Bug 1089353

Summary: QPID-5711: HA cannot promote primary if SASL security is enabled.
Product: Red Hat Enterprise MRG Reporter: Alan Conway <aconway>
Component: qpid-cppAssignee: Alan Conway <aconway>
Status: CLOSED CURRENTRELEASE QA Contact: Eric Sammons <esammons>
Severity: high Docs Contact:
Priority: high    
Version: 3.0CC: esammons, iboverma, jross, zkraus
Target Milestone: 3.0   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: qpid-cpp-0.22-42 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-21 12:54:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alan Conway 2014-04-18 13:42:44 UTC 
Description of problem: HA does not work with SASL security enabled.


Version-Release number of selected component (if applicable): 
up to 0-22.mrg commit 
  ce156de bz1088003: QPID-5700: ensure interleaved segments on different tracks do not get confused

How reproducible: always


Steps to Reproduce:


  Yes, I have the cyrus packages installed on the nodes.

# rpm -qa | grep cyrus
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64

To narrow down, I've simplified the configuration without HA, see below

===configuration===
i) version 0.26 (built from source)

ii) /etc/qpid/qpidd.conf
acl-file=/etc/qpid/qpidd.acl
auth=yes
realm=QPID
no-data-dir=yes
sasl-config=/etc/sasl2/
log-to-stderr=no
log-enable=debug+
log-to-syslog=yes

# /etc/init.d/qpidd start
Starting Qpid AMQP daemon:                                 [  OK ]

# qpid-config queues -a test/test.10.211:5672 --sasl-mechanism=PLAIN
Queue Name                                Attributes
=================================================================
5b1b0c2e-bc6f-431b-b955-83ce5680d4ac:0.0  auto-del excl

and things work as expected. However when I enable HA and when the 
brokers try to communicate among themselves
I get the following error.

===error===
Promoting qpid daemon to cluster primary: Error in sasl_client_start 
(-4) SASL(-4): no mechanism available: No worthy mechs found

Actual results: error


Expected results: no error
Comment 1 Alan Conway 2014-04-23 12:47:50 UTC 
Fixed on trunk 
------------------------------------------------------------------------
r1589391 | aconway | 2014-04-23 08:42:35 -0400 (Wed, 23 Apr 2014) | 10 lines

QPID-5711: HA cannot promote primary if SASL security is enabled.

Updated the qpid-ha tool and qpidd init scripts to handle SASL authentication.
The qpid-ha script as as called by the qpidd-primary init script now reads
authentication settings from the qpidd.conf file and uses them to connect to the local broker.

- qpidd-primary script respects prefix: use installed location for qpidd script, not "service" call
- qpid-ha added --config option qpid-ha options to use qpidd.conf for local broker connection.
- qpid-ha --all use user/pass for each broker.

------------------------------------------------------------------------
Comment 2 Alan Conway 2014-04-23 13:23:21 UTC 
Should also include the following doc clarification

------------------------------------------------------------------------
r1589403 | aconway | 2014-04-23 09:22:13 -0400 (Wed, 23 Apr 2014) | 2 lines

QPID-5711: HA doc clarifications on security.

------------------------------------------------------------------------
Comment 3 Alan Conway 2014-04-25 17:13:14 UTC 
Backmerged to 0.22-mrg branch on:

http://git.app.eng.bos.redhat.com/git/rh-qpid.git/log/?h=0.22-mrg-aconway-bz1086638-bz1061736

Required to complete 2 other backmerges, the branch contains:

7041626 Bug 1089353 - QPID-5711: HA cannot promote primary if SASL security is enabled.
7f8f8d9 Bug 1086638 - QPID-5719: HA becomes unresponsive once any of the brokers are SIGSTOPed
7cfbd72 Bug 1061736 - NO-JIRA: HA minor cleanup of qpid-ha tool
Comment 4 Leonid Zhaldybin 2014-08-27 07:33:07 UTC 
Tested on RHEL6.5 (both i386 and x86_64). HA cluster is functional if SASL authentication is enabled, promoting a broker using the command "service qpidd-primary start" works just fine. This issue has been fixed.

Packages used for testing:
python-qpid-0.22-17.el6
python-qpid-qmf-0.22-38.el6
qpid-cpp-0.22-47.el6
qpid-proton-c-0.7-3.el6
qpid-qmf-0.22-38.el6
qpid-qmf-devel-0.22-38.el6
qpid-tests-0.22-16.el6
qpid-tools-0.22-14.el6

-> VERIFIED