Bug 472519
| Field | Value |
|---|---|
| Summary | GSSAPI Support is needed for oVirt 1.0 |
| Product | Red Hat Enterprise MRG |
| Reporter | Chris Pelland <cpelland> |
| Component | qpid-qmf |
| Assignee | Gordon Sim <gsim> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Jeff Needle <jneedle> |
| Severity | medium |
| Priority | urgent |
| Version | 1.1 |
| CC | cpelland, gsim, iboverma, jsarenik, lutter |
| Target Milestone | 1.1.1 |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2009-05-18 08:42:15 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 445749, 476716 |
Description
Chris Pelland
2008-11-21 13:43:15 UTC
For oVirt GSSAPI support needs to be added to the C++ and Ruby clients as well as qpidd.

Created attachment 326785 [details]
Initial patch for qpidd and qpid c++ client

Created attachment 327139 [details]
SASL authentication and encryption for qpidd and c++ client

Includes support for security layer over RDMA. There are new min/max ssf (security strength factor) options for the client to control the strength of the negotiated security layer.

Support from ruby client tracked by dependent BZ476716.

*** Bug 445747 has been marked as a duplicate of this bug. ***

*** Bug 453528 has been marked as a duplicate of this bug. ***

Committed as r732093.

Note to use gssapi you need to install the cyrus-sasl-gssapi package (and make sure your configured mech-list, if any, does not exclude gssapi). Then you need to have a kdc configured for use with the qpidd service. Below are some notes on what I did to set up a simple test environment (on mrg15). I am not very knowledgeable about kerberos admin so this shouldn't be read as best practice, but may be useful to QE etc. Most of what I found out came from: http://tldp.org/HOWTO/Kerberos-Infrastructure-HOWTO/

Broadly, the steps are: install the packages, edit the config file, create an admin account, start the services, add the user principal(s), add a service principal for qpidd, create a keytab for the service principal, ensure that your qpidd instance can read the keytab, kinit the client shell and then specify `--mechanism GSSAPI` to any of the tests (you also probably need to specify the `--broker` to match the hostname your service principal is configured with).

In a bit more detail: The package you need for a kdc is krb5-server (you also need krb5-libs but that is included by default I think in most cases). Then you edit the /etc/krb5.conf file (e.g. see the one I used on mrg15) and add an entry to /var/kerberos/krb5kdc/kadm5.acl to grant administrative access. I simply added the following line:

`*/admin@QPID_TEST *`

which I believe grants all rights to any account that ends with '/admin'. You then create that admin user, e.g.:

`/usr/kerberos/sbin/kadmin.local -q "addprinc admin/admin"`

Then you start the services krb5kdc and kadmin. Then you create (a) user account(s) using the kadmin.local tool. This starts an interactive 'shell' and the command to do so is: `addprinc <username>`. You also need a principal for the qpidd service. I used:

`addprinc -randkey qpidd/mrg15.lab.bos.redhat.com`

for that. Then you export a keytab entry for that principal with the ktadd command, e.g.: `ktadd qpidd/mrg15.lab.bos.redhat.com`. This is /etc/krb5.keytab by default and the qpidd server must be able to access it (I ran my qpidd as root for this).

Verified on RHEL5.i386, qpidd-0.4.744917-1.el5, qpidc-perftest-0.4.744917-1.el5.

Will verify on X86_64 soon. So far, full script follows:
```bash
# make sure you have everything installed -
# yum install krb5-server krb5-workstation qpidd qpidc-perftest
FQDN="dhcp-0-137.brq.redhat.com"   # host running the KDC, qpidd and the test client
USERNAME="testuser"
REALM="EXAMPLE.COM"

# Client-side Kerberos configuration: a single realm whose KDC and admin server are this host.
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = $REALM
[realms]
$REALM = {
kdc = $FQDN
admin_server = $FQDN
}
[domain_realm]
.redhat.com = $REALM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
EOF

# KDC configuration. The single-DES enctypes listed here were the RHEL4/5 defaults
# of the time and are obsolete today; keep them only for a legacy test setup.
cat > /var/kerberos/krb5kdc/kdc.conf <<EOF
[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88
[realms]
$REALM = {
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
EOF

# Grant full administrative rights to every */admin principal in the realm.
cat > /var/kerberos/krb5kdc/kadm5.acl <<EOF
*/admin@$REALM *
EOF

kdb5_util create -s                        # create the KDC database and stash file (prompts for the master password)
kadmin.local -q 'addprinc admin/admin'     # admin principal (prompts for its password)
/etc/init.d/krb5kdc start
/etc/init.d/kadmin start

kinit admin/admin                          # admin credentials for the kadmin calls below
kadmin -q "addprinc -randkey qpidd/$FQDN"  # service principal the broker authenticates as
kadmin -q "ktadd qpidd/$FQDN"              # export its key to /etc/krb5.keytab; qpidd must be able to read it
kadmin -q "addprinc $USERNAME"             # test user (prompts for a password)

kinit $USERNAME                            # client credentials used by the GSSAPI test
qpidd --auth yes --realm $REALM &          # run as root here so the default keytab is readable
perftest -b $FQDN --mechanism GSSAPI --username $USERNAME --tx 1
```
and the clean-up:
```bash
pkill qpidd
/etc/init.d/krb5kdc stop
/etc/init.d/kadmin stop
rm -rfv /etc/krb5*                       # krb5.conf and the keytab
rm -rfv /var/kerberos/krb5kdc/{.k*,*}    # KDC database, stash file and configs (brace expansion needs bash)
```
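Two of the pitfalls Gordon lists above (a SASL mech_list that excludes GSSAPI, and a keytab whose qpidd/<host> principal does not match the hostname the client passes to --broker) can be caught before starting qpidd. The following preflight check is an added example, not code from the bug report or the qpid project; it assumes the SASL application config lives at /etc/sasl2/qpidd.conf and that `klist -k` prints the usual "KVNO Principal" table, and it runs against constructed sample inputs.

```shell
#!/bin/sh
# Preflight checks for the qpidd GSSAPI setup. Both checks take files as input
# so they run offline: pass /etc/sasl2/qpidd.conf (assumed path) and the output
# of `klist -k /etc/krb5.keytab` captured to a file.

# Return 0 if GSSAPI is offered: either there is no mech_list line at all
# (Cyrus SASL then offers every installed mechanism) or GSSAPI is listed.
mech_list_allows_gssapi() {
    if ! grep -qi '^[[:space:]]*mech_list[[:space:]]*:' "$1" 2>/dev/null; then
        return 0
    fi
    grep -i '^[[:space:]]*mech_list[[:space:]]*:' "$1" | tr 'A-Z' 'a-z' | grep -qw gssapi
}

# Return 0 if a klist -k listing contains qpidd/<fqdn>@<realm>, the service
# principal a client connecting with --broker <fqdn> will request a ticket for.
keytab_has_qpidd_principal() {
    grep -q "[[:space:]]qpidd/$2@$3\$" "$1"
}

# Constructed sample inputs (not files from the report); removed on exit.
tmp="${TMPDIR:-/tmp}/gssapi_check.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
printf 'mech_list: ANONYMOUS PLAIN\n' > "$tmp/no_gssapi.conf"
printf 'pwcheck_method: auxprop\nmech_list: gssapi plain\n' > "$tmp/with_gssapi.conf"
printf 'pwcheck_method: auxprop\n' > "$tmp/default.conf"
cat > "$tmp/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -------------------------------------------------------------------
   2 qpidd/mrg15.lab.bos.redhat.com@QPID_TEST
EOF

# Exercise every case; returns 0 only when all checks give the expected answer.
run_checks() {
    mech_list_allows_gssapi "$tmp/no_gssapi.conf" && return 1
    mech_list_allows_gssapi "$tmp/with_gssapi.conf" || return 1
    mech_list_allows_gssapi "$tmp/default.conf" || return 1
    keytab_has_qpidd_principal "$tmp/klist.txt" mrg15.lab.bos.redhat.com QPID_TEST || return 1
    keytab_has_qpidd_principal "$tmp/klist.txt" otherhost.example.com QPID_TEST && return 1
    return 0
}
run_checks && echo "preflight checks behave as expected"
```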
Verified on both i386 and x86_64, both RHEL4.7 and RHEL5.3. The package cyrus-sasl-gssapi was also vital and I did not mention it earlier.

RHEL4: qpidd-0.4.744917-1.el4, qpidc-perftest-0.4.744917-1.el4
RHEL5: qpidd-0.4.744917-1.el5, qpidc-perftest-0.4.744917-1.el5

Created attachment 339507 [details]
Automated test

Something like this will be added to RHTS soon. Tested on both RHELs (4 and 5).