| Summary: | CRAM-MD5 authentication method not supported | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Leonid Zhaldybin <lzhaldyb> | ||||||
| Component: | python-qpid | Assignee: | messaging-bugs <messaging-bugs> | ||||||
| Status: | NEW --- | QA Contact: | Messaging QE <messaging-qe-bugs> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | 2.1.2 | CC: | iboverma, jross, mgoulish, mtessun, pematous, pmoravec | ||||||
| Target Milestone: | 3.3 | Keywords: | TestCaseProvided | ||||||
| Target Release: | --- | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | Type: | --- | |||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Bug Depends On: | 1099891 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
*** Bug 823802 has been marked as a duplicate of this bug. *** The work here is to establish that it is working on 0.22/2.4. Works on 0.22 2013-04-25 11:28:16 [Security] info qpid/broker/SaslAuthenticator.cpp:415: SASL: Starting authentication with mechanism: CRAM-MD5 ...and perftest connects & runs to completion. nihil obstat - imprimatur. Sorry to say, I need to return to ASSIGNED as this defect looks in the same state as in time of defect filling:
...
dur:16, tst_cnt:15, err_cnt:0, ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)
================== tstbatch localhost guest guest CRAM-MD5 True ==================
1579 24.2455 751.736 0.734117
Failed: ConnectionError - connection-forced: Authentication failed(320)
Failed: ConnectionError: connection-forced: Authentication failed(320)
Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed')
Message(properties={'spout-id': '8e52ebba-cb30-40ac-bcc3-0b749f11ed05:0'}, content_type='t
ext/plain')
===---=== SUMMARY ===---===
dur:17, tst_cnt:20, err_cnt:3, ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(1)(1)(1)(0)
...
Which means qpid-perftest and python spout are and were functional, however qpid-tools (here qpid-stat and qpid-config) are still failing.
-> ASSIGNED
Component corrected to qpid-tools + summary tuned. Mick, please look at this one again. (In reply to Frantisek Reznicek from comment #6) > Sorry to say, I need to return to ASSIGNED as this defect looks in the same > state as in time of defect filling: > ... > dur:16, tst_cnt:15, err_cnt:0, > ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0) > ================== tstbatch localhost guest guest CRAM-MD5 True > ================== > 1579 24.2455 751.736 0.734117 > Failed: ConnectionError - connection-forced: Authentication failed(320) > Failed: ConnectionError: connection-forced: Authentication failed(320) > Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed') > Message(properties={'spout-id': '8e52ebba-cb30-40ac-bcc3-0b749f11ed05:0'}, > content_type='t > ext/plain') > ===---=== SUMMARY ===---=== > dur:17, tst_cnt:20, err_cnt:3, > ecodes:(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(0)(1)(1)(1)(0) > ... > > Which means qpid-perftest and python spout are and were functional, however > qpid-tools (here qpid-stat and qpid-config) are still failing. > > > -> ASSIGNED Yes, sorry -- I tested with wrong tools before.
I see the problem now, with latest packages (see list below )
on both qpid-tool and qpid-config
Both of them succeed when using DIGEST-MD5, and both fail when using CRAM-MD5
This was on RHEL 6.4
packages
{
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
python-qpid-0.22-4.el6.noarch
python-qpid-qmf-0.22-7.el6.x86_64
python-saslwrapper-0.22-3.el6.x86_64
qpid-cpp-client-0.22-8.el6.x86_64
qpid-cpp-client-devel-0.22-8.el6.x86_64
qpid-cpp-client-devel-docs-0.22-8.el6.noarch
qpid-cpp-client-rdma-0.22-8.el6.x86_64
qpid-cpp-client-ssl-0.22-8.el6.x86_64
qpid-cpp-debuginfo-0.22-8.el6.x86_64
qpid-cpp-server-0.22-8.el6.x86_64
qpid-cpp-server-devel-0.22-8.el6.x86_64
qpid-cpp-server-ha-0.22-8.el6.x86_64
qpid-cpp-server-rdma-0.22-8.el6.x86_64
qpid-cpp-server-ssl-0.22-8.el6.x86_64
qpid-cpp-server-store-0.22-8.el6.x86_64
qpid-cpp-server-xml-0.22-8.el6.x86_64
qpid-cpp-tar-0.22-8.el6.noarch
qpid-java-client-0.22-5.el6.noarch
qpid-java-common-0.22-5.el6.noarch
qpid-java-example-0.22-5.el6.noarch
qpid-proton-c-0.4-2.2.el6.x86_64
qpid-proton-c-devel-0.4-2.2.el6.x86_64
qpid-proton-debuginfo-0.4-2.2.el6.x86_64
qpid-qmf-0.22-7.el6.x86_64
qpid-qmf-debuginfo-0.22-7.el6.x86_64
qpid-qmf-devel-0.22-7.el6.x86_64
