Authenticating to rabbitmq with ExternalCredentials

Updated: 2024-10-23 01:55:13

Problem description

I have a rabbitmq server and use the pika library with Python to produce/consume messages. For development purposes, I was simply using

credentials = pika.PlainCredentials(username, password)

I want to change that to use pika.ExternalCredentials or TLS.

I have set up my rabbitmq server to listen for TLS on port 5671, and have configured it correctly. I am able to communicate with rabbitmq from localhost, but the moment I try to communicate with it from outside the localhost it doesn't like that. I have a feeling my "credentials" are based on the "guest" user in rabbitmq.

%% -*- mode: erlang -*-
[
 {rabbit, [
   {ssl_listeners, [5671]},
   {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
   {ssl_options, [{cacertfile,"~/tls-gen/basic/result/ca_certificate.pem"},
                  {certfile,"~/tls-gen/basic/result/server_certificate.pem"},
                  {keyfile,"~/tls-gen/basic/result/server_key.pem"},
                  {verify,verify_none},
                  {ssl_cert_login_from, common_name},
                  {fail_if_no_peer_cert,false}]}
 ]}
].

I can confirm this works, since in my logs for rabbitmq I see:

2019-08-21 15:34:47.663 [info] <0.442.0> started TLS (SSL) listener on [::]:5671

Server-side everything seems to be set up, I have also generated certificates and all the .pem files required.

import pika
import ssl
from pika.credentials import ExternalCredentials

context = ssl.create_default_context(cafile="~/tls-gen/basic/result/ca_certificate.pem")
context.load_cert_chain("~/tls-gen/basic/result/client_certificate.pem",
                        "~/tls-gen/basic/result/client_key.pem")
ssl_options = pika.SSLOptions(context, "10.154.0.27")
params = pika.ConnectionParameters(port=5671, ssl_options=ssl_options,
                                   credentials=ExternalCredentials())
connection = pika.BlockingConnection(params)
channel = connection.channel()

When I run the script locally

(<Basic.GetOk(['delivery_tag=1', 'exchange=', 'message_count=0', 'redelivered=False', 'routing_key=foobar'])>, <BasicProperties>, b'Hello, world!')

When I run the script from another instance

Traceback (most recent call last):
  File "pbbarcode.py", line 200, in <module>
    main()
  File "pbbarcode.py", line 187, in main
    connection = pika.BlockingConnection(params)
  File "/usr/local/lib/python3.7/site-packages/pika/adapters/blocking_connection.py", line 359, in __init__
    self._impl = self._create_connection(parameters, _impl_class)
  File "/usr/local/lib/python3.7/site-packages/pika/adapters/blocking_connection.py", line 450, in _create_connection
    raise self._reap_last_connection_workflow_error(error)
pika.exceptions.AMQPConnectionError

When I run the script locally, with the guest user deleted

Traceback (most recent call last):
  File "test_mq.py", line 12, in <module>
    with pika.BlockingConnection(conn_params) as conn:
  File "/home/daudn/.local/lib/python3.7/site-packages/pika/adapters/blocking_connection.py", line 359, in __init__
    self._impl = self._create_connection(parameters, _impl_class)
  File "/home/daudn/.local/lib/python3.7/site-packages/pika/adapters/blocking_connection.py", line 450, in _create_connection
    raise self._reap_last_connection_workflow_error(error)
pika.exceptions.ProbableAuthenticationError: ConnectionClosedByBroker: (403) 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.'

It seems like SSL is configured with the user "guest" and rabbitmq doesn't allow connections to guest outside of localhost. How can I use SSL with a different user? When I delete the guest user, this is what the rabbitmq log says:

2019-08-22 10:14:40.054 [info] <0.735.0> accepting AMQP connection <0.735.0> (127.0.0.1:59192 -> 127.0.0.1:5671)
2019-08-22 10:14:40.063 [error] <0.735.0> Error on AMQP connection <0.735.0> (127.0.0.1:59192 -> 127.0.0.1:5671, state: starting): PLAIN login refused: user 'guest' - invalid credentials
2019-08-22 10:14:40.063 [warning] <0.735.0> closing AMQP connection <0.735.0> (127.0.0.1:59192 -> 127.0.0.1:5671): client unexpectedly closed TCP connection
2019-08-22 10:15:12.613 [info] <0.743.0> Creating user 'guest'
2019-08-22 10:15:28.370 [info] <0.750.0> Setting user tags for user 'guest' to [administrator]
2019-08-22 10:15:51.352 [info] <0.768.0> Setting permissions for 'guest' in '/' to '.*', '.*', '.*'
2019-08-22 10:15:54.237 [info] <0.774.0> accepting AMQP connection <0.774.0> (127.0.0.1:59202 -> 127.0.0.1:5671)
2019-08-22 10:15:54.243 [info] <0.774.0> connection <0.774.0> (127.0.0.1:59202 -> 127.0.0.1:5671): user 'guest' authenticated and granted access to vhost '/'

This also clearly means the SSL is still using the username and password to connect to rabbitmq? HELP!

References:

tls_official_example

pika_official_tls_docs

added_authentication_external

Recommended answer

Leaving this here for future reference

ssl_options = pika.SSLOptions(context, "rabbitmq-node-name")
params = pika.ConnectionParameters(host="rabbitmq-node-name", port=5671,
                                   ssl_options=ssl_options,
                                   credentials=ExternalCredentials())

The confusion was that I believed when doing SSLOptions(context, "rabbitmq-node-name") I thought I had supplied the host here and did not have to supply it again in the args for ConnectionParameters(). But turns out that's incorrect, if no host is supplied, it defaults to localhost. Which is why the script ran locally and not outside of the local network.
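
An added example, not part of the original question or answer: a triage of broker log lines in the format quoted in the question, flagging connections on the TLS listener whose client and broker addresses are both loopback, that were refused under a mechanism other than EXTERNAL, or that logged in as guest. The function name triage, the finding labels and the embedded sample (built from the log lines quoted above) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: broker log lines in the format quoted in the question.
SAMPLE_LOG = """\
2019-08-22 10:14:40.054 [info] <0.735.0> accepting AMQP connection <0.735.0> (127.0.0.1:59192 -> 127.0.0.1:5671)
2019-08-22 10:14:40.063 [error] <0.735.0> Error on AMQP connection <0.735.0> (127.0.0.1:59192 -> 127.0.0.1:5671, state: starting): PLAIN login refused: user 'guest' - invalid credentials
2019-08-22 10:15:54.237 [info] <0.774.0> accepting AMQP connection <0.774.0> (127.0.0.1:59202 -> 127.0.0.1:5671)
2019-08-22 10:15:54.243 [info] <0.774.0> connection <0.774.0> (127.0.0.1:59202 -> 127.0.0.1:5671): user 'guest' authenticated and granted access to vhost '/'
"""

# connection <pid> (peer_ip:port -> local_ip:port ...
CONN = re.compile(r"connection (<[\d.]+>) \(([\d.]+):\d+ -> ([\d.]+):(\d+)")
REFUSED = re.compile(r"(\w+) login refused: user '([^']*)'")
GRANTED = re.compile(r"user '([^']*)' authenticated and granted access")


def triage(log_text, tls_port=5671):
    """Return {connection pid: sorted findings} for connections on tls_port."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        conn = CONN.search(line)
        if not conn or int(conn.group(4)) != tls_port:
            continue  # not a connection line, or a different listener
        pid, peer, local = conn.group(1), conn.group(2), conn.group(3)
        if peer.startswith("127.") and local.startswith("127."):
            # Both ends are loopback: the client connected to localhost.
            findings[pid].add("loopback-client")
        refused = REFUSED.search(line)
        if refused:
            mech, user = refused.groups()
            if mech != "EXTERNAL":
                # Password-style mechanism was negotiated on the TLS port.
                findings[pid].add(f"{mech}-on-tls-port")
            if user == "guest":
                findings[pid].add("guest-user")
        granted = GRANTED.search(line)
        if granted and granted.group(1) == "guest":
            findings[pid].add("guest-user")
    return {pid: sorted(found) for pid, found in findings.items()}


if __name__ == "__main__":
    for pid, found in triage(SAMPLE_LOG).items():
        print(pid, ", ".join(found))
```
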

Published: 2023-11-03 16:21:04
Article link: https://www.elefans.com/category/jswz/34/1555562.html