
azure active directory - RabbitMQ - vhost permissions for AD? - Stack Overflow


I have a RabbitMQ instance that multiple teams need to access. Each team has its own vhost to manage its queues in and is not allowed in other vhosts. I got AD login working through the rabbitmq_auth_backend_oauth2 plugin.

What I can't find a solution to is how I now tie the AD to a specific vhost. Would it be possible to do it through the groups that exist in the JWT token when users log in?

Relevant part of my Helm chart:

advancedConfig: |
  [
    {rabbit, [
      {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
    ]},
    {rabbitmq_management, [
      {oauth_enabled, true},
      {oauth_client_id, "<id>"},
      {oauth_provider_url, "<url>"}
    ]},
    {rabbitmq_auth_backend_oauth2, [
      {resource_server_id, <<"<id>">>},
      {extra_scopes_source, <<"roles">>},
      {key_config, [
        {jwks_url, <<"<url>/discovery/v2.0/keys">>}
      ]}
    ]}
  ].

asked Mar 14 at 12:19 by David S, edited Mar 21 at 12:49
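The question's config sets `extra_scopes_source` to `roles`, so the plugin reads RabbitMQ scopes from the token's `roles` claim, and the plugin's documented scope grammar is `<resource_server_id>.<configure|read|write>:<vhost>/<name>[/<routing-key>]` plus `<resource_server_id>.tag:<tag>`. The script below is an added example (not code from the question, the answer, or the RabbitMQ project) that decodes a constructed, unsigned sample token, pulls the scopes out of `roles`, and reports which vhosts they grant and which roles the plugin would silently ignore. The resource server id `rabbitmq`, the vhost names and every role value are assumptions standing in for the `<id>` placeholders; the code also simplifies the vhost component to either an exact name or `*`, whereas the real plugin treats each component as a pattern.

```python
"""Inspect the RabbitMQ OAuth2 scopes carried in a JWT and map them to vhosts.

Scope grammar (as documented for rabbitmq_auth_backend_oauth2):
    <resource_server_id>.<permission>:<vhost>/<name>[/<routing-key>]
    <resource_server_id>.tag:<tag>
with permission in {configure, read, write}. Anything that does not match,
or that carries a different resource_server_id, grants nothing.
"""
import base64
import json
import re
from collections import defaultdict

RESOURCE_SERVER_ID = "rabbitmq"   # assumption: stands in for the <id> placeholder
EXTRA_SCOPES_SOURCE = "roles"     # as in the question's extra_scopes_source setting

SCOPE_RE = re.compile(
    r"^(?P<rsid>[^.]+)\.(?P<perm>configure|read|write):"
    r"(?P<vhost>[^/]+)/(?P<name>[^/]+)(?:/(?P<rk>.+))?$"
)
TAG_RE = re.compile(r"^(?P<rsid>[^.]+)\.tag:(?P<tag>\S+)$")


def _b64url(obj) -> str:
    """Base64url-encode a JSON object without padding (JWT segment form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: header, an Azure-AD-style payload with an app
# "roles" claim, and a placeholder signature. It is NOT a real token.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({
        "sub": "team-a-user",
        "roles": [
            "rabbitmq.configure:team-a/*",   # full rights inside vhost team-a
            "rabbitmq.read:team-a/*",
            "rabbitmq.write:team-a/*",
            "rabbitmq.tag:management",       # management UI access
            "Other.Role",                    # plain AD app role: not a scope
            "otherapp.read:team-b/*",        # wrong resource_server_id: ignored
        ],
    }),
    "signature-placeholder",
])


def decode_jwt_payload(token: str) -> dict:
    """Decode only the payload segment. The signature is deliberately NOT
    verified here; the broker does that against jwks_url. Inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_scopes(claims: dict) -> list:
    """Collect scopes from the standard 'scope' claim and the extra source."""
    scopes = []
    for key in ("scope", EXTRA_SCOPES_SOURCE):
        value = claims.get(key, [])
        scopes += value.split() if isinstance(value, str) else list(value)
    return scopes


def vhost_permissions(scopes, resource_server_id=RESOURCE_SERVER_ID) -> dict:
    """Group scopes by vhost pattern and permission; report unusable ones."""
    perms = defaultdict(lambda: {"configure": set(), "read": set(), "write": set()})
    tags, ignored = set(), []
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if m and m.group("rsid") == resource_server_id:
            perms[m.group("vhost")][m.group("perm")].add(m.group("name"))
            continue
        t = TAG_RE.match(scope)
        if t and t.group("rsid") == resource_server_id:
            tags.add(t.group("tag"))
            continue
        ignored.append(scope)   # misconfigured roles show up here
    return {
        "vhosts": {v: {k: sorted(n) for k, n in p.items()} for v, p in perms.items()},
        "tags": sorted(tags),
        "ignored": ignored,
    }


def can_access_vhost(result: dict, vhost: str) -> bool:
    """A vhost is reachable if some scope names it exactly or uses '*'."""
    return any(
        pattern in ("*", vhost) and any(p.values())
        for pattern, p in result["vhosts"].items()
    )


def analyze_token(token: str, resource_server_id=RESOURCE_SERVER_ID) -> dict:
    """Convenience wrapper: token -> vhost permission report."""
    return vhost_permissions(extract_scopes(decode_jwt_payload(token)), resource_server_id)


if __name__ == "__main__":
    report = analyze_token(SAMPLE_TOKEN)
    print(json.dumps(report, indent=2))
    for vh in ("team-a", "team-b"):
        print(vh, "reachable:", can_access_vhost(report, vh))
```

Running it against the sample token shows `team-a` reachable, `team-b` not, and two roles in `ignored`: the plain AD app role that is not in the scope grammar, and the scope prefixed with a different resource server id. That `ignored` list is the first thing to check when a user logs in successfully but lands with no vhost access.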

1 Answer

After a lot of testing with the configuration of the plugin and customizing the JWT token to create more dynamic roles, I ended up having to write a custom version of the rabbit_auth_backend_oauth2 plugin to have full control over roles-to-vhost permissions.

Frustrating that Azure doesn't allow for more customization, as claims mapping would've worked if not for only being allowed one transformation expression per claim.
