Bug 750315

Summary: Sesame still authenticates using PLAIN/guest by default, should be anonymous
Product: Red Hat Enterprise MRG Reporter: Trevor McKay <tmckay>
Component: sesameAssignee: Trevor McKay <tmckay>
Status: CLOSED ERRATA QA Contact: Daniel Horák <dahorak>
Severity: high Docs Contact:
Priority: high    
Version: 2.0CC: dahorak, jneedle, jross, matt, mgoulish, sgraf
Target Milestone: 2.1   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sesame-1.0-1 Doc Type: Bug Fix
Doc Text:
Previously, the sesame system agent authenticated to the qpidd broker as a guest user by default. In Red Hat Enterprise Linux 6, the guest SASL account is not present out-of-the-box in an installation of the "MRG Messaging" group. Consequently, sesame could not to connect to the broker without additional configuration. With this update, sesame uses anonymous authentication by default. Anonymous authentication is enabled by the qpidd broker by default on both Red Hat Enterprise Linux 5 and 6. Now, sesame is able to connect to the qpidd broker without additional configuration.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-23 17:29:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 743350    
Attachments:
Description Flags
Proposed patch for default ANONYMOUS authentication none

Description Trevor McKay 2011-10-31 17:03:53 UTC 
Description of problem:

When sasldb was removed from the base for RHEL 6, iirc a decision was made to make sesame authenticate as "anonymous" by default (like grid).  The MCIG is claiming this as a default currently.

Currently, sesame is still using PLAIN out of the box.

Version-Release number of selected component (if applicable):

sesame-0.10-1.el6.x86_64

How reproducible:

100%

Steps to Reproduce:
1.  Install a broker on a new system.
2.  Install sesame
3.  Start the service
4.  Use qpid-stat -c to look at connections (no sesame)
5.  Change /etc/sesame.conf to specify "mech: ANONYMOUS"
6.  Restart sesame
7.  qpid-stat -c will show sesame authenticated as ANONYMOUS
  
Actual results:


Expected results:


Additional info:

Also, running the broker with --trace gives this when sesame is started.

011-10-31 13:02:12 trace SENT [127.0.0.1:5672-127.0.0.1:43823]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={qpid.federation_tag:V2:36:str16(cd2491b0-3b1a-413e-88af-d66eb2766d9d)}; mechanisms=str16{V2:5:str16(LOGIN), V2:5:str16(PLAIN), V2:9:str16(ANONYMOUS)}; locales=str16{V2:5:str16(en_US)}; }]
2011-10-31 13:02:12 trace RECV [127.0.0.1:5672-127.0.0.1:43823]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={qpid.client_pid:F4:int32(2848),qpid.client_ppid:F4:int32(1),qpid.client_process:V2:6:str16(sesame),qpid.session_flow:F4:int32(1)}; mechanism=LOGIN; response=xxxxxx; locale=en_US; }]
2011-10-31 13:02:12 debug SASL: Starting authentication with mechanism: LOGIN
2011-10-31 13:02:12 debug SASL: sending challenge to client
2011-10-31 13:02:12 trace SENT [127.0.0.1:5672-127.0.0.1:43823]: Frame[BEbe; channel=0; {ConnectionSecureBody: challenge=Username:; }]
2011-10-31 13:02:12 trace RECV [127.0.0.1:5672-127.0.0.1:43823]: Frame[BEbe; channel=0; {ConnectionSecureOkBody: response=guest; }]
2011-10-31 13:02:12 debug SASL: sending challenge to client
2011-10-31 13:02:12 trace SENT [127.0.0.1:5672-127.0.0.1:43823]: Frame[BEbe; channel=0; {ConnectionSecureBody: challenge=Password:; }]
2011-10-31 13:02:12 trace RECV [127.0.0.1:5672-127.0.0.1:43823]: Frame[BEbe; channel=0; {ConnectionSecureOkBody: response=guest; }]
2011-10-31 13:02:12 info SASL: Authentication failed for guest@QPID:SASL(-13): user not found: checkpass failed
2011-10-31 13:02:12 debug Exception constructed: Authentication failed
Comment 1 Trevor McKay 2011-10-31 17:14:29 UTC 
This could be fixed by changing the default sesame.conf file to specify 

mech: ANONYMOUS

rather than a code change.  However, doing this would require a new doc BZ for the MCIG that says to comment out the "mech" setting when creating sasl users and setting uid/pwd.
Comment 2 Trevor McKay 2011-10-31 17:21:26 UTC 
Another option here would be to leave it as is and change the MCIG, make creation of SASL user for Sesame required.  But, that's a config change on every node in the pool out of the box, seems bad.  Mentioned for completeness.
Comment 3 Trevor McKay 2011-10-31 18:39:36 UTC 
Created attachment 531014 [details]
Proposed patch for default ANONYMOUS authentication
Comment 4 Trevor McKay 2011-10-31 18:43:57 UTC 
Fixed on trunk, revision 5101.

