Bug 585866
| Summary: | qpid python client hangs in connection_start() when GSSAPI authentication fails because of invalid krb ticket | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Frantisek Reznicek <freznice> | ||||
| Component: | python-qpid | Assignee: | Gordon Sim <gsim> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Frantisek Reznicek <freznice> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | Development | CC: | esammons, gsim | ||||
| Target Milestone: | 1.3 | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | Type: | --- | |||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Issue seen on packages: [root@mrg-qe-02 qpid_ptest_authentication_krb5]# [root@mrg-qe-02 1]# rpm -qa | grep -E '(qpid|sasl)' | sort -u cyrus-sasl-2.1.22-5.el5_4.3 cyrus-sasl-devel-2.1.22-5.el5_4.3 cyrus-sasl-gssapi-2.1.22-5.el5_4.3 cyrus-sasl-lib-2.1.22-5.el5_4.3 cyrus-sasl-plain-2.1.22-5.el5_4.3 python-qpid-0.7.934605-1.el5 python-saslwrapper-0.1.934605-1.el5 qpid-cpp-client-0.7.935473-1.el5 qpid-cpp-client-devel-0.7.935473-1.el5 qpid-cpp-client-devel-docs-0.7.935473-1.el5 qpid-cpp-client-ssl-0.7.935473-1.el5 qpid-cpp-mrg-debuginfo-0.7.935473-1.el5 qpid-cpp-server-0.7.935473-1.el5 qpid-cpp-server-cluster-0.7.935473-1.el5 qpid-cpp-server-devel-0.7.935473-1.el5 qpid-cpp-server-ssl-0.7.935473-1.el5 qpid-cpp-server-store-0.7.935473-1.el5 qpid-cpp-server-xml-0.7.935473-1.el5 qpid-java-client-0.7.934605-1.el5 qpid-java-common-0.7.934605-1.el5 qpid-tests-0.7.930108-1.el5 qpid-tools-0.7.934605-2.el5 ruby-qpid-0.7.935473-1.el5 ruby-saslwrapper-0.1.934605-1.el5 saslwrapper-0.1.934605-1.el5 saslwrapper-devel-0.1.934605-1.el5 Created attachment 409130 [details]
The testing client
Fixed in r938558. The issue has been fixed, tested on RHEL 5.5 i386 / x86_64 on packages: python-qpid-0.7.946106-1.el5 qpid-cpp-client-0.7.946106-2.el5 qpid-cpp-client-devel-0.7.946106-2.el5 qpid-cpp-client-devel-docs-0.7.946106-2.el5 qpid-cpp-client-ssl-0.7.946106-2.el5 qpid-cpp-mrg-debuginfo-0.7.946106-1.el5 qpid-cpp-server-0.7.946106-2.el5 qpid-cpp-server-cluster-0.7.946106-2.el5 qpid-cpp-server-devel-0.7.946106-2.el5 qpid-cpp-server-ssl-0.7.946106-2.el5 qpid-cpp-server-store-0.7.946106-2.el5 qpid-cpp-server-xml-0.7.946106-2.el5 qpid-java-client-0.7.946106-3.el5 qpid-java-common-0.7.946106-3.el5 qpid-tests-0.7.946106-1.el5 qpid-tools-0.7.946106-4.el5 ruby-qpid-0.7.946106-1.el5 -> VERIFIED |
Description of problem: There are observed issues with qpid python client trying to authenticate using GSSAPI method when GSSAPI/kerberos ticket is not available/valid. More precisely the observation proves that GSSAP authentication passes when kerberos ticket is available and valid, but when the same command == authentication test is re-run after kdestroy (kerberos ticket cache cleared) then qpid python client hangs in connection_start(): qc_client.py --conn-auth-mechanism GSSAPI -p 43942 --user 0K1TJvtuRzC8n4QjUKSparV --broker mrg-qe-02.lab.eng.brq.redhat.com Exception in thread Thread-1: Traceback (most recent call last): File "/usr/lib64/python2.4/threading.py", line 442, in __bootstrap self.run() File "/usr/lib64/python2.4/threading.py", line 422, in run self.__target(*self.__args, **self.__kwargs) File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 179, in run self.delegate.received(op) File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 52, in received getattr(self, op.NAME)(ch, op) File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 213, in connection_start raise Closed("SASL error: %s" % self.sasl.getError()) Closed: SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide mor e information (Unknown code krb5 195) I believe message might be correct, but client then stops operation and hangs, even the connection timeout does not end this. Above behavior was detected on both RHEL 5.5. i386 and x86_64. Version-Release number of selected component (if applicable): How reproducible: 100% Steps to Reproduce: 1. set-up kerberos 2. run broker with authentication (--auth yes) 3. perform kinit <user> 4. perform client test qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user <existing-user> --broker <broker-host> expect everything ok 5. perform kdestroy 6. perform client test the same as in point 4. behavior - hang in connection_start() Actual results: qpid python client hangs in connection_start() when GSSAPI authentication fails because of invalid krb ticket. Expected results: qpid python client should not hang when GSSAPI authentication fails because of invalid krb ticket. Additional info: Example of client run: qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com Exception in thread Thread-1: Traceback (most recent call last): File "/usr/lib/python2.4/threading.py", line 442, in __bootstrap self.run() File "/usr/lib/python2.4/threading.py", line 422, in run self.__target(*self.__args, **self.__kwargs) File "/usr/lib/python2.4/site-packages/qpid/connection.py", line 179, in run self.delegate.received(op) File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 52, in received getattr(self, op.NAME)(ch, op) File "/usr/lib/python2.4/site-packages/qpid/delegates.py", line 213, in connection_start raise Closed("SASL error: %s" % self.sasl.getError()) Closed: SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide mor e information (No credentials cache found) qc_client.py --conn-auth-mechanism GSSAPI -p 35585 --user KPml54FCRyIL6GByY --broker mrg-qe-01.lab.eng.brq.redhat.com