authorD Corbacho <diana@rabbitmq.com>2019-03-31 23:23:14 +0100
committerGitHub <noreply@github.com>2019-03-31 23:23:14 +0100
commit2997bc4f072cf4755a2069bab5a0b246c726a70c (patch)
tree9bb2fe6250502e5756ff37a98a125607945bffdf /src
parent388704e1131274037f6818aa1720a698f4469873 (diff)
parentf5fb70b47ce2f508cea95b1c09e1adeaab70f3fc (diff)
Merge pull request #1961 from rabbitmq/rabbitmq-auth-backend-cache-20
Cache vhost access requests using client IP address only
Diffstat (limited to 'src')
-rw-r--r--src/rabbit_access_control.erl24
-rw-r--r--src/rabbit_auth_backend_internal.erl2
-rw-r--r--src/rabbit_direct.erl11
-rw-r--r--src/rabbit_reader.erl2
4 files changed, 23 insertions, 16 deletions
diff --git a/src/rabbit_access_control.erl b/src/rabbit_access_control.erl
index 984ee5371d..954d003991 100644
--- a/src/rabbit_access_control.erl
+++ b/src/rabbit_access_control.erl
@@ -125,20 +125,30 @@ check_user_loopback(Username, SockOrAddr) ->
false -> not_allowed
end.
--spec check_vhost_access
- (rabbit_types:user(), rabbit_types:vhost(),
- rabbit_net:socket() | #authz_socket_info{}) ->
- 'ok' | rabbit_types:channel_exit().
-
+get_authz_data_from({ip, Address}) ->
+ #{peeraddr => Address};
+get_authz_data_from({socket, Sock}) ->
+ {ok, {Address, _Port}} = rabbit_net:peername(Sock),
+ #{peeraddr => Address};
+get_authz_data_from(undefined) ->
+ undefined.
+
+% Note: ip can be either a tuple or, a binary if reverse_dns_lookups
+% is enabled and it's a direct connection.
+-spec check_vhost_access(User :: rabbit_types:user(),
+ VHostPath :: rabbit_types:vhost(),
+ AuthzRawData :: {socket, rabbit_net:socket()} | {ip, inet:ip_address() | binary()} | undefined) ->
+ 'ok' | rabbit_types:channel_exit().
check_vhost_access(User = #user{username = Username,
- authz_backends = Modules}, VHostPath, Sock) ->
+ authz_backends = Modules}, VHostPath, AuthzRawData) ->
+ AuthzData = get_authz_data_from(AuthzRawData),
lists:foldl(
fun({Mod, Impl}, ok) ->
check_access(
fun() ->
rabbit_vhost:exists(VHostPath) andalso
Mod:check_vhost_access(
- auth_user(User, Impl), VHostPath, Sock)
+ auth_user(User, Impl), VHostPath, AuthzData)
end,
Mod, "access to vhost '~s' refused for user '~s'",
[VHostPath, Username], not_allowed);
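Review bot: The new helper `get_authz_data_from/1` carries no -spec and no comment, yet the `#{peeraddr => Address}` map it builds is now the whole authz payload every backend's `check_vhost_access/3` receives (the PR's point is that only the peer address is passed on, so a caching backend can key on it). Add `-spec get_authz_data_from({socket, rabbit_net:socket()} | {ip, inet:ip_address() | binary()} | undefined) -> #{peeraddr := inet:ip_address() | binary()} | undefined.` above the first clause, plus a one-line comment stating that the map deliberately exposes only the peer address to the backends. In the `{socket, Sock}` clause, `{ok, {Address, _Port}} = rabbit_net:peername(Sock)` raises badmatch if peername does not succeed (presumably `{error, _}` for a socket that closed meanwhile), which surfaces as a crash instead of the `channel_exit` the spec of check_vhost_access promises; if that is the intended behaviour, say so in a comment on that line. The body of check_vhost_access continues beyond the end of the hunk.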
diff --git a/src/rabbit_auth_backend_internal.erl b/src/rabbit_auth_backend_internal.erl
index 417f0d6374..2f8e85f0f3 100644
--- a/src/rabbit_auth_backend_internal.erl
+++ b/src/rabbit_auth_backend_internal.erl
@@ -113,7 +113,7 @@ internal_check_user_login(Username, Fun) ->
Refused
end.
-check_vhost_access(#auth_user{username = Username}, VHostPath, _Sock) ->
+check_vhost_access(#auth_user{username = Username}, VHostPath, _AuthzData) ->
case mnesia:dirty_read({rabbit_user_permission,
#user_vhost{username = Username,
virtual_host = VHostPath}}) of
diff --git a/src/rabbit_direct.erl b/src/rabbit_direct.erl
index 696b25f5e4..6a3cafbc28 100644
--- a/src/rabbit_direct.erl
+++ b/src/rabbit_direct.erl
@@ -181,14 +181,11 @@ notify_auth_result(Username, AuthResult, ExtraProps) ->
ExtraProps,
rabbit_event:notify(AuthResult, [P || {_, V} = P <- EventProps, V =/= '']).
-authz_socket_info_direct(Infos) ->
- #authz_socket_info{sockname={proplists:get_value(host, Infos),
- proplists:get_value(port, Infos)},
- peername={proplists:get_value(peer_host, Infos),
- proplists:get_value(peer_port, Infos)}}.
-
connect1(User, VHost, Protocol, Pid, Infos) ->
- try rabbit_access_control:check_vhost_access(User, VHost, authz_socket_info_direct(Infos)) of
+ % Note: peer_host can be either a tuple or
+ % a binary if reverse_dns_lookups is enabled
+ PeerHost = proplists:get_value(peer_host, Infos),
+ try rabbit_access_control:check_vhost_access(User, VHost, {ip, PeerHost}) of
ok -> ok = pg_local:join(rabbit_direct, Pid),
rabbit_core_metrics:connection_created(Pid, Infos),
rabbit_event:notify(connection_created, Infos),
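Review bot: `PeerHost = proplists:get_value(peer_host, Infos)` falls back to `undefined` when the adapter info has no `peer_host`, so the call passes `{ip, undefined}` into check_vhost_access, outside the `inet:ip_address() | binary()` its spec declares for the ip form, and get_authz_data_from then hands backends `#{peeraddr => undefined}`. Whether any direct-connection adapter omits `peer_host` is not visible here, but if one does, every such connection would share one authz identity (and, for a backend that caches by peer address, one cache key), whereas the removed `authz_socket_info_direct/1` at least kept the sockname alongside. Mapping a missing peer_host to the `undefined` raw form the spec already allows keeps the value inside the declared contract; the rewrite is below. connect1's body continues beyond the end of the hunk.
```erlang
connect1(User, VHost, Protocol, Pid, Infos) ->
    % Note: peer_host can be either a tuple or
    % a binary if reverse_dns_lookups is enabled;
    % with no peer_host at all, pass the 'undefined' raw form
    % rather than {ip, undefined}
    AuthzRawData = case proplists:get_value(peer_host, Infos) of
                       undefined -> undefined;
                       PeerHost  -> {ip, PeerHost}
                   end,
    try rabbit_access_control:check_vhost_access(User, VHost, AuthzRawData) of
        % … unchanged: ok branch (pg_local:join, metrics, connection_created event) …
```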
diff --git a/src/rabbit_reader.erl b/src/rabbit_reader.erl
index 4aea1495a4..aa26cf5482 100644
--- a/src/rabbit_reader.erl
+++ b/src/rabbit_reader.erl
@@ -1229,7 +1229,7 @@ handle_method0(#'connection.open'{virtual_host = VHost},
throttle = Throttle}) ->
ok = is_over_connection_limit(VHost, User),
- ok = rabbit_access_control:check_vhost_access(User, VHost, Sock),
+ ok = rabbit_access_control:check_vhost_access(User, VHost, {socket, Sock}),
ok = is_vhost_alive(VHost, User),
NewConnection = Connection#connection{vhost = VHost},
ok = send_on_channel0(Sock, #'connection.open_ok'{}, Protocol),