Changed config parameter "mech" default to ANONYMOUS from PLAIN, uid and pwd to empty string from "guest".  Changed comments in sesame.conf to reflect.(In reply to comment #3)


> Created attachment 531014 [details]
> Proposed patch for default ANONYMOUS authentication

Patch uploaded for QE inspection
Comment 5 Matthew Farrellee 2011-10-31 18:44:43 UTC 
FYI -

0) qpidd(ANONYMOUS, DIGEST-MD5) + sesame(ANONYMOUS) -> ANONYMOUS and success

1) qpidd(ANONYMOUS, DIGEST-MD5) + sesame(ANONYMOUS, DIGEST-MD5) -> DIGEST-MD5 and success requires uid/pwd credentials

2) qpidd(ANONYMOUS) + sesame(ANONYMOUS, DIGEST-MD5) -> ANONYMOUS

Problem with (2) is installation of cyrus-sasl-md5 on qpidd box results (standard recommendation) in (1) and will require a sesame config change to provide valid uid/pwd credentials.
Comment 10 Trevor McKay 2011-11-04 16:51:35 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    Sesame defaulted to authenticating to the qpidd broker as user 'guest' by default.

Consequence
    On RHEL 6, the guest SASL account is not present out of the box in an installation of the "MRG Messaging" group.  This means that sesame will not be able to connect to the broker out of the box without additional configuration.

Fix
    Sesame was changed to use anonymous authentication by default.  Anonymous authentication is enabled by the qpidd broker by default on both RHEL 5 and RHEL 6.

Result
    Sesame will not be able to connect to the qpidd broker out of the box without additional configuration on both RHEL 5 and RHEL 6.
Comment 11 Trevor McKay 2011-11-04 16:53:11 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,11 +1,11 @@
 Cause
-    Sesame defaulted to authenticating to the qpidd broker as user 'guest' by default.
+    Sesame authenticated to the qpidd broker as user 'guest' by default.
 
 Consequence
-    On RHEL 6, the guest SASL account is not present out of the box in an installation of the "MRG Messaging" group.  This means that sesame will not be able to connect to the broker out of the box without additional configuration.
+    On RHEL 6, the guest SASL account is not present out of the box in an installation of the "MRG Messaging" group.  This means that sesame will not be able to connect to the broker without additional configuration.
 
 Fix
     Sesame was changed to use anonymous authentication by default.  Anonymous authentication is enabled by the qpidd broker by default on both RHEL 5 and RHEL 6.
 
 Result
-    Sesame will not be able to connect to the qpidd broker out of the box without additional configuration on both RHEL 5 and RHEL 6.+    Sesame will be able to connect to the qpidd broker out of the box without additional configuration on both RHEL 5 and RHEL 6.
Comment 12 Daniel Horák 2011-11-11 10:39:47 UTC 
Reproduced on RHEL 6.1 i386:

# rpm -q sesame
  sesame-0.10-1.el6.i686

# qpidd --trace
  2011-11-11 09:38:28 info SASL: Mechanism list: PLAIN ANONYMOUS LOGIN
  2011-11-11 09:38:28 debug Management object (V1) added: org.apache.qpid.broker:connection:127.0.0.1:5672-127.0.0.1:36666
  2011-11-11 09:38:28 trace SENT 127.0.0.1:5672-127.0.0.1:36666 INIT(0-10)
  2011-11-11 09:38:28 trace SENT [127.0.0.1:5672-127.0.0.1:36666]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={qpid.federation_tag:V2:36:str16(7b602a53-d3a2-435a-abe4-003e9d845802)}; mechanisms=str16{V2:5:str16(PLAIN), V2:9:str16(ANONYMOUS), V2:5:str16(LOGIN)}; locales=str16{V2:5:str16(en_US)}; }]
  2011-11-11 09:38:28 trace RECV [127.0.0.1:5672-127.0.0.1:36666]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={qpid.client_pid:F4:int32(20261),qpid.client_ppid:F4:int32(1),qpid.client_process:V2:6:str16(sesame),qpid.session_flow:F4:int32(1)}; mechanism=PLAIN; response=xxxxxx; locale=en_US; }]
  2011-11-11 09:38:28 debug SASL: Starting authentication with mechanism: PLAIN
  2011-11-11 09:38:28 info SASL: Authentication failed for guest@QPID:SASL(-13): user not found: Password verification failed
  2011-11-11 09:38:28 debug Exception constructed: Authentication failed
  2011-11-11 09:38:28 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.clientConnectFail
  2011-11-11 09:38:28 debug SEND raiseEvent (v2) class=org.apache.qpid.broker.clientConnectFail
  2011-11-11 09:38:28 trace SENT [127.0.0.1:5672-127.0.0.1:36666]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed; }]
  2011-11-11 09:38:28 debug DISCONNECTED [127.0.0.1:5672-127.0.0.1:36666]
  2011-11-11 09:38:28 trace Management object marked deleted: org.apache.qpid.broker:connection:127.0.0.1:5672-127.0.0.1:36666
  2011-11-11 09:38:28 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.clientDisconnect
  2011-11-11 09:38:28 debug SEND raiseEvent (v2) class=org.apache.qpid.broker.clientDisconnect
  2011-11-11 09:38:30 debug RECV [127.0.0.1:5672-127.0.0.1:36667] INIT(0-10)
  2011-11-11 09:38:30 debug External ssf=0 and auth=
  2011-11-11 09:38:30 debug min_ssf: 0, max_ssf: 256, external_ssf: 0

