Bug 519505
| Field | Value |
|---|---|
| Summary | Broker strips domain from userID, causes mismatch on GSSAPI id checking |
| Product | Red Hat Enterprise MRG |
| Component | qpid-cpp |
| Version | 1.1.6 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Target Milestone | 1.3 |
| Hardware | All |
| OS | Linux |
| Reporter | Ted Ross <tross> |
| Assignee | Ken Giusti <kgiusti> |
| QA Contact | Martin Kudlej <mkudlej> |
| CC | kgiusti, mkudlej, rattapat+nobody, tross |
| Doc Type | Bug Fix |
| Doc Text | Due to incorrect stripping of a domain from the "userId" string, connecting to a broker using Kerberos authentication may have caused the messages sent to the broker to be rejected as unauthorized. With this update, the broker was adjusted to store the entire "userID", so that the value can be correctly compared with the string that is sent by a client. |
| Last Closed | 2010-10-14 16:07:52 UTC |

Description
Ted Ross
2009-08-26 21:13:25 UTC
See QPID-943 upstream.

*** Bug 531844 has been marked as a duplicate of this bug. ***

Bugfix committed upstream: svn r819819
http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp?revision=819819&view=markup

I've got the version from 20091016 from candidate (ruby-qpid-0.4.749380-2.el5) and there is nothing to uncomment on line 1557. Is this the proper version to reproduce this issue? Which line should I uncomment/comment? Please write the context of those lines here. Is there any other reproducer for this issue, please?

The line is now at 1530. Here is the context:

```ruby
def message(body, routing_key="broker", ttl=nil)
  dp = @amqp_session.delivery_properties
  dp.routing_key = routing_key
  dp.ttl = ttl if ttl
  mp = @amqp_session.message_properties
  mp.content_type = "x-application/qmf"
  mp.reply_to = amqp_session.reply_to("amq.direct", @reply_name)
  #mp.user_id = @user_id if @user_id      <===== !!!
  return Qpid::Message.new(dp, mp, body)
end

def emit(msg, dest="qpid.management")
```

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
* Cause: connecting to the broker using kerberos authentication.
* Consequence: Messages sent to the broker are rejected as Unauthorized.
* Fix: the broker stores the entire userId string for the connection rather than truncating off the "@domain" portion.
* Result: the broker's stored user id will correctly match full user id strings sent by clients.

Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,4 +1 @@ -* Cause: connecting to the broker using kerberos authentication. +Due to incorrect stripping of a domain from the "userId" string, connecting to a broker using Kerberos authentication may have caused the messages sent to the broker to be rejected as unauthorized. With this update, the broker was adjusted to store the entire "userID", so that the value can be correctly compared with the string that is sent by a client.-* Consequence: Messages sent to the broker are rejected as Unauthorized. -* Fix: the broker stores the entire userId string for the connection rather than truncating off the "@domain" portion. -* Result: the broker's stored user id will correctly match full user id strings sent by clients.

Reproduced in ruby-qpid-0.4.749380-2.el5, qpidc-0.5.752581-28.el5, qpidd-0.5.752581-28.el5 and it doesn't work.

Tested in qpid-java-client-0.7.946106-10.el5, ruby-qpid-0.7.946106-2.el5, qpid-cpp-server-0.7.946106-17.el5, qpid-java-common-0.7.946106-10.el5, qpid-cpp-client-devel-0.7.946106-17.el5, qpid-cpp-client-0.7.946106-17.el5 and it works.

--> VERIFIED

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0773.html
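
Review bot: the added line spells the property two ways, "userId" in its first sentence and "userID" in its second, while the bullets it replaces used "userId" throughout; use one spelling so the note matches the field name clients set. The rewrite also drops the detail from the removed Fix bullet that the truncated part was the "@domain" portion; consider keeping it, since it says exactly what was being cut off.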
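
The mismatch described in the technical note, as an added C++ example that is not qpid-cpp code: it compares a message's user_id with the identity stored at connect time, once with the "@domain" part stripped and once with the full string kept. The function names, the sample principals, the rule that an unset user_id skips the check, and the "strip both sides" variant (included to show why normalising away the realm is not a safe alternative) are assumptions made for the illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Pre-fix behaviour described in the bug: keep only the part before '@'.
// If there is no '@', find() returns npos and the whole string is kept.
std::string stored_id_stripped(const std::string& authenticated) {
    return authenticated.substr(0, authenticated.find('@'));
}

// Post-fix behaviour: keep the whole authenticated identity.
std::string stored_id_full(const std::string& authenticated) {
    return authenticated;
}

// Assumption: a message with no user_id set is not subject to the check.
bool authorized(const std::string& stored, const std::string& msg_user_id) {
    return msg_user_id.empty() || msg_user_id == stored;
}

// Hypothetical alternative: strip both sides before comparing. It makes the
// Kerberos client work again but ignores the realm, so identities from
// different realms compare equal.
bool authorized_strip_both(const std::string& stored, const std::string& msg_user_id) {
    return msg_user_id.empty() ||
           stored_id_stripped(msg_user_id) == stored_id_stripped(stored);
}

int main() {
    const std::string principal = "alice@EXAMPLE.COM";  // constructed sample
    const std::vector<std::string> msg_ids = {          // constructed samples
        "", "alice@EXAMPLE.COM", "alice", "alice@OTHER.REALM", "bob@EXAMPLE.COM"};
    std::cout << "msg user_id | stripped store | full store | strip-both\n";
    for (const auto& id : msg_ids) {
        std::cout << (id.empty() ? "(unset)" : id) << " | "
                  << authorized(stored_id_stripped(principal), id) << " | "
                  << authorized(stored_id_full(principal), id) << " | "
                  << authorized_strip_both(stored_id_full(principal), id) << "\n";
    }
    return 0;
}
```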