Bug 801047
Summary: | [RFE] Change default value of sasl-mech-list to 'ANONYMOUS' or 'PLAIN DIGEST-MD5' with credentials | | |
---|---|---|---|
Product: | Red Hat Enterprise MRG | Reporter: | Trevor McKay <tmckay> |
Component: | cumin | Assignee: | Trevor McKay <tmckay> |
Status: | CLOSED ERRATA | QA Contact: | Stanislav Graf <sgraf> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | Development | CC: | dryan, matt, mkudlej, rrati, sgraf, tkatarki |
Target Milestone: | 2.3 | Keywords: | FutureFeature |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | cumin-0.1.5251-1 | Doc Type: | Enhancement |
Doc Text: |
Cause
The default value for the sasl-mech-list configuration parameter allows Cumin to use "all available SASL mechanisms" for authentication to the broker. The MCIG advises users to set this value manually to disallow ANONYMOUS authentication from Cumin, thereby ensuring full operability.
Consequence
Having to set the sasl-mech-list configuration parameter manually adds an extra step during setup.
Setting this value automatically would cover most use cases, eliminate the extra step, and ease maintenance.
Change
The default value for sasl-mech-list has been changed. For broker addresses which specify user/password in the URL (known as "credentials"), sasl-mech-list will be set to the list of recommended password authentication mechanisms for Cumin (currently PLAIN and DIGEST-MD5). For broker addresses which do not contain credentials, sasl-mech-list will be set to ANONYMOUS. The old default behavior of allowing "all available mechanisms" may be chosen by setting sasl-mech-list to AVAILABLE.
Result
These changes automatically handle most configurations. Existing installations that set a sasl-mech-list value explicitly will continue to use that value. Installations that use the old default value and really intend to allow "all available mechanisms" may set the sasl-mech-list value to AVAILABLE to retain the current behavior.
|
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2013-03-06 18:42:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 850563, 754228 | | |
Description
Trevor McKay
2012-03-07 14:57:58 UTC
Note, also make sure that Cumin connects to Wallaby. The Wallaby connection is a separate connection to the broker, and the mech_list is parsed in wallabyoperations.py as well.

Fixed in revision 5244

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents: the Cause / Consequence / Change / Result text, identical to the Doc Text field above.

Suggestions for Testing that Wallaby also connects (log entries, qpid-stat, and Inventory), re Comment 1, since I mentioned it.

By default the wallaby-broker setting will be the same as the first item in the "brokers:" list. All of the same considerations for sasl credentials will apply to the second broker connection that Cumin makes for Wallaby data. If the primary connection works, the wallaby connection is also sure to work.

To actually verify the wallaby connection, there are a few things that can be done.

logging
-------
(remember to set this in the cumin.conf file)

    [common]
    log-level: debug

There is not much in the way of logging for the WallabyOperations module in Cumin that explicitly notes a connection failure. It is basically a negative test. If WallabyOperations connects successfully, this debug level log entry will be present (if debug logging is on and there is no message, there is no connection):

    5724 2012-10-03 13:31:35,295 DEBUG WallabyOperations: found wallaby store object

Also, if Wallaby is working there will be entries like these:

    6026 2012-10-03 13:55:19,297 DEBUG WallabyOperations: refreshing nodes
    6026 2012-10-03 13:55:19,657 DEBUG WallabyOperations: 0.359168052673 seconds to refresh nodes
    6026 2012-10-03 13:55:19,657 DEBUG WallabyOperations: nodes list updated (1 items)
    6026 2012-10-03 13:55:19,658 DEBUG WallabyOperations: refreshing features
    6026 2012-10-03 13:55:20,732 DEBUG WallabyOperations: 1.07410001755 seconds to refresh features
    6026 2012-10-03 13:55:20,734 DEBUG WallabyOperations: features list updated (55 items)
    6026 2012-10-03 13:55:20,735 DEBUG WallabyOperations: refreshing groups
    6026 2012-10-03 13:55:21,055 DEBUG WallabyOperations: 0.319417953491 seconds to refresh groups
    6026 2012-10-03 13:55:21,055 DEBUG WallabyOperations: groups list updated (5 items)
    6026 2012-10-03 13:55:21,056 DEBUG WallabyOperations: refreshing tags
    6026 2012-10-03 13:55:21,191 DEBUG WallabyOperations: tags list updated (1 items)

using qpid-stat
---------------
A better way to confirm the WallabyOperations connection is to use qpid-stat -c. For every cumin-web instance that is running with wallaby connectivity enabled (the default), there should be 2 connections to the broker, like so (Cumin running with a single cumin-web instance):

    # qpid-stat -c cumin/cumin@localhost | grep cumin-web
    127.0.0.1:5672-127.0.0.1:53991  cumin-web  5724  cumin@QPID  8m 22s  0s  639    1.47k
    127.0.0.1:5672-127.0.0.1:53992  cumin-web  5724  cumin@QPID  8m 22s  0s  2.03k  3.85k

using qpid-stat with another sasl user
--------------------------------------
Notice that you can't really tell the connections apart if they both authenticate as "cumin". As an option, you can use saslpasswd2 to define a sasl user for wallaby and modify the wallaby-broker setting in /etc/cumin/cumin.conf to authenticate as the other user (I used "wallaby" as the password when prompted):

    # sudo -u qpidd /usr/sbin/saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u QPID wallaby

Edit the cumin.conf file:

    [common]
    wallaby-broker: wallaby/wallaby@localhost:5672

    # service cumin restart
    # qpid-stat -c cumin/cumin@localhost | grep cumin-web
    127.0.0.1:5672-127.0.0.1:54005  cumin-web  6026  cumin@QPID    1s  0s  268  357
    127.0.0.1:5672-127.0.0.1:54006  cumin-web  6026  wallaby@QPID  1s  0s  268  357

Looking at the Inventory Page
-----------------------------
And of course, if wallaby is working there will be entries on the Inventory page with "Last checkin" values.

(In reply to comment #1)
> Note, also make sure that Cumin connects to Wallaby. The Wallaby connection
> is a separate connection to the broker, and the mech_list is parsed in
> wallabyoperations.py as well.
>
> Fixed in revision 5244

Tested on RHEL 5/6 i386/x86_64 cumin-0.1.5648-1

I'm using DIGEST-MD5

(1) cumin and qpidd default:
    cumin.conf:
    # sasl-mech-list: [default, 'anonymous' or 'plain digest-md5' with usr/passw]
    qpidd.conf:
    mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
    cumin uses DIGEST-MD5 if usr/passw provided
    cumin uses ANONYMOUS if usr/passw not provided

(2) cumin 'available' and qpidd default:
    cumin.conf:
    sasl-mech-list: available
    cumin uses DIGEST-MD5 if usr/passw provided

(3) cumin.conf:
    # sasl-mech-list: [default, 'anonymous' or 'plain digest-md5' with usr/passw]
    qpidd.conf:
    # mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
    cumin uses DIGEST-MD5 if usr/passw provided

(4) cumin.conf:
    sasl-mech-list: DIGEST-MD5
    qpidd.conf:
    mech_list: PLAIN DIGEST-MD5
    cumin uses DIGEST-MD5 if usr/passw provided

(5) cumin.conf:
    sasl-mech-list: PLAIN
    qpidd.conf:
    mech_list: PLAIN DIGEST-MD5
    cumin uses PLAIN if usr/passw provided

Wallaby connection works in those cases.
Cumin uses DIGEST-MD5 if usr/passw provided unless it is forced to use another mechanism.

--> VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0564.html
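The default selection described in the technical note (credentials in the broker address give PLAIN DIGEST-MD5, no credentials gives ANONYMOUS, an explicit value is kept, AVAILABLE restores the old unrestricted default), written out as an added example. This is not Cumin's own code: the function names, the 'user/password@host[:port]' address form (taken from the cumin.conf examples in the comments) and the choice to return None for AVAILABLE are assumptions.

```python
"""Default sasl-mech-list selection as the technical note describes it.

Added example, not Cumin's own code.  Assumptions: the function names, the
'user/password@host[:port]' broker address form (taken from the cumin.conf
examples in the bug comments), and returning None for AVAILABLE to mean
"do not restrict the client library's mechanisms".
"""

# Recommended password mechanisms for Cumin per the note.  PLAIN sends the
# password in the clear, so it should only be offered over a protected link.
PASSWORD_MECHS = "PLAIN DIGEST-MD5"
ANONYMOUS_MECHS = "ANONYMOUS"
# Explicit value that restores the old "all available mechanisms" default.
AVAILABLE = "AVAILABLE"
DEFAULT_PORT = 5672  # assumption: standard AMQP port when none is given


def parse_broker(address):
    """Split 'user/password@host:port' into (user, password, host, port).

    Missing user/password come back as empty strings; a missing port
    defaults to DEFAULT_PORT.
    """
    creds, sep, hostport = address.rpartition("@")
    if not sep:                      # no '@' at all: no credentials
        creds, hostport = "", address
    user, _, password = creds.partition("/")
    host, _, port = hostport.partition(":")
    return user, password, host, int(port) if port else DEFAULT_PORT


def effective_mech_list(broker, configured=None):
    """Return the SASL mechanism list to offer for one broker connection.

    configured is the sasl-mech-list value from cumin.conf, or None when the
    parameter is left commented out (the default).
      * an explicit value is used as given, so existing installations that
        set sasl-mech-list keep their behaviour;
      * AVAILABLE (any case) selects the old behaviour and is returned as None;
      * otherwise the default depends on whether the address has credentials.
    """
    if configured is not None and configured.strip():
        value = configured.strip()
        return None if value.upper() == AVAILABLE else value
    user, _, _, _ = parse_broker(broker)
    return PASSWORD_MECHS if user else ANONYMOUS_MECHS


def connection_plan(brokers, wallaby_broker=None, configured=None):
    """Mechanism lists for both connections cumin-web makes: the 'brokers:'
    entries and the separate Wallaby connection, which defaults to the first
    'brokers:' entry as the comments state.  The same sasl-mech-list setting
    governs both, since wallabyoperations.py parses it too."""
    wallaby = wallaby_broker or brokers[0]
    return {
        "brokers": [(b, effective_mech_list(b, configured)) for b in brokers],
        "wallaby": (wallaby, effective_mech_list(wallaby, configured)),
    }


if __name__ == "__main__":
    # Mirrors cases (1), (2) and (4) from the verification comment.
    print(connection_plan(["cumin/cumin@localhost"]))
    print(connection_plan(["localhost:5672"]))
    print(connection_plan(["cumin/cumin@localhost"], configured="available"))
    print(connection_plan(["cumin/cumin@localhost"],
                          "wallaby/wallaby@localhost:5672", "DIGEST-MD5"))
```

Note that the broker side still decides: with qpidd's mech_list restricted to PLAIN DIGEST-MD5 (cases 4 and 5 above), a credential-less address that defaults to ANONYMOUS cannot connect at all, which is the failure the new default is meant to make visible rather than silently falling back to ANONYMOUS.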
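The qpid-stat check from the testing suggestions (two broker connections per cumin-web process, one of them for Wallaby), turned into a small parser so it can be run over `qpid-stat -c` output instead of eyeballed. This is an added example, not part of the bug report or of Cumin; the sample output is constructed from the connection lines quoted in the comments, the column header is assumed, and the assumption that an ANONYMOUS connection shows an auth field without a 'user@realm' form is marked in the code.

```python
"""Check cumin-web's broker connections from `qpid-stat -c` output.

Added example, not part of the bug report or of Cumin.  The header line of
SAMPLE_QPID_STAT is assumed; the connection lines are taken from the output
quoted in the bug comments.
"""
import re
from collections import defaultdict

# Constructed sample: one cumin-web process (pid 6026) after the Wallaby
# connection was given its own SASL user, plus the qpid-stat client itself.
SAMPLE_QPID_STAT = """\
Connections
  connection                      cproc      cpid  auth          connected  idle  msgIn  msgOut
  ============================================================================================
  127.0.0.1:5672-127.0.0.1:54005  cumin-web  6026  cumin@QPID    1s         0s    268    357
  127.0.0.1:5672-127.0.0.1:54006  cumin-web  6026  wallaby@QPID  1s         0s    268    357
  127.0.0.1:5672-127.0.0.1:54010  qpid-stat  6101  cumin@QPID    0s         0s    10     12
"""

# connection, client process name, client pid, auth identity.  Header and
# ruler lines have no numeric pid in the third column and fail to match.
LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")


def parse_connections(stat_output, cproc="cumin-web"):
    """Return {pid: [(connection, auth), ...]} for the given client process."""
    per_pid = defaultdict(list)
    for line in stat_output.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != cproc:
            continue
        conn, _, pid, auth = m.groups()
        per_pid[int(pid)].append((conn, auth))
    return dict(per_pid)


def verify(stat_output, expected=2):
    """List problems: cumin-web processes without the expected number of
    connections (primary + Wallaby), and connections whose auth field is not
    'user@realm'.  Assumption: an ANONYMOUS connection is displayed without
    a realm, so the absence of '@' is used as the tell-tale."""
    problems = []
    for pid, conns in sorted(parse_connections(stat_output).items()):
        if len(conns) != expected:
            problems.append(f"pid {pid}: {len(conns)} connection(s), expected {expected}")
        for conn, auth in conns:
            if "@" not in auth:
                problems.append(f"pid {pid}: {conn} authenticated as {auth!r}, not a user@realm")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: qpid-stat -c cumin/cumin@localhost | python check_cumin_conns.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QPID_STAT
    for problem in verify(data) or ["ok: every cumin-web pid has 2 password-authenticated connections"]:
        print(problem)
```

Giving the Wallaby connection its own SASL user, as the comment suggests, is what makes the second assertion below meaningful: with both connections authenticating as cumin the count check still works, but you cannot tell from qpid-stat which one is the Wallaby connection.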