# qpid-stat -c 
  Connections
    client-addr                     cproc      cpid   auth            connected  idle  msgIn  msgOut
    ==================================================================================================
    127.0.0.1:5672-127.0.0.1:46534  qpid-stat  20300  anonymous@QPID  1s         0s     208    263

Change mech to ANONYMOUS in sesame.conf
# vim /etc/sesame/sesame.conf 

# qpid-stat -c 
  Connections
    client-addr                     cproc      cpid   auth            connected  idle  msgIn  msgOut
    ==================================================================================================
    127.0.0.1:5672-127.0.0.1:37392  qpid-stat  20341  anonymous@QPID  0s         0s     213    270
    127.0.0.1:5672-127.0.0.1:37391  sesame     20336  anonymous@QPID  11s        0s      35     23



Verified on RHEL 6.2 i386:

# rpm -q sesame
  sesame-1.0-1.el6.i686

# qpidd --trace
  2011-11-11 11:02:32 info SASL: Mechanism list: PLAIN LOGIN ANONYMOUS
  2011-11-11 11:02:32 debug Management object (V1) added: org.apache.qpid.broker:connection:127.0.0.1:5672-127.0.0.1:48776
  2011-11-11 11:02:32 trace SENT 127.0.0.1:5672-127.0.0.1:48776 INIT(0-10)
  2011-11-11 11:02:32 trace SENT [127.0.0.1:5672-127.0.0.1:48776]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={qpid.federation_tag:V2:36:str16(5c5f0a98-9fb2-496d-96ed-d11be8b5a428)}; mechanisms=str16{V2:5:str16(PLAIN), V2:5:str16(LOGIN), V2:9:str16(ANONYMOUS)}; locales=str16{V2:5:str16(en_US)}; }]
  2011-11-11 11:02:32 trace RECV [127.0.0.1:5672-127.0.0.1:48776]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={qpid.client_pid:F4:int32(11209),qpid.client_ppid:F4:int32(1),qpid.client_process:V2:6:str16(sesame),qpid.session_flow:F4:int32(1)}; mechanism=ANONYMOUS; response=xxxxxx; locale=en_US; }]
  2011-11-11 11:02:32 debug SASL: Starting authentication with mechanism: ANONYMOUS
  2011-11-11 11:02:32 info 127.0.0.1:5672-127.0.0.1:48776 SASL: Authentication succeeded for: anonymous@QPID

# qpid-stat -c
  Connections
    client-addr                     cproc      cpid   auth            connected  idle  msgIn  msgOut
    ==================================================================================================
    127.0.0.1:5672-127.0.0.1:48779  sesame     11209  anonymous@QPID  14m 29s    0s     567    205
    127.0.0.1:5672-127.0.0.1:53814  qpid-stat  29655  anonymous@QPID  0s         0s     214    273

# cat /etc/sesame/sesame.conf 
    <<<<< truncated output >>>>>>
  ##======================
  ## Agent Authentication
  ##======================

  ##
  ## Set the SASL mechanism (ANONYMOUS by default), and the username and password
  ## to be used when authenticating to the broker.  If you wish to not store
  ## the password in this configuration file, you may use pwd-file to point
  ## to an access-restricted file containing the password.
  ##
  #mech=ANONYMOUS
  #uid=
  #pwd=
  #pwd-file=/etc/sesame/password
    <<<<< truncated output >>>>>>

Output on other platforms (RHEL 5.7 i386, RHEL 5.7 x86_64 and RHEL 6.2 x86_64) is similar.
Sesame is able to connect to the broker after fresh installation without additional configuration on both RHEL 5 and RHEL 6.


>>> VERIFIED
Comment 13 Tomas Capek 2011-11-16 13:43:57 UTC 
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,11 +1 @@
-Cause
+Previously, the sesame system agent authenticated to the qpidd broker as a guest user by default. In Red Hat Enterprise Linux 6, the guest SASL account is not present out-of-the-box in an installation of the "MRG Messaging" group. Consequently, sesame could not to connect to the broker without additional configuration. With this update, sesame uses anonymous authentication by default. Anonymous authentication is enabled by the qpidd broker by default on both Red Hat Enterprise Linux 5 and 6. Now, sesame is able to connect to the qpidd broker without additional configuration.-    Sesame authenticated to the qpidd broker as user 'guest' by default.
-
-Consequence
-    On RHEL 6, the guest SASL account is not present out of the box in an installation of the "MRG Messaging" group.  This means that sesame will not be able to connect to the broker without additional configuration.
-
-Fix
-    Sesame was changed to use anonymous authentication by default.  Anonymous authentication is enabled by the qpidd broker by default on both RHEL 5 and RHEL 6.
-
-Result
-    Sesame will be able to connect to the qpidd broker out of the box without additional configuration on both RHEL 5 and RHEL 6.
Comment 14 errata-xmlrpc 2012-01-23 17:29:42 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0045.html