Bug 684458

Summary: Review QMF plugin defaults for secure broker auth
Product: Red Hat Enterprise MRG
Component: condor-qmf
Version: Development
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Target Milestone: 2.0
Hardware: All
OS: All
Reporter: Pete MacKinnon <pmackinn>
Assignee: Robert Rati <rrati>
QA Contact: MRG Quality Engineering <mrgqe-bugs>
CC: matt
Doc Type: Bug Fix
Last Closed: 2011-03-17 14:41:47 UTC

Description Pete MacKinnon 2011-03-12 18:31:07 UTC
Changes introduced in BZ 606391 have impacted the default OOTB SASL-based authorization for the condor qmf plugins. In the absence of the new configuration described in 606391, the plugins won't be able to establish an authenticated connection to the broker when it has SASL turned on. Note that the schedd plugin relies on broker SASL auth in order to provide us with a userid string that is checked in the mgmt plugin. This is our only security safeguard for submissions from QMF at this time.

Some options:
1) revert defaults in plugins, etc. to use "guest/guest" identity when initializing the agent if it can't get condor params for same. The guest user is OOTB with the broker install IIRC.
2) doc updates that explicitly expand the broker auth setup instructions for secured submissions
 - broker & sasl config AND
 - condor user/password config from 606391

Comment 1 Pete MacKinnon 2011-03-15 15:30:53 UTC
Looks like option #2 is really what is called for. We can no longer rely on the guest user id being an OOTB credential. The ACL file passed to the broker like this: 

sudo qpidd --load-module /usr/lib/qpid/daemon/acl.so --acl-file /full/path/to/qpidd.acl --auth=yes

should have lines like:

acl allow cumin@QPID all all
acl allow anonymous@QPID all all
acl deny all all
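
Added example, not part of the bug thread or of the MRG/Qpid code: a small review script for a qpidd ACL file like the one quoted in Comment 1. It reports rules that give a shared identity full access, rules that can never match, and a missing closing deny. It assumes the broker applies the first matching rule; the `WEAK_USERS` list, the finding codes and the function names are hypothetical.

```python
# Identities treated as shared or non-authenticating (assumed list for this example).
WEAK_USERS = {"anonymous", "guest"}
PERMISSIONS = {"allow", "allow-log", "deny", "deny-log"}

# Constructed sample: the three rules quoted in Comment 1.
THREAD_ACL = """\
acl allow cumin@QPID all all
acl allow anonymous@QPID all all
acl deny all all
"""

def parse_acl(text):
    """Return (lineno, permission, actor, action, object) for each 'acl' rule.
    Comments, blank lines and 'group' lines are skipped; line continuations
    are not handled. An omitted object is treated as 'all' (assumption)."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0] != "acl":
            continue
        if len(tok) < 4 or tok[1] not in PERMISSIONS:
            raise ValueError(f"line {n}: malformed rule: {raw!r}")
        rules.append((n, tok[1], tok[2], tok[3], tok[4] if len(tok) > 4 else "all"))
    return rules

def lint(text):
    """Return (lineno, code) findings; line 0 marks a file-level finding."""
    findings, catch_all = [], None
    for n, perm, actor, action, obj in parse_acl(text):
        wide = action == "all" and obj == "all"
        allow = perm.startswith("allow")
        if catch_all is not None:
            # Under first-match evaluation nothing after a catch-all is reached.
            findings.append((n, "unreachable-after-catch-all"))
        elif actor == "all" and wide:
            catch_all = n
            if allow:
                findings.append((n, "allow-all-catch-all"))
        elif allow and wide and actor.split("@")[0] in WEAK_USERS:
            findings.append((n, "weak-identity-full-access"))
    if catch_all is None:
        findings.append((0, "no-closing-deny-all"))
    return findings

if __name__ == "__main__":
    for lineno, code in lint(THREAD_ACL):
        print(f"line {lineno}: {code}")
```
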

Comment 2 Robert Rati 2011-03-17 14:41:47 UTC
This is really a documentation issue.

*** This bug has been marked as a duplicate of bug 687872 ***