Qpid authenticated user passed to message recipients

rherbert
I'm using the Qpid C++ broker, version 1.37.0. I'm authenticating to the
broker using certificates. In the service listening for messages, I was
hoping to use the user field from the message to check if the user is
authorized to take the action specified.

However, it looks like the user field is not being set. The documentation
describes how the user is mangled from the certificate DN, etc. - is that
only accessible inside the broker read/write permissions for the exchange?

The use case I'm trying to solve is that the permissions are defined
granularly inside Active Directory. Putting the authorization logic inside
the service is the easiest way to integrate that - also, I need to log which
user requested the action.

Is there any way to make this work? My fallback plan is to sign the messages
with the certificate, but this will add a lot of overhead to each message.



--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: Qpid authenticated user passed to message recipients

Gordon Sim
On 19/05/2019 7:02 pm, rherbert wrote:
> I'm using the Qpid C++ broker, version 1.37.0. I'm authenticating to the
> broker using certificates. In the service listening for messages, I was
> hoping to use the user field from the message to check if the user is
> authorized to take the action specified.
>
> However, it looks like the user field is not being set. The documentation
> describes how the user is mangled from the certificate DN, etc. - is that
> only accessible inside the broker read/write permissions for the exchange?

The sender needs to set the userid field on the message explicitly. By
default the broker will then ensure that the value specified matches the
authenticated identity, so the receiver can trust that value.

(With the qpid::messaging c++ API there is a getAuthenticatedUser()
method on Connection that should retrieve the userid in the correct form.)

> The use case I'm trying to solve is that the permissions are defined
> granularly inside Active Directory. Putting the authorization logic inside
> the service is the easiest way to integrate that - also, I need to log which
> user requested the action.
>
> Is there any way to make this work? My fallback plan is to sign the messages
> with the certificate, but this will add a lot of overhead to each message.

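The trust chain described in the reply above (the client copies its authenticated identity into the message's user-id, the broker rejects a user-id that does not match the identity it authenticated, the receiving service authorizes and logs on that field), written out as an added, self-contained C++ model. This is not code from the thread or from the Qpid project: Message, buildMessage, brokerAcceptsMessage, authorize and samplePermissions are stand-ins, the permissions table is constructed here in place of an Active Directory lookup, and the assumption that a message with no user-id set passes the broker check unchanged is taken from the reply ("the sender needs to set the userid field explicitly"), not from the broker source.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Stand-in for the two message properties that matter here: the AMQP user-id
// and the payload.  Not the qpid::messaging::Message class.
struct Message {
    std::string user_id;  // the field qpid::messaging sets via Message::setUserId()
    std::string body;
};

// Sender side.  In the real client this is
//   message.setUserId(connection.getAuthenticatedUser());
// The authenticated identity is passed in as an opaque string because the
// exact form the broker derives from a certificate DN depends on broker config.
Message buildMessage(const std::string& authenticatedUser, const std::string& body) {
    Message m;
    m.user_id = authenticatedUser;
    m.body = body;
    return m;
}

// Model of the broker-side check described in the thread: a user-id the sender
// did set must equal the identity the broker authenticated on the connection.
// Assumption (from the reply, not the broker source): an unset user-id is
// passed through unchanged rather than rejected.
bool brokerAcceptsMessage(const std::string& authenticatedUser, const Message& m) {
    if (m.user_id.empty()) return true;
    return m.user_id == authenticatedUser;
}

struct Decision {
    bool allowed;
    std::string audit;  // log line: who asked for what, and the outcome
};

// Constructed stand-in for the per-user action list that would come from AD.
std::map<std::string, std::set<std::string>> samplePermissions() {
    return {
        {"alice", {"restart", "status"}},
        {"bob", {"status"}},
    };
}

// Receiver side.  The only identity the service may trust is the user-id the
// broker has already verified, so an empty field must mean "unauthenticated",
// never "anyone": the broker does not vouch for a field the sender left unset.
Decision authorize(const Message& m, const std::string& action,
                   const std::map<std::string, std::set<std::string>>& permissions) {
    if (m.user_id.empty())
        return {false, "DENY action=" + action + " user=<unset>"};
    auto it = permissions.find(m.user_id);
    bool ok = it != permissions.end() && it->second.count(action) > 0;
    return {ok, std::string(ok ? "ALLOW" : "DENY") + " action=" + action +
                    " user=" + m.user_id};
}

int main() {
    const auto permissions = samplePermissions();
    std::cout << std::boolalpha;

    // Honest client: user-id copied from the authenticated identity.
    Message ok = buildMessage("alice", "restart svc-1");
    std::cout << brokerAcceptsMessage("alice", ok) << "\n";      // true
    std::cout << authorize(ok, "restart", permissions).audit << "\n";

    // Spoof: connection authenticated as bob, message claims alice -> broker rejects.
    Message spoof = buildMessage("alice", "restart svc-1");
    std::cout << brokerAcceptsMessage("bob", spoof) << "\n";     // false

    // Client that never set user-id: broker passes it, receiver must deny.
    Message anon{"", "restart svc-1"};
    std::cout << brokerAcceptsMessage("bob", anon) << "\n";      // true
    std::cout << authorize(anon, "restart", permissions).audit << "\n";

    // Authenticated and verified, but not permitted for this action.
    std::cout << authorize(buildMessage("bob", "status svc-1"), "restart", permissions).audit << "\n";
    return 0;
}
```

In a real deployment the receiver reads the field with Message::getUserId() and the only check the service itself must keep is the empty-field denial: the match against the connection's identity is the broker's job, which is what lets the service trust the value without signing every message.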