Can federation link passwords be secured?

Article ID: 297332

Products

Support Only for OpenSource RabbitMQ

Issue/Introduction

The password used when creating federation links with the rabbitmqctl set_parameter command is stored in plain text and is exposed by the rabbitmqctl list_parameters command.
 
For example,

rabbitmqctl set_parameter federation-upstream node01 '{"uri":"amqp://user:password@server/%2F","ack-mode":"on-publish"}'

rabbitmqctl list_parameters
Listing runtime parameters for vhost "/" ...
component name value
federation-upstream node01 {"ack-mode":"on-publish","uri":"amqp://user:password@server/%2F"}

There is no command, configuration, or process to secure or encode the password when running these commands. However, the risk here is limited as only an operator will have the privileges to run these commands.

This is by design and will not be changed in upcoming releases.

Resolution

If this is insufficient for your security requirements, our recommendation is to use client certificates instead of passwords. Refer to https://www.rabbitmq.com/ssl.html for more information.
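
To find the upstreams that still need migrating, the following added example (not part of the original article and not RabbitMQ's own tooling) reads rabbitmqctl list_parameters output, reports every federation upstream whose URI embeds a password, and masks the password so the listing can be shared in a ticket. The sample listing is constructed, and the function names redact and audit are hypothetical; the code also covers the case where "uri" holds a list of URIs.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of `rabbitmqctl list_parameters` output (not real data).
SAMPLE = '''Listing runtime parameters for vhost "/" ...
component\tname\tvalue
federation-upstream\tnode01\t{"ack-mode":"on-publish","uri":"amqp://user:password@server/%2F"}
federation-upstream\tnode02\t{"uri":["amqps://server2/%2F?auth_mechanism=external","amqp://u:s3cret@server3"]}
'''

def redact(uri):
    """Return (uri with any password masked, True if a password was present)."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri, False
    # Keep host[:port] exactly as written (also preserves IPv6 brackets).
    hostpart = parts.netloc.rpartition("@")[2]
    netloc = f"{parts.username}:***@{hostpart}"
    return urlunsplit(parts._replace(netloc=netloc)), True

def audit(listing):
    """Return (upstream name, redacted uri, uses_tls) for each URI carrying a password."""
    findings = []
    for line in listing.splitlines():
        # Columns: component, name, JSON value. Assumes names contain no whitespace.
        fields = line.split(None, 2)
        if len(fields) < 3 or fields[0] != "federation-upstream":
            continue
        try:
            value = json.loads(fields[2])
        except json.JSONDecodeError:
            continue  # not a parameter row we can interpret
        uris = value.get("uri", [])
        if isinstance(uris, str):  # "uri" may be one string or a list of strings
            uris = [uris]
        for uri in uris:
            safe, had_password = redact(uri)
            if had_password:
                findings.append((fields[1], safe, uri.startswith("amqps://")))
    return findings

if __name__ == "__main__":
    for name, safe_uri, tls in audit(SAMPLE):
        print(f"{name}: password in URI ({'TLS' if tls else 'no TLS'}): {safe_uri}")
```

The listing is per virtual host, so run the check against the output for each vhost that has federation upstreams defined.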