Using LDAP authentication and authorization with Amazon MQ for RabbitMQ
This tutorial describes how to configure LDAP authentication and authorization for an Amazon MQ for RabbitMQ broker using Amazon Managed Microsoft AD.
Prerequisites for configuring LDAP authentication and authorization
You can set up the prerequisites by deploying the Amazon CDK stack for Amazon MQ for RabbitMQ. This CDK stack automatically creates all of the required Amazon resources, including Amazon Managed Microsoft AD, LDAP users and groups, a Network Load Balancer, certificates, and IAM roles. For the complete list of resources the stack creates, see the package README.
If you set up the resources manually instead of using the CDK stack, make sure you have equivalent infrastructure in place before you configure LDAP for a RabbitMQ broker on Amazon MQ.
Prerequisites for setting up Amazon MQ
Amazon CLI version >= 2.28.23, which makes providing a username and password optional when creating a broker.
Configuring LDAP in RabbitMQ using the Amazon CLI
This procedure uses the Amazon CLI to create and configure the necessary resources. Throughout the procedure, make sure to replace the placeholder values, such as the configuration ID `<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>` and the revision `<2>`, with your actual values.
1. Create a new configuration with the create-configuration Amazon CLI command, as shown in the following example.

```shell
aws mq create-configuration \
  --name "rabbitmq-ldap-config" \
  --engine-type "RABBITMQ" \
  --engine-version "3.13"
```

This command returns a response similar to the following example.

```json
{
  "Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
  "AuthenticationStrategy": "simple",
  "Created": "2025-07-17T16:03:01.759943+00:00",
  "Id": "c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca",
  "LatestRevision": {
    "Created": "2025-07-17T16:03:01.759000+00:00",
    "Description": "Auto-generated default for rabbitmq-ldap-config on RabbitMQ 3.13",
    "Revision": 1
  },
  "Name": "rabbitmq-ldap-config"
}
```
2. Create a configuration file named rabbitmq.conf that uses LDAP as the authentication and authorization method, as shown in the following example. Replace every placeholder value in the template (marked ${RabbitMqLdapTestStack.*}) with the actual value from the outputs of the deployed Amazon CDK prerequisite stack or from your equivalent infrastructure.

```ini
auth_backends.1 = ldap

# LDAP authentication settings - For more information,
# see https://www.rabbitmq.com/docs/ldap#basic
# FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual values
# from your deployed prerequisite CDK stack outputs.
auth_ldap.servers.1 = ${RabbitMqLdapTestStack.NlbDnsName}
auth_ldap.dn_lookup_bind.user_dn = ${RabbitMqLdapTestStack.DnLookupUserDn}
auth_ldap.dn_lookup_base = ${RabbitMqLdapTestStack.DnLookupBase}
auth_ldap.dn_lookup_attribute = ${RabbitMqLdapTestStack.DnLookupAttribute}
auth_ldap.port = 636
auth_ldap.use_ssl = true
auth_ldap.ssl_options.verify = verify_peer
auth_ldap.log = network

# AWS integration for secure credential retrieval
# - see: https://github.com/amazon-mq/rabbitmq-aws
# The aws plugin allows RabbitMQ to securely retrieve credentials and certificates
# from AWS services.
# Replace the ${RabbitMqLdapTestStack.*} placeholders with actual ARN values
# from your deployed prerequisite CDK stack outputs.
aws.arns.auth_ldap.ssl_options.cacertfile = ${RabbitMqLdapTestStack.CaCertArn}
aws.arns.auth_ldap.dn_lookup_bind.password = ${RabbitMqLdapTestStack.DnLookupUserPasswordArn}
aws.arns.assume_role_arn = ${RabbitMqLdapTestStack.AmazonMqAssumeRoleArn}

# LDAP authorization queries - For more information,
# see: https://www.rabbitmq.com/docs/ldap#authorisation
# FIXME: Replace the ${RabbitMqLdapTestStack.*} placeholders with actual group DN
# values from your deployed prerequisite CDK stack outputs
# Uses Active Directory groups created by the prerequisite CDK stack
auth_ldap.queries.tags = '''
  [{administrator, {in_group, "${RabbitMqLdapTestStack.RabbitMqAdministratorsGroupDn}"}},
   {management,    {in_group, "${RabbitMqLdapTestStack.RabbitMqMonitoringUsersGroupDn}"}}]
'''

# FIXME: This provides all authenticated users access to all vhosts
# - update to restrict access as required
auth_ldap.queries.vhost_access = '''
  {constant, true}
'''

# FIXME: This provides all authenticated users full access to all
# queues and exchanges - update to restrict access as required
auth_ldap.queries.resource_access = '''
  {for, [
    {permission, configure, {constant, true}},
    {permission, write, {for, [{resource, queue,    {constant, true}},
                               {resource, exchange, {constant, true}}]}},
    {permission, read,  {for, [{resource, exchange, {constant, true}},
                               {resource, queue,    {constant, true}}]}}
  ]}
'''

# FIXME: This provides all authenticated users access to all topics
# - update to restrict access as required
auth_ldap.queries.topic_access = '''
  {for, [{permission, write, {constant, true}},
         {permission, read,  {constant, true}}]}
'''
```
3. Update the configuration with the update-configuration Amazon CLI command, as shown in the following example. In this command, supply the configuration ID you received in the response in step 1 of this procedure, for example c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca.

```shell
aws mq update-configuration \
  --configuration-id "<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>" \
  --data "$(cat rabbitmq.conf | base64 --wrap=0)"
```

This command returns a response similar to the following example.

```json
{
  "Arn": "arn:aws:mq:us-west-2:123456789012:configuration:c-b600ac8e-8183-4f74-a713-983e59f30e3d",
  "Created": "2025-07-17T16:57:04.520931+00:00",
  "Id": "c-b600ac8e-8183-4f74-a713-983e59f30e3d",
  "LatestRevision": {
    "Created": "2025-07-17T16:57:39.172000+00:00",
    "Revision": 2
  },
  "Name": "rabbitmq-ldap-config",
  "Warnings": []
}
```
4. Create a broker that uses the LDAP configuration you created in step 2 of this procedure. To do so, use the create-broker Amazon CLI command, as shown in the following example. In this command, supply the configuration ID and the revision number you received in the responses in step 1 and step 2 respectively, for example c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca and 2.

```shell
aws mq create-broker \
  --broker-name "rabbitmq-ldap-test-1" \
  --engine-type "RABBITMQ" \
  --engine-version "3.13" \
  --host-instance-type "mq.m7g.large" \
  --deployment-mode "CLUSTER_MULTI_AZ" \
  --logs '{"General": true}' \
  --publicly-accessible \
  --configuration '{"Id": "<c-fa3390a5-7e01-4559-ae0c-eb15b38b22ca>","Revision": <2>}'
```

This command returns a response similar to the following example.

```json
{
  "BrokerArn": "arn:aws:mq:us-west-2:123456789012:broker:rabbitmq-ldap-broker:b-2a1b5133-a10c-49d2-879b-8c176c34cf73",
  "BrokerId": "b-2a1b5133-a10c-49d2-879b-8c176c34cf73"
}
```

Broker naming restriction
The IAM role created by the prerequisite CDK stack restricts broker names to ones that begin with rabbitmq-ldap-test. Make sure your broker name follows this pattern; otherwise the IAM role will not be permitted to assume the role used for ARN resolution.
5. Use the describe-broker Amazon CLI command to verify that the broker state transitions from CREATION_IN_PROGRESS to RUNNING, as shown in the following example. In this command, supply the broker ID you received in the result of the previous step, for example b-2a1b5133-a10c-49d2-879b-8c176c34cf73.

```shell
aws mq describe-broker \
  --broker-id "<b-2a1b5133-a10c-49d2-879b-8c176c34cf73>"
```

This command returns a response similar to the following example. The following response is an abbreviated version of the full output returned by the describe-broker command. It shows the broker state and the authentication strategy that secures the broker; here, the config_managed authentication strategy indicates that the broker uses the LDAP authentication method.

```json
{
  "AuthenticationStrategy": "config_managed",
  ...,
  "BrokerState": "RUNNING",
  ...
}
```
6. Verify RabbitMQ access using one of the test users created by the prerequisite CDK stack.

```shell
# FIXME: Replace ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} with the actual ARN
# from your deployed prerequisite CDK stack outputs
CONSOLE_PASSWORD=$(aws secretsmanager get-secret-value \
  --secret-id ${RabbitMqLdapTestStack.ConsoleUserPasswordArn} \
  --query 'SecretString' --output text)

# FIXME: Replace BrokerConsoleURL with the actual ConsoleURL retrieved by
# calling describe-broker for the broker created above

# Call management API /api/overview (should succeed)
curl -u RabbitMqConsoleUser:$CONSOLE_PASSWORD \
  https://${BrokerConsoleURL}/api/overview

# Try to create a user (should fail - console user only has monitoring permissions)
curl -u RabbitMqConsoleUser:$CONSOLE_PASSWORD \
  -X PUT https://${BrokerConsoleURL}/api/users/testuser \
  -H "Content-Type: application/json" \
  -d '{"password":"testpass","tags":"management"}'
```
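The vhost_access, resource_access and topic_access queries in the rabbitmq.conf template from step 2 grant every authenticated user every permission (the FIXME comments flag this). The fragment below is an added illustration, not part of the original page or of the CDK stack, of how those three queries can be tightened with the same RabbitMQ LDAP query terms (in_group, match and for); the group DNs under ou=rabbitmq,dc=example,dc=com are assumed placeholders for groups that exist in your directory.

```ini
# Added example (not from the original page or the CDK stack): restrictive
# replacements for the three permissive authorization queries. Group DNs are
# assumed placeholders; substitute the groups that exist in your directory.

# vhost access: a user may open vhost X only as a member of the group named
# after that vhost, e.g. cn=orders-users for vhost "orders".
auth_ldap.queries.vhost_access = '''
  {in_group, "cn=${vhost}-users,ou=rabbitmq,dc=example,dc=com"}
'''

# resource access: only administrators may declare or delete queues and
# exchanges (configure). Other users may publish to any exchange and bind to
# it (exchange write/read), but may only bind to and consume from queues whose
# names start with their own username, e.g. "alice-" for user alice.
auth_ldap.queries.resource_access = '''
  {for, [
    {permission, configure, {in_group, "cn=rabbitmq-administrators,ou=rabbitmq,dc=example,dc=com"}},
    {permission, write, {for, [
      {resource, exchange, {constant, true}},
      {resource, queue,    {match, {string, "${name}"}, {string, "^${username}-"}}}]}},
    {permission, read, {for, [
      {resource, exchange, {constant, true}},
      {resource, queue,    {match, {string, "${name}"}, {string, "^${username}-"}}}]}}
  ]}
'''

# topic access: publishing through topic exchanges is limited to a publisher
# group; binding/consuming stays open to anyone who already passed vhost_access.
auth_ldap.queries.topic_access = '''
  {for, [{permission, write, {in_group, "cn=rabbitmq-publishers,ou=rabbitmq,dc=example,dc=com"}},
         {permission, read,  {constant, true}}]}
'''
```

With auth_ldap.log = network still set from the template, each evaluated query and its result is written to the broker log, which is the quickest way to confirm a rule denies or allows what you expect before rolling it out.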