Bug 500430

Summary: Feature: Support SASL on inter-broker links
Product: Red Hat Enterprise MRG
Reporter: Gordon Sim <gsim>
Component: qpid-cpp
Assignee: mick <mgoulish>
Status: CLOSED ERRATA
QA Contact: ppecka <ppecka>
Severity: medium
Docs Contact:
Priority: high
Version: 1.1.1
CC: aconway, freznice, iboverma, jneedle, kgiusti, mgoulish, mhusnain, ppecka, tross
Target Milestone: 2.0
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qpid-cpp-mrg-0.9.1079953-1.el5
Doc Type: Enhancement
Doc Text:
Although we have long had the ability to connect from a client to a broker using SASL, and using SSL as the 'external' SASL mechanism, it was not possible to do likewise with the link between two brokers of a federation.

To make this work, one broker in a federation has to behave as the SASL server, while the other acts as the SASL client. Some SASL-related code needed to be moved from the client library into the common library, so that it could be used by both brokers and clients.

It was also necessary to modify qpid-config so that it can set the SASL mechanism when it creates a federation (inter-broker) link.

Federated links can now be SASLized, with an external mechanism of SSL. There is a test at cpp/src/tests/sasl_fed_ex to demonstrate.

Technical Notes Entry:

Previously, the messaging-broker connected successfully from a client to a broker using SASL as well as via SSL as the external SASL mechanism but a similar connection between two brokers of a federation was not possible. Changes have been made to qpid-config and the location of some SASL-related code to allow one federation broker to act as an SASL server while the other acts as an SASL client. Federated links can now be connected with SASL, with the external mechanism of SSL. A test that demonstrates this new connectivity is available at cpp/src/tests/sasl_fed_ex.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-23 15:45:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  Description: to be applied from trunk/qpid
  Flags: mgoulish: review+, mgoulish: review+

Description Gordon Sim 2009-05-12 16:46:21 UTC
For this feature we need to be able to configure inter-broker links to use SASL for authentication and encryption. As well as picking up the preferred mechanism, it should be possible for the mechanism to be overridden. The principal to authenticate as will also need to be configured and (depending on mechanism) there will need to be some way to specify the password.

Comment 2 ppecka 2010-03-23 15:16:36 UTC
Could you please summarize how to validate it?

Comment 3 Gordon Sim 2010-04-01 18:06:51 UTC
See also: https://issues.apache.org/jira/browse/QPID-1672

Comment 4 Gordon Sim 2010-04-01 18:08:02 UTC
To validate this you would set up a broker to only allow mechanisms other than PLAIN/ANONYMOUS, and make sure that this broker could be both the source and destination for inter-broker links.

Comment 7 Alan Conway 2010-06-08 14:34:59 UTC
A fix to this bug also needs to be tested with a cluster at either end of the connection.

Comment 10 mick 2010-09-24 17:42:56 UTC
Created attachment 449476 [details]
to be applied from trunk/qpid

In the trunk/qpid dir, after applying this patch, do this:

      rm ./cpp/src/qpid/client/Sasl.h   ./cpp/src/qpid/client/SaslFactory.*

Comment 11 mick 2010-09-24 17:47:34 UTC
This is not my final patch -- just here to help getting it reviewed.
I will mark BZ MODI after that review, and then attach final patch.

Comment 12 mick 2010-10-20 08:37:11 UTC
Fixed by checkin 1024541.

Comment 13 mick 2010-10-21 09:13:44 UTC
Can't mark as "modified" yet, because there is no package to test in.

Comment 16 Ken Giusti 2011-01-20 19:52:33 UTC
Note: 

This fix modified qpid-tool.  The fix is also in the qpid-tools package:

Moved to mrg_1.3.0.x branch.
Released in qpid-tools-0.7.946106-12

http://mrg1.lab.bos.redhat.com/cgit/qpid.git/tag/?id=qpid-tools-0.7.946106-12

Comment 17 mick 2011-01-25 14:02:15 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Although we have long had the ability to connect from a client to a broker using SASL, and using SSL as the 'external' SASL mechanism, it was not possible to do likewise with the link between two brokers of a federation.

To make this work, one broker in a federation has to behave as the SASL server, while the other acts as the SASL client.  Some SASL-related code needed to be moved from the client library into the common library, so that it could be used by both brokers and clients.

It was also necessary to modify qpid-config so that it can set the SASL mechanism when it creates a federation (inter-broker) link.

Federated links can now be SASLized, with an external mechanism of SSL.  There is a test at cpp/src/tests/sasl_fed_ex to demonstrate.

Comment 19 ppecka 2011-02-07 18:56:55 UTC
Can anyone explain what's happening on DEST BROKER? (very bottom log of this post)

/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5673   add exchange  direct exc_tstid01_base00_ext00

/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5673   add queue  que_tstid01_base00_ext00

/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5673   bind   exc_tstid01_base00_ext00 que_tstid01_base00_ext00 bnd_tstid01_base00_ext00

/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5674   add exchange  direct exc_tstid01_base00_ext00

/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5674   add queue  que_tstid01_base00_ext00

/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5674   bind   exc_tstid01_base00_ext00 que_tstid01_base00_ext00 bnd_tstid01_base00_ext00


/usr/bin/qpid-route  queue add tester.eng.bos.redhat.com:5674 tester.eng.bos.redhat.com:5673  exc_tstid01_base00_ext00 que_tstid01_base00_ext00 --sasl-mechanism=GSSAPI

SOURCE QPIDD log
2011-02-07 13:38:44 debug RECV [10.16.65.4:48043] INIT(0-10)
2011-02-07 13:38:44 debug External ssf=0 and auth=
2011-02-07 13:38:44 debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2011-02-07 13:38:44 info SASL: Mechanism list: GSSAPI
2011-02-07 13:38:44 debug Management object (V1) added: org.apache.qpid.broker:connection:10.16.65.4:48043
2011-02-07 13:38:44 warning Client closed connection with 541: internal-error: interaction disallowed
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.clientDisconnect

DESTINATION QPIDD log
2011-02-07 13:38:44 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:44 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)
2011-02-07 13:38:44 debug CyrusSasl::start(PLAIN)
2011-02-07 13:38:44 debug min_ssf: 0, max_ssf: 256
2011-02-07 13:38:44 debug getUserFromSettings(): tester
2011-02-07 13:38:44 debug Exception constructed: interaction disallowed
2011-02-07 13:38:44 debug DISCONNECTED [hp-xw9400-01.rhts.eng.bos.redhat.com:5673]
2011-02-07 13:38:44 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-07 13:38:44 warning Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
2011-02-07 13:38:46 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:46 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)
2011-02-07 13:38:46 debug CyrusSasl::start(PLAIN)
2011-02-07 13:38:46 debug min_ssf: 0, max_ssf: 256
2011-02-07 13:38:46 debug getUserFromSettings(): tester
2011-02-07 13:38:46 debug Exception constructed: interaction disallowed
2011-02-07 13:38:46 debug DISCONNECTED [hp-xw9400-01.rhts.eng.bos.redhat.com:5673]
2011-02-07 13:38:46 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-07 13:38:46 warning Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
2011-02-07 13:38:48 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:48 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:48 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:48 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:48 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)

Comment 20 Frantisek Reznicek 2011-02-08 08:38:16 UTC
The above exception is thrown from src/qpid/SaslFactory.cpp:343 CyrusSasl::interact(...)

void CyrusSasl::interact(sasl_interact_t* client_interact)
{

    /*
      In some context console interaction cannot be allowed, such
      as when this code run as part of a broker, or as a some other
      daemon.   In those cases we will treat the attempt to
    */
    if ( ! allowInteraction ) {
        throw InternalErrorException("interaction disallowed");
    }

    if (client_interact->id == SASL_CB_PASS) {
        char* password = getpass(client_interact->prompt);
        input = std::string(password);
        client_interact->result = input.data();
        client_interact->len = input.size();
    } else {
        std::cout << client_interact->prompt;
        if (client_interact->defresult) std::cout << " (" << client_interact->defresult << ")";
        std::cout << ": ";
        if (std::cin >> input) {
            client_interact->result = input.data();
            client_interact->len = input.size();
        }
    }

}


It seems that CyrusSasl class gets allowInteraction equal to false from src/qpid/broker/ConnectionHandler.cpp
ConnectionHandler::Handler::start(...) [the allowInteraction is by default true]

    if ( connection.getBroker().isAuthenticating() ) {
        sasl = SaslFactory::getInstance().create( username,
                                                  password,
                                                  service,
                                                  host,
                                                  0,   // TODO -- mgoulish Fri Sep 24 2010
                                                  256,
                                                  false ); // disallow interaction

Comment 21 ppecka 2011-02-08 09:45:40 UTC
I'll try to add additional information to comment #19:
I'm trying to create a "queue" type federation link over GSSAPI. Host setup was reduced to a single host. Source broker runs on port 5673, Destination on 5674. The utility qpid-route (log below) shows the link as established.
Log in comment #19 shows that the source broker tries to establish a connection over GSSAPI every 2 seconds with the same result (interaction disallowed).
On the Destination Broker there is raiseEvent:

debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
...
debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown

Then I'm trying to send messages into the previously created queues on the source broker, and read them on the destination broker. The result is that messages can be found only on the source broker - so messages are not passing to the destination queue over the federation link when using the external auth mechanism GSSAPI.

qpid-route route map $(uname -n):5674

Finding Linked Brokers:
    hp-xw9400-01.rhts.eng.bos.redhat.com:5674... Ok
    hp-xw9400-01.rhts.eng.bos.redhat.com:5673... Ok

Dynamic Routes:
  none found

Static Routes:

  hp-xw9400-01.rhts.eng.bos.redhat.com:5674(ex=exc_tstid01_base00_ext00) <= hp-xw9400-01.rhts.eng.bos.redhat.com:5673(queue=que_tstid01_base00_ext00)

SOURCE>>
2011-02-08 04:20:33 debug RECV [10.16.65.4:50430] INIT(0-10)
2011-02-08 04:20:33 debug External ssf=0 and auth=
2011-02-08 04:20:33 debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2011-02-08 04:20:33 info SASL: Mechanism list: GSSAPI
2011-02-08 04:20:33 debug Management object (V1) added: org.apache.qpid.broker:connection:10.16.65.4:50430
2011-02-08 04:20:33 warning Client closed connection with 541: internal-error: interaction disallowed
2011-02-08 04:20:33 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.clientDisconnect

DEST>>
2011-02-08 04:22:37 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-08 04:22:37 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)
2011-02-08 04:22:37 debug CyrusSasl::start(PLAIN)
2011-02-08 04:22:37 debug min_ssf: 0, max_ssf: 256
2011-02-08 04:22:37 debug Exception constructed: interaction disallowed
2011-02-08 04:22:37 debug DISCONNECTED [hp-xw9400-01.rhts.eng.bos.redhat.com:5673]
2011-02-08 04:22:37 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-08 04:22:37 warning Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown

klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tester

Valid starting     Expires            Service principal
02/07/11 14:26:04  02/08/11 14:26:04  krbtgt/PEPE.COM
02/07/11 14:26:04  02/08/11 14:26:04  qpidd/hp-xw9400-01.rhts.eng.bos.redhat.com

/usr/sbin/qpidd -d --data-dir /tmp/5673 --port 5673 --log-to-stderr no --log-to-stdout no --log-enable debug+ --log-to-file /tmp/5673/qpidd.log --auth yes --realm PEPE.COM

/usr/sbin/qpidd -d --data-dir /tmp/5674 --port 5674 --log-to-stderr no --log-to-stdout no --log-enable debug+ --log-to-file /tmp/5674/qpidd.log --auth yes --realm PEPE.COM
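To make the two logs above easier to read side by side, here is an added example (not part of this bug report or of the Qpid project's own tooling) that parses the qpidd log lines quoted in comments 19 and 21 and reports the three things worth confirming: which SASL mechanisms the source broker advertised, which mechanism the destination's link client actually started, and how often the link flapped. The sample logs are trimmed copies of the ones in this thread; the function names and the report format are my own.

```python
import re
from datetime import datetime

# Constructed sample input: trimmed copies of the qpidd logs quoted in comments 19
# and 21 of this bug (source broker on :5673, destination broker on :5674).
SOURCE_LOG = """\
2011-02-07 13:38:44 debug RECV [10.16.65.4:48043] INIT(0-10)
2011-02-07 13:38:44 debug External ssf=0 and auth=
2011-02-07 13:38:44 debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2011-02-07 13:38:44 info SASL: Mechanism list: GSSAPI
2011-02-07 13:38:44 warning Client closed connection with 541: internal-error: interaction disallowed
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.clientDisconnect
"""

DEST_LOG = """\
2011-02-07 13:38:44 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:44 debug CyrusSasl::start(PLAIN)
2011-02-07 13:38:44 debug Exception constructed: interaction disallowed
2011-02-07 13:38:44 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
2011-02-07 13:38:46 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:46 debug CyrusSasl::start(PLAIN)
2011-02-07 13:38:46 debug Exception constructed: interaction disallowed
2011-02-07 13:38:46 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-07 13:38:46 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
2011-02-07 13:38:48 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:48 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")
MECH_LIST_RE = re.compile(r"SASL: Mechanism list: (.+)$")
SASL_START_RE = re.compile(r"CyrusSasl::start\((\w+)\)")


def parse(log_text):
    """Yield (timestamp, level, message) for every well-formed qpidd log line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def analyze_link(source_log, dest_log):
    """Correlate the SASL server side (source broker log) with the link client
    side (destination broker log); return parsed facts plus readable findings."""
    offered = set()                       # mechanisms the source broker advertised
    for _, _, msg in parse(source_log):
        m = MECH_LIST_RE.search(msg)
        if m:
            offered.update(m.group(1).split())

    attempted = []                        # mechanism the link client started, per attempt
    connect_times = []                    # one entry per "link connecting" line
    link_down = 0
    interaction_disallowed = False
    for ts, _, msg in parse(dest_log):
        if "Inter-broker link connecting to" in msg:
            connect_times.append(ts)
        m = SASL_START_RE.search(msg)
        if m:
            attempted.append(m.group(1))
        if msg.endswith("brokerLinkDown"):
            link_down += 1
        if "interaction disallowed" in msg:
            interaction_disallowed = True

    intervals = [(b - a).total_seconds() for a, b in zip(connect_times, connect_times[1:])]
    # Mismatch only when both sides are known and share no mechanism at all.
    mismatch = bool(attempted) and bool(offered) and not (set(attempted) & offered)

    findings = []
    if mismatch:
        findings.append("link client started %s but the peer offers only %s"
                        % (sorted(set(attempted)), sorted(offered)))
    if interaction_disallowed:
        findings.append("SASL callback asked for interactive input, which a broker disallows")
    if len(connect_times) >= 3:
        findings.append("link flapping: %d connect attempts, %g-%gs apart"
                        % (len(connect_times), min(intervals), max(intervals)))

    return {
        "offered": offered,
        "attempted": attempted,
        "mechanism_mismatch": mismatch,
        "connect_attempts": len(connect_times),
        "reconnect_interval_s": min(intervals) if intervals else None,
        "link_down_events": link_down,
        "interaction_disallowed": interaction_disallowed,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze_link(SOURCE_LOG, DEST_LOG)["findings"]:
        print("-", line)
```

Run against the logs in this thread, the report says: the source offers only GSSAPI, the link client starts PLAIN, the broker-side SASL callback refuses interactive input, and the destination reconnects every 2 seconds while logging "link established" each time, which is why qpid-route can show the link as Ok even though no messages cross it.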

Comment 22 mick 2011-02-09 08:40:02 UTC
It looks like the tool qpid-route can be used in more than one way to create a route between two brokers.

But I only extended one of those ---    "qpid-route route add"   --- to have the new "external" flag.

The QE script that is being used to test this feature is using a different method:  "qpid-route queue add".   That has not been extended, and so the broker is not being told to use SASL EXTERNAL.

Please see my test script cpp/src/tests/sasl_fed_ex

Also, the help message in qpid-route says that the flag "--sasl-mechanism"  is  "not for authentication between the source and destination brokers"  --- but that flag is being used in the script.

Comment 23 ppecka 2011-02-09 10:17:44 UTC
I can verify that creating a federation link of type "exchange-to-exchange" works, and for such a federation link type the user can specify the preferred mechanism. As I tried to propose above, it does not work (or it's unclear) how a user can create a link for the "queue-to-exchange" and "dynamic-exchange links" federation link types (via the qpid-route tool these are "qpid-route  queue add" and "qpid-route  dynamic add").

Comment 24 ppecka 2011-04-19 09:19:16 UTC
Verified with SSL on RHEL4, RHEL5, RHEL6 (both i386 and x86_64):
  - since passing SSL credentials between server-broker and client-broker is still not supported by the Python API, there is
 https://bugzilla.redhat.com/show_bug.cgi?id=694762

Verified with GSSAPI mechanism on RHEL5, RHEL6 (i386, x86_64)

VERIFIED

Comment 25 Misha H. Ali 2011-05-31 01:24:08 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -4,4 +4,8 @@
 
 It was also necessary to modify qpid-config so that it can set the SASL mechanism when it creates a federation (inter-broker) link.
 
-Federated links can now be SASLized, with an external mechanism of SSL.  There is a test at cpp/src/tests/sasl_fed_ex to demonstrate.+Federated links can now be SASLized, with an external mechanism of SSL.  There is a test at cpp/src/tests/sasl_fed_ex to demonstrate.
+
+Technical Notes Entry:
+
+Previously, the messaging-broker connected successfully from a client to a broker using SASL as well as via SSL as the external SASL mechanism but a similar connection between two brokers of a federation was not possible. Changes have been made to qpid-config and the location of some SASL-related code to allow one federation broker to act as an SASL server while the other acts as an SASL client. Federated links can now be connected with SASL, with the external mechanism of SSL. A test that demonstrates this new connectivity is available at cpp/src/tests/sasl_fed_ex.
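Review bot: the added "Technical Notes Entry" paragraph (the last + line) restates the four paragraphs that precede it, so the Doc Text field now carries the same content twice; if the entry is the version meant for the release notes, drop the earlier paragraphs rather than keeping both. Within that paragraph, "an SASL server" and "an SASL client" should read "a SASL server" and "a SASL client", matching "the SASL server" in the unchanged text above, and "messaging-broker" does not need the hyphen.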

Comment 26 Misha H. Ali 2011-06-06 03:13:47 UTC
Technical note can be viewed in the release notes for 2.0 at the documentation stage here:

http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2.0/html-single/MRG_Release_Notes/index.html#tabl-MRG_Release_Notes-RHM_Update_Notes-RHM_Update_Notes

Comment 27 errata-xmlrpc 2011-06-23 15:45:51 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0890.html