Bug 801047

Summary: [RFE] Change default value of sasl-mech-list to 'ANONYMOUS' or 'PLAIN DIGEST-MD5' with credentials
Product: Red Hat Enterprise MRG
Reporter: Trevor McKay <tmckay>
Component: cumin
Assignee: Trevor McKay <tmckay>
Status: CLOSED ERRATA
QA Contact: Stanislav Graf <sgraf>
Severity: medium
Docs Contact:
Priority: medium
Version: Development
CC: dryan, matt, mkudlej, rrati, sgraf, tkatarki
Target Milestone: 2.3
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: cumin-0.1.5251-1
Doc Type: Enhancement
Doc Text:
Cause: The default value for the sasl-mech-list configuration parameter allows Cumin to use "all available SASL mechanisms" for authentication to the broker. The MCIG advises users to set this value manually to disallow ANONYMOUS authentication from Cumin, thereby ensuring full operability.

Consequence: Having to set the sasl-mech-list configuration parameter manually provides an extra step during set up. Setting this value automatically would cover most user cases, eliminate the extra step, and ease maintenance.

Change: The default value for sasl-mech-list has been changed. For broker addresses which specify user/password in the URL (known as "credentials"), sasl-mech-list will be set to the list of recommended password authentication mechanisms for Cumin (currently PLAIN and DIGEST-MD5). For broker addresses which do not contain credentials, sasl-mech-list will be set to ANONYMOUS. The old default behavior of allowing "all available mechanisms" may be chosen by setting sasl-mech-list to AVAILABLE.

Result: These changes automatically handle most configurations. Existing installations that set a sasl-mech-list value explicitly will continue to use that value. Installations that use the old default value and really intend to allow "all available mechanisms" may set the sasl-mech-list value to AVAILABLE to retain current behavior.
Last Closed: 2013-03-06 18:42:28 UTC
Bug Blocks: 850563, 754228    

Description Trevor McKay 2012-03-07 14:57:58 UTC
Description of problem:

Sane defaults for the sasl-mech-list parameter will ease configuration and make the MCIG easier to maintain.

The current Cumin default for sasl-mech-list is None which indicates "all available mechanisms" to the QMF console pieces.  Users must change the value to restrict ANONYMOUS access, and this is called out in the MCIG.

Change the default value to be context sensitive -- "ANONYMOUS" for a broker address that does not contain credentials and "PLAIN DIGEST-MD5" for a broker address that does contain credentials.  Users may still override the value, but this will make Cumin work out of the box with a default broker and in harmony with the MCIG scenarios, no user action required to change sasl-mech-list.

Additionally, the "all available mechanisms" current default can still be indicated by setting sasl-mech-list to "AVAILABLE" (case insensitive).

As we add supported mechanisms to Cumin, we can extend the default list for authentication with credentials.  SASL will always choose the most secure available mechanism so listing multiples is not a problem.  Currently Cumin has been or is being tested with PLAIN and DIGEST-MD5.

See also Bug 754228 (doc changes)

Suggestions on how to test:

Run Cumin with the sasl-mech-list parameter set to the following values and check the log files for "Adding QMF broker at..." messages that show the selected mechanism.  Verify connection to the broker with qpid-stat -c.  Restrict mechanisms allowed by the broker in /etc/sasl2/qpidd.conf to create cases where Cumin will not connect.

The broker list may contain multiple brokers.  The sasl mech list will be determined for each broker.  

Scenario 1:  sasl-mech-list commented out in cumin.conf, 1 broker with credentials and one without (or run the test twice and change the URL if you only have 1 broker)

#sasl-mech-list 
brokers: localhost, cumin/cumin.com

web.log and data*.log should show mech_list of ANONYMOUS used for localhost and mech_list of PLAIN DIGEST-MD5 for my_other_broker.redhat.com

Scenario 2: (set mech_list explicitly, pick supported value(s))
sasl-mech-list: DIGEST-MD5
brokers: localhost, cumin/cumin.com

web.log and data*.log should show explicit mech_list used.  Obviously localhost wouldn't connect here because we didn't give credentials (user error)

Scenario 3:
sasl-mech-list: available
brokers: localhost, cumin/cumin.com

web.log and data*.log should show mech_list of None.  This corresponds to the old default behavior, when sasl-mech-list was left unset.
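
The per-broker selection rule described in this report, written out as an added example (not Cumin's source code and not part of the original report). The function names, the `audit` findings and the `broker2.example.com` address are assumptions made for illustration.

```python
# Added illustration, not Cumin's source; all names here are hypothetical.
PASSWORD_MECHS = "PLAIN DIGEST-MD5"  # default for addresses with credentials
ANONYMOUS = "ANONYMOUS"              # default for addresses without


def has_credentials(broker):
    """True for the user/password@host[:port] form used in the brokers list."""
    userinfo, at, _host = broker.rpartition("@")
    return bool(at) and "/" in userinfo


def resolve_mech_list(configured, broker):
    """Mech list for one broker; None means "all available mechanisms"."""
    value = (configured or "").strip()
    if not value:  # parameter unset or commented out: context-sensitive default
        return PASSWORD_MECHS if has_credentials(broker) else ANONYMOUS
    if value.upper() == "AVAILABLE":  # case-insensitive opt-in to the old default
        return None
    return value  # an explicit list always wins


def plan(configured, brokers):
    """Resolve the mech list separately for every entry in a brokers string."""
    names = [b.strip() for b in brokers.split(",") if b.strip()]
    return {b: resolve_mech_list(configured, b) for b in names}


def audit(configured, brokers):
    """Return (broker, finding) pairs worth reviewing before deployment."""
    findings = []
    for broker, mechs in plan(configured, brokers).items():
        if mechs is None:
            findings.append((broker, "ANONYMOUS is not excluded on the Cumin side"))
        elif not has_credentials(broker) and ANONYMOUS not in mechs.upper().split():
            findings.append((broker, "no credentials in URL and ANONYMOUS not listed"))
    return findings


if __name__ == "__main__":
    BROKERS = "localhost, cumin/cumin@broker2.example.com"  # constructed sample
    for setting in (None, "DIGEST-MD5", "available"):
        print(repr(setting), plan(setting, BROKERS), audit(setting, BROKERS))
```

The three settings in the `__main__` block correspond to Scenarios 1 to 3 above; the Scenario 2 finding for `localhost` is the "user error" case the description mentions.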

Comment 1 Trevor McKay 2012-03-07 15:04:11 UTC
Note, also make sure that Cumin connects to Wallaby.  The Wallaby connection is a separate connection to the broker, and the mech_list is parsed in wallabyoperations.py as well.

Fixed in revision 5244

Comment 2 Trevor McKay 2012-03-07 15:28:09 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    The default value for the sasl-mech-list configuration parameter allows Cumin to use "all available SASL mechanisms" for authentication to the broker.  The MCIG advises users to set this value manually to disallow ANONYMOUS authentication from Cumin, thereby ensuring full operability.

Consequence
    Having to set the sasl-mech-list configuration parameter manually provides an extra step during set up.  Setting this value automatically would cover most user cases, eliminate the extra step, and ease maintenance.

Change
    The default value for sasl-mech-list has been changed.  For broker addresses which specify user/password in the URL (known as "credentials"), sasl-mech-list will be set to the list of recommended password authentication mechanisms for Cumin (currently PLAIN and DIGEST-MD5).  For broker addresses which do not contain credentials, sasl-mech-list will be set to ANONYMOUS.  The old default behavior of allowing "all available mechanisms" may be chosen by setting sasl-mech-list to AVAILABLE.

Result
    These changes automatically handle most configurations.  Existing installations that set a sasl-mech-list value explicitly will continue to use that value.  Installations that use the old default value and really intend to allow "all available mechanisms" may set the sasl-mech-list value to AVAILABLE to retain current behavior.

Comment 7 Trevor McKay 2012-10-03 18:00:53 UTC
Suggestions for Testing that Wallaby also connects (log entries, qpid-stat, and Inventory), re Comment 1, since I mentioned it.

By default the wallaby-broker setting will be the same as the first item in the "brokers:" list.  All of the same considerations for sasl credentials will apply to the second broker connection that Cumin makes for Wallaby data.  If the primary connection works, the wallaby connection is also sure to work.

To actually verify the wallaby connection, there are a few things that can be done.

logging
--------

(remember to set this in the cumin.conf file)
[common]
log-level: debug

There is not much in the way of logging for the WallabyOperations module in Cumin that explicitly notes a connection failure.  It is basically a negative test.  If WallabyOperations connects successfully, this debug level log entry will be present (if debug logging is on and there is no message, there is no connection):

5724 2012-10-03 13:31:35,295 DEBUG WallabyOperations: found wallaby store object

Also, if Wallaby is working there will be entries like these

6026 2012-10-03 13:55:19,297 DEBUG WallabyOperations: refreshing nodes
6026 2012-10-03 13:55:19,657 DEBUG WallabyOperations: 0.359168052673 seconds to refresh nodes
6026 2012-10-03 13:55:19,657 DEBUG WallabyOperations: nodes list updated (1 items)
6026 2012-10-03 13:55:19,658 DEBUG WallabyOperations: refreshing features
6026 2012-10-03 13:55:20,732 DEBUG WallabyOperations: 1.07410001755 seconds to refresh features
6026 2012-10-03 13:55:20,734 DEBUG WallabyOperations: features list updated (55 items)
6026 2012-10-03 13:55:20,735 DEBUG WallabyOperations: refreshing groups
6026 2012-10-03 13:55:21,055 DEBUG WallabyOperations: 0.319417953491 seconds to refresh groups
6026 2012-10-03 13:55:21,055 DEBUG WallabyOperations: groups list updated (5 items)
6026 2012-10-03 13:55:21,056 DEBUG WallabyOperations: refreshing tags
6026 2012-10-03 13:55:21,191 DEBUG WallabyOperations: tags list updated (1 items)


using qpid-stat
---------------

A better way to confirm the WallabyOperations connection is to use qpid-stat -c.  For every cumin-web instance that is running with wallaby connectivity enabled (the default), there should be 2 connections to the broker, like so (Cumin running with a single cumin-web instance)

# qpid-stat -c cumin/cumin@localhost | grep cumin-web
  127.0.0.1:5672-127.0.0.1:53991  cumin-web        5724  cumin@QPID      8m 22s     0s     639   1.47k
  127.0.0.1:5672-127.0.0.1:53992  cumin-web        5724  cumin@QPID      8m 22s     0s    2.03k  3.85k

using qpid-stat with another sasl user
--------------------------------------

Notice that you can't really tell the connections apart if they both authenticate as "cumin".  As an option, you can use saslpasswd2 to define a sasl user for wallaby and modify the wallaby-broker setting in /etc/cumin/cumin.conf to authenticate as the other user:

(I used "wallaby" as the password when prompted)
# sudo -u qpidd /usr/sbin/saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u QPID wallaby

Edit the cumin.conf file:

[common]
wallaby-broker: wallaby/wallaby@localhost:5672

# service cumin restart

# qpid-stat -c cumin/cumin@localhost | grep cumin-web
  127.0.0.1:5672-127.0.0.1:54005  cumin-web        6026  cumin@QPID      1s          0s     268    357
  127.0.0.1:5672-127.0.0.1:54006  cumin-web        6026  wallaby@QPID    1s          0s     268    357


Looking at the Inventory Page
------------------------------

And of course, if wallaby is working there will be entries on the Inventory page with "Last checkin" values


(In reply to comment #1)
> Note, also make sure that Cumin connects to Wallaby.  The Wallaby connection
> is a separate connection to the broker, and the mech_list is parsed in
> wallabyoperations.py as well.
> 
> Fixed in revision 5244
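
The qpid-stat check from Comment 7, automated as an added example (not part of the original comment and not a Cumin or Qpid tool). It assumes the column order shown in the sample output above: connection address, process name, PID, SASL identity. The function names are hypothetical.

```python
# Added illustration; parses the column layout of the qpid-stat -c sample above.
from collections import defaultdict

# The two lines below are copied from the output shown in Comment 7.
SAMPLE = """\
  127.0.0.1:5672-127.0.0.1:54005  cumin-web        6026  cumin@QPID      1s          0s     268    357
  127.0.0.1:5672-127.0.0.1:54006  cumin-web        6026  wallaby@QPID    1s          0s     268    357
"""


def connections_by_pid(text, process="cumin-web"):
    """Map pid -> list of SASL identities for connections owned by `process`."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # Only the first four columns are used; later columns vary in token count
        # (the connected time can be "8m 22s" or "1s").
        if len(fields) < 4 or fields[1] != process or not fields[2].isdigit():
            continue
        by_pid[int(fields[2])].append(fields[3])
    return dict(by_pid)


def check_wallaby(text, expected=2, wallaby_user=None):
    """Return a list of problems: wrong connection count or missing identity."""
    problems = []
    conns = connections_by_pid(text)
    if not conns:
        problems.append("no cumin-web connections found")
    for pid, users in sorted(conns.items()):
        if len(users) != expected:
            problems.append("pid %d: %d connection(s), expected %d"
                            % (pid, len(users), expected))
        if wallaby_user and wallaby_user not in users:
            problems.append("pid %d: no connection as %s" % (pid, wallaby_user))
    return problems


if __name__ == "__main__":
    print(connections_by_pid(SAMPLE))
    print(check_wallaby(SAMPLE, wallaby_user="wallaby@QPID") or "ok")
```

Feed it the text captured from `qpid-stat -c`; passing `wallaby_user` only makes sense when the separate SASL user from Comment 7 has been configured.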

Comment 11 Stanislav Graf 2013-01-11 11:15:06 UTC
Tested on RHEL 5/6 i386/x86_64
cumin-0.1.5648-1

I'm using DIGEST-MD5 

(1)
cumin and qpidd default:
cumin.conf: # sasl-mech-list: [default, 'anonymous' or 'plain digest-md5' with usr/passw]
qpidd.conf: mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN

cumin uses DIGEST-MD5 if usr/passw provided
cumin uses ANONYMOUS if usr/passw not provided

(2)
cumin 'available' and qpidd default:
cumin.conf: sasl-mech-list: available
cumin uses DIGEST-MD5 if usr/passw provided

(3)
cumin.conf: # sasl-mech-list: [default, 'anonymous' or 'plain digest-md5' with usr/passw]
qpidd.conf: # mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
cumin uses DIGEST-MD5 if usr/passw provided

(4)
cumin.conf: sasl-mech-list: DIGEST-MD5
qpidd.conf: mech_list: PLAIN DIGEST-MD5
cumin uses DIGEST-MD5 if usr/passw provided

(5)
cumin.conf: sasl-mech-list: PLAIN
qpidd.conf: mech_list: PLAIN DIGEST-MD5
cumin uses PLAIN if usr/passw provided

Wallaby connections work in those cases.

Cumin uses DIGEST-MD5 if usr/passw provided unless it is forced to use another mechanism.

--> VERIFIED

Comment 13 errata-xmlrpc 2013-03-06 18:42:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0564.html