SASL Authentication
RabbitMQ has pluggable support for various SASL authentication mechanisms. There are three such mechanisms built into the server: PLAIN, AMQPLAIN, and RABBIT-CR-DEMO, and one - EXTERNAL - available as a plugin. You can also implement your own authentication mechanism by implementing the rabbit_auth_mechanism behaviour in a plugin. See the plugin development guide for more information on general plugin development.
Built-in mechanisms
The three built-in mechanisms are:
PLAIN
SASL PLAIN authentication. This is enabled by default in the RabbitMQ server and clients, and is the default for most other clients.
AMQPLAIN
Non-standard version of PLAIN as defined by the AMQP 0-8 specification. This is enabled by default in the RabbitMQ server, and is the default for QPid's Python client.
RABBIT-CR-DEMO
Non-standard mechanism which demonstrates challenge-response authentication. This mechanism has security equivalent to PLAIN, and is not enabled by default in the RabbitMQ server.
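As an added example (not code from RabbitMQ or any of its clients), the following Python builds the client response for PLAIN (RFC 4616) and for AMQPLAIN (AMQP 0-8 field-table entries LOGIN and PASSWORD) and parses each one back, showing that both mechanisms carry the password unencoded in the response. The function names and the credentials are constructed for illustration.

```python
import struct

def plain_response(username, password, authzid=""):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, all UTF-8."""
    return b"\0".join(s.encode("utf-8") for s in (authzid, username, password))

def amqplain_response(username, password):
    """AMQPLAIN: field-table entries LOGIN and PASSWORD, sent without the table length prefix."""
    out = b""
    for key, value in ((b"LOGIN", username), (b"PASSWORD", password)):
        raw = value.encode("utf-8")
        # short-string key, type tag 'S', then 4-byte big-endian length and the value
        out += bytes([len(key)]) + key + b"S" + struct.pack(">I", len(raw)) + raw
    return out

def parse_plain(response):
    """Recover (username, password) from a PLAIN response."""
    parts = response.split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return parts[1].decode("utf-8"), parts[2].decode("utf-8")

def parse_amqplain(response):
    """Recover (username, password) from an AMQPLAIN response."""
    fields, pos = {}, 0
    while pos < len(response):
        klen = response[pos]
        key = response[pos + 1:pos + 1 + klen]
        pos += 1 + klen
        if response[pos:pos + 1] != b"S" or pos + 5 > len(response):
            raise ValueError("expected a long-string field")
        (vlen,) = struct.unpack_from(">I", response, pos + 1)
        if pos + 5 + vlen > len(response):
            raise ValueError("truncated field value")
        fields[key] = response[pos + 5:pos + 5 + vlen]
        pos += 5 + vlen
    if b"LOGIN" not in fields or b"PASSWORD" not in fields:
        raise ValueError("LOGIN or PASSWORD field missing")
    return fields[b"LOGIN"].decode("utf-8"), fields[b"PASSWORD"].decode("utf-8")

if __name__ == "__main__":
    user, pw = "guest", "s3cret"  # constructed sample credentials
    for name, build, parse in (("PLAIN", plain_response, parse_plain),
                               ("AMQPLAIN", amqplain_response, parse_amqplain)):
        resp = build(user, pw)
        print(name, resp, parse(resp))
```

Because the password appears verbatim in both encodings, the two mechanisms offer the same confidentiality on the wire and differ only in framing.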
Server configuration
The configuration variable auth_mechanisms in the rabbit application determines which of the installed mechanisms are offered to connecting clients. This variable should be a list of atoms corresponding to mechanism names; the default is ['PLAIN', 'AMQPLAIN']. The server-side list is not considered to be in any particular order. See the configuration file documentation.
Client configuration
Java
The Java client does not use the javax.security.sasl package by default since this can be unpredictable on non-Oracle JDKs and is missing entirely on Android. There is a RabbitMQ-specific SASL implementation, configured by the SaslConfig interface. A class DefaultSaslConfig is provided to make SASL configuration more convenient in the common case. A class JDKSaslConfig is provided to act as a bridge to javax.security.sasl.
See ConnectionFactory.getSaslConfig() and ConnectionFactory.setSaslConfig(SaslConfig).
Erlang
The Erlang client provides its own SASL mechanism implementations in the amqp_auth_mechanisms module. The #amqp_params{} record can be provided with a list of authentication functions in preference order for network connections.
.Net
The .Net client provides its own SASL mechanism implementations based on the AuthMechanism and AuthMechanismFactory interfaces. The ConnectionFactory.AuthMechanisms property is a list of authentication mechanism factories in preference order.