rabbitmq-auth-backend-ip-range's Introduction

RabbitMQ plug-in for client authorization based on source IP address

Supported RabbitMQ and Erlang Versions

This plugin currently targets RabbitMQ 3.8.x and Erlang 21.3+. Please see the Releases page for binary downloads.

Binary Builds

Binary builds are published as GitHub releases.

Configuration

This plugin uses both RabbitMQ configuration files, rabbitmq.conf and advanced.config.

An example configuration follows.

rabbitmq.conf:

auth_backends.1.authn = internal
auth_backends.1.authz = rabbit_auth_backend_ip_range

advanced.config:

[
    {rabbitmq_auth_backend_ip_range, [
        {tag_masks,
            [{'ip-private', [<<"::FFFF:192.168.0.0/112">>]}]},
        {default_masks, [<<"::0/0">>]}
    ]}
].

See RabbitMQ Configuration for more details. The following sub-sections give a detailed explanation of the related configuration options.

Using IP Range as an AuthZ Backend

rabbit_auth_backend_ip_range should be used for authorization only. It may be combined with rabbit_auth_backend_internal, rabbit_auth_backend_ldap, or another backend that handles authentication.

For example:

auth_backends.1.authn = internal
auth_backends.1.authz = rabbit_auth_backend_ip_range

auth_backends.2.authz = internal

This will use the internal backend for authentication. rabbit_auth_backend_ip_range will be tried for authorization first, with a fallback to the standard internal database backend.

Controlling the IP Range Access Control List

The plugin supports several parameters configurable via advanced.config:

tag_masks -- List of tuples {tag, [<<"ip/mask">>, ...]}. The tag corresponds to one of the user's tags; each ip/mask is a permitted network mask for the remote (client) address.

default_masks -- Default IP network mask list [<<"ip/mask">>, ...] used when the user has none of the listed tags. Set this to [<<"::0/0">>] to accept untagged users (the default behaviour), or to [<<"::0/127">>] to reject untagged users.

For example:

{rabbitmq_auth_backend_ip_range, [
    {tag_masks,
        [{'ip-private', [<<"::FFFF:192.168.0.0/112">>]}]},
    {default_masks, [<<"::0/0">>]}
]},

This will allow users with the tag ip-private to log in from private networks only. Other users will be able to log in from any network.

An IPv4 mask (e.g. 192.168.0.0) will match an IPv4 address only. An IPv4-mapped IPv6 mask (e.g. ::FFFF:192.168.0.0) will match both IPv4 and IPv6 addresses.
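As an added illustration (not the plugin's own code), the following Python models the matching rules described above with the standard ipaddress module: the masks of a user's tags are selected, default_masks applies when none of the tags match, an IPv4 mask matches IPv4 clients only, and an IPv4-mapped IPv6 mask matches both. It also shows which IPv4 range an IPv4-mapped prefix really covers (the IPv6 prefix length minus the 96 bits of the ::FFFF:0:0/96 prefix); the function names and the sample TAG_MASKS/DEFAULT_MASKS values are constructed for this example.

```python
import ipaddress

# Constructed sample mirroring the README's advanced.config (not the plugin's code).
TAG_MASKS = {"ip-private": ["::FFFF:192.168.0.0/112"]}
DEFAULT_MASKS = ["::0/0"]


def mask_matches(mask, client):
    """Apply one <<"ip/mask">> entry to a client address, following the README:
    an IPv4 mask matches IPv4 clients only; an IPv4-mapped IPv6 mask matches
    IPv4 clients (after mapping them to ::FFFF:a.b.c.d) and IPv6 clients."""
    net = ipaddress.ip_network(mask, strict=False)  # host bits allowed, as in the config
    ip = ipaddress.ip_address(client)
    if net.version == 4:
        return ip.version == 4 and ip in net
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip in net


def masks_for(user_tags, tag_masks=TAG_MASKS, default_masks=DEFAULT_MASKS):
    """Masks of every tag the user carries; default_masks when none apply."""
    masks = [m for tag in user_tags for m in tag_masks.get(tag, [])]
    return masks or list(default_masks)


def authorize(user_tags, client, tag_masks=TAG_MASKS, default_masks=DEFAULT_MASKS):
    """True when the client address falls inside any mask selected for the user."""
    return any(mask_matches(m, client)
               for m in masks_for(user_tags, tag_masks, default_masks))


def mapped_v4_equivalent(mask):
    """IPv4 network covered by an IPv4-mapped IPv6 mask, or None if the mask is
    not IPv4-mapped. The IPv4 address occupies bits 96-127, so the IPv4 prefix
    length is the IPv6 prefix length minus 96 (::FFFF:192.168.0.0/112 -> /16)."""
    net = ipaddress.ip_network(mask, strict=False)
    v4 = net.network_address.ipv4_mapped if net.version == 6 else None
    if v4 is None or net.prefixlen < 96:
        return None
    return ipaddress.ip_network(f"{v4}/{net.prefixlen - 96}", strict=False)


if __name__ == "__main__":
    print(authorize(["ip-private"], "192.168.1.5"))              # True: inside the private mask
    print(authorize(["ip-private"], "10.0.0.1"))                 # False: tagged user, wrong network
    print(authorize([], "10.0.0.1"))                             # True: untagged, default ::0/0
    print(authorize([], "10.0.0.1", default_masks=["::0/127"]))  # False: untagged users rejected
    print(mapped_v4_equivalent("::FFFF:10.196.33.100/114"))      # 10.196.0.0/18
```

A mask with host bits set, such as ::FFFF:10.196.33.100/114, is accepted here the way the config accepts it: only the first 114 bits (the first 18 bits of the IPv4 address) are compared.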

Build Instructions

This plug-in requires a supported RabbitMQ release series. Build the plug-in following the standard Plugin Development Guide.

History

Please see the Releases page for binary downloads.

Version        Date        Erlang  Notes
2.0.0+rmq-39   2022-02-15  23.2    Compatible with RabbitMQ 3.9.0 or later
2.0.0          2019-10-24  21.3    Compatible with RabbitMQ 3.8.0 or later
1.0.0          2019-10-24  20.3    Compatible with RabbitMQ 3.7.x
3.7.14         2019-04-03  20.3    Tag and release are deleted; use version 1.0.0
3.7.0          2018-08-01  19.3    Compatible with RabbitMQ 3.7.x. Tag and release are deleted. Use this commit and build with Erlang 19.3 if you need this version
0.2.0          2015-12-22  -       Compatible with RabbitMQ 3.6.x. Implements the RabbitMQ Issue 109 fix for authorization of MQTT/STOMP connections.
0.1.1          2015-10-27  -       Bugfix release.
  • IPv4-mapped IPv6 addresses now match the respective IPv4 address.
  • Added some debug logs to hunt Issue #2.
  • Authenticate against the remote (client) address instead of the local (server) address.
0.1.0          2014-11-14  -       First release. Compatible with RabbitMQ 3.5.x only.

rabbitmq-auth-backend-ip-range's Issues

New releases for 3.6.16 and 3.7.13

On the https://github.com/gotthardp/rabbitmq-auth-backend-ip-range/releases page, the last release is v0.2.0 in Dec. 2015. This release does not contain a pre-built .ez file, unlike the v0.1.1 release (https://github.com/gotthardp/rabbitmq-auth-backend-ip-range/releases/download/v0.1.1/rabbitmq_auth_backend_ip_range-0.1.1-rmq3.5.6.ez).

Since the v0.2.0 release there has been at least one additional version bump (v3.0.7) according to the history listed in README.md:

3.7.0 (August 1, 2018). Compatible with RabbitMQ 3.7.x.
0.2.0 (Dec 22, 2015). Compatible with RabbitMQ 3.6.x.
Implement RabbitMQ Issue 109 fix for authorization of MQTT/STOMP connections.
0.1.1 (Oct 27, 2015) Bugfix release.
IPv4-mapped IPv6 addresses now match the respective IPv4 address.
Added some debug logs to hunt the Issue #2.
Authenticate against remote (client) address instead of local (server) address.
0.1.0 (Nov 14, 2014) First release. Compatible with RabbitMQ 3.5.x only.

Example:

v0.2.0
@gotthardp gotthardp released this on Dec 22, 2015 · 20 commits to master since this release

Implement RabbitMQ Issue 109
Compatibility changes for RabbitMQ 3.6.x
Assets 2
Source code (zip)
Source code (tar.gz)

To make this plugin more accessible, it would make sense to produce binary distributions in .ez format rather than leave this task to the user.

Unable to block IP

I am a little confused about the usage of this plugin. I read in the documentation that it should only be used for authorization and not authentication, but I also read the below:

"This will allow users with the tag ip-private to login from private networks only. Other users will be able to login from any network."

The above seems like it would block authentication from IP addresses as well. My config is as below:

[
  {rabbit, [
    {auth_backends, [{rabbit_auth_backend_internal, [rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]}]},
    {loopback_users, [test]}
  ]},
  {rabbitmq_auth_backend_ip_range, [
    {tag_masks, [{'test', [<<"::FFFF:192.168.30.156">>]}]}
  ]}
].

Based on this, any user tagged with test should only be able to login if accessing from the IP: 192.168.30.156. This doesn't seem to be true as we are able to access and login from other servers.

Integration tests

This plugin uses a homegrown way of setting up a node with a certain config and users/permissions. There is no reason to do this.

I also don't think the suite can pass on every host/network as is but that's potentially unavoidable since IP addressees cannot be temporarily tweaked.

@dumbbell @lukebakken how do you think we should test this plugin?

management API return status code 500

RabbitMQ version: 3.7
Plugin: rabbitmq-auth-backend-ip-range
Config file:

[
  {rabbit, [
    {auth_backends, [{rabbit_auth_backend_ip_range}]}
  ]},
  {rabbitmq_auth_backend_ip_range, [
    {tag_masks,
      [{'administrator', [<<"::FFFF:172.xx.xx.xxx/112">>]}]
    },
    {default_masks, [<<"::0/0">>]}
  ]}
].

Problem: If I log in to the management UI using the credentials of a user with some other tag, the login fails and the management app returns 500. The above configuration file states that an administrator user is allowed to log in from a particular API, and all other users except the administrator user are allowed to log in.

Is it possible to use IP authz combined with internal authz

This doesn't appear to work:

auth_backends.1.authn = ldap
auth_backends.1.authz = rabbit_auth_backend_ip_range
auth_backends.2.authz = internal

I get "not a management user" in the logs; I guess it is not checking the internal db.

advanced.config looks like this:

[
  {rabbitmq_auth_backend_ip_range, [
    {tag_masks,
      [{'dotnetclient', [<<"::FFFF:192.168.0.0/112">>]}]},
    {default_masks, [<<"::0/127">>]}
  ]}
].

Which ip address should be compared to the network mask in config file?

I found this plugin on https://www.rabbitmq.com/community-plugins.html.

rabbitmq_auth_backend_ip_range
Provides the ability for your RabbitMQ server to perform authorisation based on the client IP address.
Download: rabbitmq_auth_backend_ip_range-0.1.0-rmq3.5.x-9884a34d.ez
Authors: Petr Gotthard
Github: gotthardp/rabbitmq-auth-backend-ip-range

I think the IP address that is compared to the network mask should be the client IP address, but I found that it doesn't work correctly.

Here's my infrastructure.

Rabbitmq server: 192.168.0.144
My client application: 192.168.0.107

rabbitmq.config

   {tag_masks, [{'private', [<<"192.168.0.107">>]}]}

My client could not access resources (vhosts, exchanges, queues) on RabbitMQ, so I checked the log file and found this:

Address 192.168.0.114 not matching any of [ 192.168.0.107 ]

Should the IP address on the left side be the client or the RabbitMQ server?

Settings in rabbitmq.config seem to be ignored

Settings in rabbitmq.config seem to be ignored. For example, I have installed the plug-in, and edited my configuration like so:

{auth_backends, [{rabbit_auth_backend_internal, [rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]}]},
{rabbitmq_auth_backend_ip_range, [{tag_masks, [{'ip-private', [<<"::FFFF:127.0.0.1/128">>]}]}, {default_masks, [<<"::0/0">>]}]}

Then I have tried sending a message as a user tagged with 'ip-private' from 127.0.0.1 to RabbitMQ. I see the following error message in the log file.

=WARNING REPORT==== 20-Oct-2015::15:26:32 ===
Address 127.0.0.1 not matching any of [ 192.168.0.0/16 ::FFFF:192.168.0.0/112 ]

Those IP ranges listed are the ones present in the rabbitmq_auth_backend_ip_range.app file within the plugin.

I also tried creating some tags other than "ip-private"; these seem to have no effect at all.

No matter what I do, it seems as if the plugin is using the IP range settings from the rabbitmq_auth_backend_ip_range.app file.

I have tried reinstalling the rabbit server to make sure the config is reloaded.

Any idea what is wrong?

IP range setting is not correct

I did some tests on this plugin, using RabbitMQ 3.8.8 with Erlang 21.3.

Following is my IP:
IPv4 Address. . . . . . . . . . . : 10.196.33.53
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.196.32.1

I set the following content in advanced.config:

[
  {rabbit, [
    {tcp_listeners, [5672]},
    {auth_backends, [
      {rabbit_auth_backend_internal,
        [rabbit_auth_backend_internal, rabbit_auth_backend_ip_range]
      }
    ]}
  ]},
  {rabbitmq_auth_backend_ip_range, [
    {tag_masks,
      [{'ip-private', [<<"::FFFF:10.196.33.100/114">>]}]},
    {default_masks, [<<"::0/0">>]}
  ]}
].

The user is tester1 with the ip-private tag.
I think I should not be able to check the exchanges, but actually I can check them from my computer.

Then I changed the line to [{'ip-private', [<<"::FFFF:10.196.33.100/220">>]}].
I can't get the exchange information now.

I really don't know how "::FFFF:10.196.33.100/220" works.
Why does 100/114 not block my IP while 100/220 blocks it? I think both of them should block my IP.
