_backends.1.authn = ldap
auth_backends.1.authz = internal
auth_backends.2 = internal
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, so disregard my previous comment, because authentication and authorization backends are organized as pairs. Sorry for the noise!

</pre>

Or, in the <a href="/configure.html#erlang-term-config-file">classic config format</a>:

<pre class="example">
[{rabbit, [
{auth_backends, [{rabbit_auth_backend_ldap, rabbit_auth_backend_internal},
rabbit_auth_backend_internal]
rabbit_auth_backend_internal]}
]
}].
</pre>
</doc:subsection>

<doc:subsection name="">
<doc:heading></doc:heading>
</pre>
</doc:subsection>
</doc:section>
</body>
Expand Down
Loading