| Summary: | qpid-tools can get NOT functional by presence of cyrus-sasl-gssapi package (if kerberos is not configured) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Frantisek Reznicek <freznice> |
| Component: | python-qpid | Assignee: | messaging-bugs <messaging-bugs> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | MRG Quality Engineering <mrgqe-bugs> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | Development | CC: | esammons, gsim, iboverma, jross |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-03-21 12:24:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Frantisek Reznicek
2011-04-05 17:44:45 UTC
RHEL 5.6 i386 case:
--- auth=yes, no cyrus-sasl-gssapi ---
[root@mrg-qe-01 ~]# rpm -e cyrus-sasl-gssapi
[root@mrg-qe-01 ~]# vi /etc/qpidd.conf
[root@mrg-qe-01 ~]# # auth=yes
[root@mrg-qe-01 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-01 ~]# qpid-config
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s
Please enter your password
connection-forced: Authentication failed
2011-04-05 13:25:18 warning Broker closed connection: 320, connection-forced: Authentication failed
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest
246.908 130.366 179.266 0.175064
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
247.329 130.89 273.204 0.266801
[root@mrg-qe-01 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 20s 2 2 8 18
[root@mrg-qe-01 ~]#
--- auth=yes, with cyrus-sasl-gssapi ---
[root@mrg-qe-01 ~]#
[root@mrg-qe-01 ~]# yum install cyrus-sasl-gssapi
...
Installed:
cyrus-sasl-gssapi.i386 0:2.1.22-5.el5_4.3
Complete!
[root@mrg-qe-01 ~]#
[root@mrg-qe-01 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-01 ~]# qpid-config
Failed: ConnectionFailed: (None, 'SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)')
[root@mrg-qe-01 ~]# qpid-config -a guest/guest@localhost
Failed: ConnectionFailed: (None, 'SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)')
[root@mrg-qe-01 ~]# qpid-config -a guest/guest@localhost --sasl-mechanism=PLAIN
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s
2011-04-05 13:27:12 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/SaslFactory.cpp:279)
internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/SaslFactory.cpp:279)
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest
2011-04-05 13:27:18 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/SaslFactory.cpp:279)
internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) (qpid/SaslFactory.cpp:279)
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
8842.2 114.655 459.637 0.448864
[root@mrg-qe-01 ~]# qpid-stat -b
Failed: ConnectionFailed - (None, 'SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found)')
[root@mrg-qe-01 ~]# qpid-stat -b --sasl-mechanism=PLAIN
Failed: ConnectionFailed - (None, 'SASL error: Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found')
[root@mrg-qe-01 ~]# qpid-stat -b --sasl-mechanism=ANONYMOUS
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 1m 31s 2 2 8 18
[root@mrg-qe-01 ~]#
[root@mrg-qe-01 ~]#
--- auth=no, no cyrus-sasl-gssapi ---
[root@mrg-qe-01 ~]#
[root@mrg-qe-01 ~]# vi /etc/qpidd.conf
[root@mrg-qe-01 ~]# # auth=no
[root@mrg-qe-01 ~]# rpm -e cyrus-sasl-gssapi
[root@mrg-qe-01 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-01 ~]# qpid-config
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-config -a guest/guest@localhost --sasl-mechanism=PLAIN
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s
245.909 60.442 468.518 0.457537
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest
241.427 118.068 241.715 0.23605
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
245.884 60.8487 243.475 0.237769
[root@mrg-qe-01 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 10s 2 2 8 18
[root@mrg-qe-01 ~]# qpid-stat -b --sasl-mechanism=PLAIN
Failed: ConnectionFailed - (None, 'SASL error: Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found')
[root@mrg-qe-01 ~]# qpid-stat -b --sasl-mechanism=ANONYMOUS
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 20s 2 2 8 18
--- auth=no, with cyrus-sasl-gssapi ---
[root@mrg-qe-01 ~]# yum install cyrus-sasl-gssapi
...
Installed:
cyrus-sasl-gssapi.i386 0:2.1.22-5.el5_4.3
Complete!
[root@mrg-qe-01 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-01 ~]# qpid-config
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-config -a guest/guest@localhost --sasl-mechanism=PLAIN
Total Exchanges: 8
...
non-durable: 6
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s
246.305 60.4863 465.092 0.454191
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest
245.36 116.908 468.649 0.457665
[root@mrg-qe-01 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
247.055 84.5712 264.17 0.257978
[root@mrg-qe-01 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 10s 2 2 8 18
[root@mrg-qe-01 ~]# qpid-stat -b --sasl-mechanism=PLAIN
Failed: ConnectionFailed - (None, 'SASL error: Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found')
[root@mrg-qe-01 ~]# qpid-stat -b --sasl-mechanism=ANONYMOUS
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 20s 2 2 8 18
RHEL 5.6 x86_64 case:
--- auth=yes, no cyrus-sasl-gssapi ---
[root@mrg-qe-02 ~]# rpm -e cyrus-sasl-gssapi --allmatches
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# vi /etc/qpidd.conf
[root@mrg-qe-02 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# qpid-config
Total Exchanges: 12
...
non-durable: 6
[root@mrg-qe-02 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 12
...
non-durable: 6
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s
Please enter your password
2011-04-05 13:19:00 warning Broker closed connection: 320, connection-forced: Authentication failed
connection-forced: Authentication failed
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest
4743.83 274.997 455.892 0.445207
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
247.752 85.1288 177.699 0.173534
[root@mrg-qe-02 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 57s 2 2 12 76
--- auth=yes, with cyrus-sasl-gssapi ---
[root@mrg-qe-02 ~]# yum install cyrus-sasl-gssapi
...
Installed:
cyrus-sasl-gssapi.i386 0:2.1.22-5.el5_4.3 cyrus-sasl-gssapi.x86_64 0:2.1.22-5.el5_4.3
Complete!
[root@mrg-qe-02 ~]#
[root@mrg-qe-02 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-02 ~]# qpid-config
Failed: ConnectionFailed: (None, 'SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 195)')
[root@mrg-qe-02 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 12
...
non-durable: 6
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s
Please enter your password
2011-04-05 13:20:08 warning Broker closed connection: 320, connection-forced: Authentication failed
connection-forced: Authentication failed
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest
5211.05 127.118 458.127 0.44739
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
243.481 79.0645 240.558 0.23492
[root@mrg-qe-02 ~]# qpid-stat -b
Failed: ConnectionFailed - (None, 'SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 195)')
[root@mrg-qe-02 ~]# --sasl-mechanism=ANONYMOUS
-bash: --sasl-mechanism=ANONYMOUS: command not found
[root@mrg-qe-02 ~]# qpid-stat -b --sasl-mechanism=ANONYMOUS
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 56s 2 2 12 76
[root@mrg-qe-02 ~]# qpid-config --sasl-mechanism=ANONYMOUS
Total Exchanges: 12
...
non-durable: 10
[root@mrg-qe-02 ~]#
--- auth=no, no cyrus-sasl-gssapi ---
[root@mrg-qe-02 ~]# vi /etc/qpidd.conf
[root@mrg-qe-02 ~]# # auth=no
[root@mrg-qe-02 ~]# rpm -e cyrus-sasl-gssapi --allmatches
[root@mrg-qe-02 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-02 ~]# qpid-config
Total Exchanges: 12
...
non-durable: 6
[root@mrg-qe-02 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 12
...
non-durable: 6
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s
244.768 60.9983 240.512 0.234875
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest
239.555 48.2716 238.515 0.232925
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
240.246 79.7709 237.535 0.231968
[root@mrg-qe-02 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 16s 2 2 12 76
[root@mrg-qe-02 ~]# yum install cyrus-sasl-gssapi
...
Installed:
cyrus-sasl-gssapi.i386 0:2.1.22-5.el5_4.3 cyrus-sasl-gssapi.x86_64 0:2.1.22-5.el5_4.3
Complete!
[root@mrg-qe-02 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-02 ~]# qpid-config
Total Exchanges: 12
...
non-durable: 5
[root@mrg-qe-02 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 12
...
non-durable: 5
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s
242.154 125.557 260.831 0.254718
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest
246.731 48.7052 241.039 0.23539
[root@mrg-qe-02 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
246.609 79.5108 240.52 0.234883
[root@mrg-qe-02 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 17s 2 2 12 76
[root@mrg-qe-02 ~]# rpm -qa | egrep '(qpid|qmf|sasl)' | sort
cyrus-sasl-2.1.22-5.el5_4.3.i386
cyrus-sasl-2.1.22-5.el5_4.3.x86_64
cyrus-sasl-devel-2.1.22-5.el5_4.3.i386
cyrus-sasl-devel-2.1.22-5.el5_4.3.x86_64
cyrus-sasl-gssapi-2.1.22-5.el5_4.3.i386
cyrus-sasl-gssapi-2.1.22-5.el5_4.3.x86_64
cyrus-sasl-lib-2.1.22-5.el5_4.3.i386
cyrus-sasl-lib-2.1.22-5.el5_4.3.x86_64
cyrus-sasl-md5-2.1.22-5.el5_4.3.i386
cyrus-sasl-md5-2.1.22-5.el5_4.3.x86_64
cyrus-sasl-plain-2.1.22-5.el5_4.3.i386
cyrus-sasl-plain-2.1.22-5.el5_4.3.x86_64
python-qpid-0.10-1.el5.noarch
python-qpid-qmf-0.10-2.el5.x86_64
python-saslwrapper-0.1.934605-2.el5.x86_64
qpid-cpp-client-0.10-1.el5.x86_64
qpid-cpp-client-devel-0.10-1.el5.x86_64
qpid-cpp-client-devel-docs-0.10-1.el5.x86_64
qpid-cpp-client-rdma-0.10-1.el5.x86_64
qpid-cpp-client-ssl-0.10-1.el5.x86_64
qpid-cpp-mrg-debuginfo-0.10-1.el5.x86_64
qpid-cpp-server-0.10-1.el5.x86_64
qpid-cpp-server-cluster-0.10-1.el5.x86_64
qpid-cpp-server-devel-0.10-1.el5.x86_64
qpid-cpp-server-rdma-0.10-1.el5.x86_64
qpid-cpp-server-ssl-0.10-1.el5.x86_64
qpid-cpp-server-store-0.10-1.el5.x86_64
qpid-cpp-server-xml-0.10-1.el5.x86_64
qpid-dotnet-0.4.738274-2.el5.x86_64
qpid-java-client-0.10-1.el5.noarch
qpid-java-common-0.10-1.el5.noarch
qpid-java-example-0.10-1.el5.noarch
qpid-qmf-0.10-2.el5.x86_64
qpid-qmf-debuginfo-0.10-2.el5.x86_64
qpid-qmf-devel-0.10-2.el5.x86_64
qpid-tests-0.9.1073306-1.el5.noarch
qpid-tools-0.10-1.el5.noarch
rh-qpid-cpp-tests-0.10-1.el5.x86_64
ruby-qpid-qmf-0.10-2.el5.x86_64
ruby-saslwrapper-0.1.934605-2.el5.x86_64
saslwrapper-0.1.934605-2.el5.x86_64
saslwrapper-devel-0.1.934605-2.el5.x86_64
RHEL 6.1 i686 case:
--- auth=yes, no cyrus-sasl-gssapi ---
[root@mrg-qe-07 ~]# service qpidd start
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-07 ~]#
[root@mrg-qe-07 ~]# qpid-config
Total Exchanges: 8
...
non-durable: 5
[root@mrg-qe-07 ~]# qpid-config -a guest/guest@localhost
Total Exchanges: 8
...
non-durable: 5
[root@mrg-qe-07 ~]# qpid-perftest --count 10 -s --username guest --password guest
4261.36 132.647 308.127 0.300906
[root@mrg-qe-07 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 50s 1 1 8 10
--- auth=yes, with cyrus-sasl-gssapi ---
[root@mrg-qe-07 ~]# yum install cyrus-sasl-gssapi
...
Installed:
cyrus-sasl-gssapi.i686 0:2.1.23-8.el6
Complete!
[root@mrg-qe-07 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-07 ~]# qpid-config
Failed: ConnectionFailed: (None, "SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)")
[root@mrg-qe-07 ~]# qpid-config -a guest/guest@localhost
Failed: ConnectionFailed: (None, "SASL error: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)")
[root@mrg-qe-07 ~]# qpid-perftest --count 10 -s --username guest --password guest
2011-04-05 13:10:20 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found) (qpid/SaslFactory.cpp:279)
internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found) (qpid/SaslFactory.cpp:279)
[root@mrg-qe-07 ~]# qpid-perftest --count 10 -s
2011-04-05 13:10:26 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found) (qpid/SaslFactory.cpp:279)
internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found) (qpid/SaslFactory.cpp:279)
[root@mrg-qe-07 ~]#
[root@mrg-qe-07 ~]# qpid-perftest --count 10 -s --username guest --password guest --mechanism PLAIN
251.096 59.5055 244.652 0.238918
[root@mrg-qe-07 ~]# qpid-config -a guest/guest@localhost --sasl-mechanism=PLAIN
Total Exchanges: 8
...
non-durable: 10
[root@mrg-qe-07 ~]# qpid-stat -b --sasl-mechanism=PLAIN
Failed: ConnectionFailed - (None, 'SASL error: Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found')
[root@mrg-qe-07 ~]# qpid-stat -b --sasl-mechanism=ANONYMOUS
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 2m 10s 1 1 8 10
[root@mrg-qe-07 ~]#
--- auth=no, with cyrus-sasl-gssapi ---
[root@mrg-qe-07 ~]# vi /etc/qpidd.conf
[root@mrg-qe-07 ~]# # auth=no
[root@mrg-qe-07 ~]# service qpidd restart
Stopping Qpid AMQP daemon: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
[root@mrg-qe-07 ~]# qpid-stat -b
Brokers
broker cluster uptime conn sess exch queue
===============================================================
localhost:5672 <standalone> 0s 1 1 8 5
[root@mrg-qe-07 ~]# qpid-config
Total Exchanges: 8
...
non-durable: 14
[root@mrg-qe-07 ~]# qpid-perftest --count 100 -s
2261.17 786.665 2350.14 2.29506
The situation is certainly undesirable. Cyrus chooses between available mechanisms and appears to favour GSSAPI if available over PLAIN/ANONYMOUS. The mechanisms in use can be restricted by editing the sasl conf file (i.e. for the broker as a whole) or by the client further restricting the mechs (i.e. on a per connection basis). The question is whether there is anything that can be done to determine if GSSAPI is correctly configured in a given use case and disable it if not. Or whether it is right to automatically retry with a different choice of mechanism if authentication with the first choice fails. (In general I am uncomfortable about this latter approach).

Does this problem still occur? In bug 846465 we introduced a default mech list that excludes gssapi, but I don't know if it affects the tools in this instance.

Issue is not seen anymore on latest stable packages (bug 846465, comment 17).

Issue was resolved by bug 846465. -> VERIFIED
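
Added example (not part of the bug report and not python-qpid code): a client-side filter that decides from local state whether GSSAPI is usable before the mechanism list reaches the SASL library, which is the first option raised in the discussion above and avoids retrying after a failed attempt. The preference order, the function names and the sample mechanism lists are assumptions made for illustration.

```python
import os

# Assumed preference order for this sketch (strongest first); the transcripts
# only show that GSSAPI is tried ahead of PLAIN and ANONYMOUS.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN", "ANONYMOUS"]
NEEDS_PASSWORD = {"DIGEST-MD5", "CRAM-MD5", "PLAIN"}


def ccache_file(env, uid):
    """Path of a file-based Kerberos credentials cache, or None for other cache types."""
    name = env.get("KRB5CCNAME", "")
    if not name:
        return "/tmp/krb5cc_%d" % uid        # default seen in the RHEL 6.1 error above
    kind, sep, rest = name.partition(":")
    if not sep:
        return name                          # bare path without a type prefix
    return rest if kind == "FILE" else None  # KEYRING:, DIR:, ... are not checked here


def have_kerberos_credentials(env, uid, exists=os.path.exists):
    """Local-only check: is there a credentials cache GSSAPI could use?

    A cache that exists may still hold expired tickets; `klist -s` is the
    stricter test. Cache types this sketch cannot inspect count as usable.
    """
    path = ccache_file(env, uid)
    return True if path is None else exists(path)


def candidate_mechanisms(offered, installed, password=None, krb_ok=False, restrict=None):
    """Mechanisms the client should hand to the SASL library, best first."""
    allowed = set(offered) & set(installed)
    if restrict is not None:                 # e.g. --sasl-mechanism=PLAIN
        allowed &= set(restrict)
    if not krb_ok:
        allowed.discard("GSSAPI")            # decided from local state, never from a failed attempt
    if password is None:
        allowed -= NEEDS_PASSWORD            # mirrors "No worthy mechs found" for PLAIN without credentials
    return [m for m in PREFERENCE if m in allowed]


def naive_choice(offered, installed):
    """Behaviour seen in the report: best mutually available mechanism, no usability check."""
    both = set(offered) & set(installed)
    return next((m for m in PREFERENCE if m in both), None)


# Constructed sample: broker with auth=yes, client host with cyrus-sasl-gssapi installed.
OFFERED = ["GSSAPI", "PLAIN", "ANONYMOUS"]
INSTALLED = ["GSSAPI", "PLAIN", "ANONYMOUS", "DIGEST-MD5", "CRAM-MD5"]


if __name__ == "__main__":
    krb_ok = have_kerberos_credentials(os.environ, os.getuid())
    print("naive:   ", naive_choice(OFFERED, INSTALLED))
    print("filtered:", candidate_mechanisms(OFFERED, INSTALLED, password="guest", krb_ok=krb_ok))
```

Because GSSAPI is dropped only when the client itself has no credentials cache, a peer on the network cannot use a forced authentication failure to push the connection down to PLAIN.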