qpid-snmpd-1.0.0-12.el6.x86_64
qpid-snmpd-debuginfo-1.0.0-12.el6.x86_64
qpid-tests-0.22-4.el6.noarch
qpid-tools-0.22-3.el6.noarch
saslwrapper-0.22-3.el6.x86_64
saslwrapper-devel-0.22-3.el6.x86_64
}
Whole python client does not support CRAM-MD5 authentication mechanism; try to run the attached client example to reproduce the issue, please. Created attachment 823997 [details]
Python client CRAM-MD5 issue reproducer
Try to run the qmf2_qpid_ctrl.py client, please: # ./qmf2_qpid_ctrl.py --broker guest/guest@<hostname>:5672 --sasl-mechanisms CRAM-MD5 query type=queue name=q The example works with PLAIN, ANONYMOUS and DIGEST-MD5 mechanisms well, but does not work with CRAM-MD5 mechanism. |
Created attachment 571109 [details] Broker's log file. Description of problem: According to the documentation (MIG and MUG), broker should support CRAM-MD5 authentication method. I was unable to connect to the broker using qpid-stat: [root@lzhaldyb-rhel62i ~]# cat /etc/sasl2/qpidd.conf ... mech_list: CRAM-MD5 DIGEST-MD5 ... [root@lzhaldyb-rhel62i ~]# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb john@QPID: userPassword user@QPID: userPassword [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=DIGEST-MD5 john/secret@localhost:5672 Queues queue dur autoDel excl msg msgIn msgOut bytes bytesIn bytesOut cons bind ==================================================================================================================== qmfc-v2-hb-lzhaldyb-rhel62i.30399.1 Y Y 0 0 0 0 0 0 1 2 qmfc-v2-lzhaldyb-rhel62i.30399.1 Y Y 0 11 11 0 8.16k 8.16k 1 2 qmfc-v2-ui-lzhaldyb-rhel62i.30399.1 Y Y 0 0 0 0 0 0 1 1 reply-lzhaldyb-rhel62i.30399.1 Y Y 0 71 71 0 32.6k 32.6k 1 2 topic-lzhaldyb-rhel62i.30399.1 Y Y 0 0 0 0 0 0 1 4 [root@lzhaldyb-rhel62i ~]# echo $? 0 [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=CRAM-MD5 john/secret@localhost:5672 Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed') [root@lzhaldyb-rhel62i ~]# echo $? 1 [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=DIGEST-MD5 user/password@localhost:5672 Queues queue dur autoDel excl msg msgIn msgOut bytes bytesIn bytesOut cons bind ==================================================================================================================== qmfc-v2-lzhaldyb-rhel62i.30423.1 Y Y 0 11 11 0 8.16k 8.16k 1 2 qmfc-v2-ui-lzhaldyb-rhel62i.30423.1 Y Y 0 0 0 0 0 0 1 1 qmfc-v2-hb-lzhaldyb-rhel62i.30423.1 Y Y 0 0 0 0 0 0 1 2 topic-lzhaldyb-rhel62i.30423.1 Y Y 0 0 0 0 0 0 1 4 reply-lzhaldyb-rhel62i.30423.1 Y Y 0 71 71 0 32.6k 32.6k 1 2 [root@lzhaldyb-rhel62i ~]# echo $? 0 [root@lzhaldyb-rhel62i ~]# qpid-stat -q --sasl-mechanism=CRAM-MD5 user/password@localhost:5672 Failed: ConnectionFailed - (None, 'connection-forced: Authentication failed') [root@lzhaldyb-rhel62i ~]# echo $? 1 Version-Release number of selected component (if applicable): RHEL5: python-qpid-0.14-3.el5 python-qpid-qmf-0.14-3.el5 qpid-cpp-client-0.14-10.el5 qpid-cpp-client-devel-0.14-10.el5 qpid-cpp-client-devel-docs-0.14-10.el5 qpid-cpp-client-ssl-0.14-10.el5 qpid-cpp-server-0.14-10.el5 qpid-cpp-server-cluster-0.14-10.el5 qpid-cpp-server-devel-0.14-10.el5 qpid-cpp-server-ssl-0.14-10.el5 qpid-cpp-server-store-0.14-10.el5 qpid-cpp-server-xml-0.14-10.el5 qpid-java-client-0.14-3.el5 qpid-java-common-0.14-3.el5 qpid-java-example-0.14-3.el5 qpid-qmf-0.14-3.el5 qpid-qmf-devel-0.14-3.el5 qpid-tools-0.14-1.el5 RHEL6: python-qpid-0.14-6.el6.noarch python-qpid-qmf-0.14-5.el6.i686 qpid-cpp-client-0.14-12.el6.i686 qpid-cpp-client-devel-0.14-12.el6.i686 qpid-cpp-client-devel-docs-0.14-12.el6.noarch qpid-cpp-server-0.14-12.el6.i686 qpid-cpp-server-devel-0.14-12.el6.i686 qpid-cpp-server-store-0.14-12.el6.i686 qpid-cpp-server-xml-0.14-12.el6.i686 qpid-java-client-0.14-3.el6.noarch qpid-java-common-0.14-3.el6.noarch qpid-java-example-0.14-3.el6.noarch qpid-qmf-0.14-5.el6.i686 qpid-tools-0.14-1.el6.noarch How reproducible: always Steps to Reproduce: 1. Configure broker to use CRAM-MD5 authentication mechanism 2. Try to connect to broker using qpid-stat tool. 3. Actual results: authentication failure Expected results: authentication successful Additional info: Cpp clients seem to be working: [root@lzhaldyb-rhel62i qpidd]# qpid-perftest --count=100 -s --mechanism=CRAM-MD5 --username=user --password=password 2327.52 1044.24 2287.98 2.23436 [root@lzhaldyb-rhel62i qpidd]# echo $? 0