Bug 902319

Summary: Qpid authentication error '...no mechanism available: No worthy mechs found' is in some situations misleading
Product: Red Hat Enterprise MRG
Reporter: Frantisek Reznicek <freznice>
Component: qpid-cpp
Assignee: mick <mgoulish>
Status: CLOSED ERRATA
QA Contact: Michal Toth <mtoth>
Severity: medium
Priority: medium
Version: Development
CC: esammons, jross, mgrigull, mtoth
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2018-03-15 10:44:40 UTC
Type: Bug

Description Frantisek Reznicek 2013-01-21 11:26:33 UTC
Description of problem:

Even after the qpid authentication clean-up (bug 846465) there is a situation where qpidd produces a misleading error:

  from c++ client
    warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)

  from python client
    Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found


This message seems to be a general SASL client error, also shown when some authentication mechanisms are restricted in /etc/sasl2/qpidd.conf:
  /etc/sasl2/qpidd.conf:mech_list: DIGEST-MD5 PLAIN

and the client omitted to specify user credentials:
  qpid-send --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5}" -a "myq;{create: sender, delete:sender}"
  qpid-stat -g [--sasl-mechanism=DIGEST-MD5]

The error message listed above refers to the situation when there is no common authentication mechanism on the server and client side.
But as seen above and also below, the same error is reported when there is a common authentication mechanism on the server and client side but credentials are just not supplied.

Version-Release number of selected component (if applicable):
  python-qpid-0.18-4.el6.noarch
  python-qpid-qmf-0.18-13.el6.x86_64
  qpid-cpp-client-0.18-13.el6.x86_64
  qpid-cpp-client-devel-0.18-13.el6.x86_64
  qpid-cpp-client-devel-docs-0.18-13.el6.noarch
  qpid-cpp-client-rdma-0.18-13.el6.x86_64
  qpid-cpp-client-ssl-0.18-13.el6.x86_64
  qpid-cpp-debuginfo-0.18-13.el6.x86_64
  qpid-cpp-server-0.18-13.el6.x86_64
  qpid-cpp-server-cluster-0.18-13.el6.x86_64
  qpid-cpp-server-devel-0.18-13.el6.x86_64
  qpid-cpp-server-ha-0.18-13.el6.x86_64
  qpid-cpp-server-rdma-0.18-13.el6.x86_64
  qpid-cpp-server-ssl-0.18-13.el6.x86_64
  qpid-cpp-server-store-0.18-13.el6.x86_64
  qpid-cpp-server-xml-0.18-13.el6.x86_64
  qpid-java-client-0.18-6.el6.noarch
  qpid-java-common-0.18-6.el6.noarch
  qpid-java-example-0.18-6.el6.noarch
  qpid-jca-0.18-7.el6.noarch
  qpid-jca-xarecovery-0.18-7.el6.noarch
  qpid-jca-zip-0.18-7.el6.noarch
  qpid-qmf-0.18-13.el6.x86_64
  qpid-qmf-debuginfo-0.18-13.el6.x86_64
  qpid-qmf-devel-0.18-13.el6.x86_64
  qpid-tests-0.18-2.el6.noarch
  qpid-tools-0.18-7.el6_3.noarch
  rh-qpid-cpp-tests-0.18-13.el6.x86_64
  ruby-qpid-qmf-0.18-13.el6.x86_64


How reproducible:
100%

Steps to Reproduce:
1. change mech_list: /etc/sasl2/qpidd.conf:mech_list: DIGEST-MD5 PLAIN
   make sure auth=yes is in place for /etc/qpidd.conf
   make sure cyrus-sasl-md5 is installed
2. service qpidd restart
3. qpid-stat -g --sasl-mechanism=DIGEST-MD5
   qpid-send --connection-options "{sasl_mechanisms:DIGEST-MD5}" -a "Q;{create: sender, delete:sender}"
4. error should not be misleading
See the transcript below for details...

Actual results:
Misleading authentication error when credentials are not provided (but mechanism can be used).

Expected results:
Correct and clear authentication error when credentials are not provided (but mechanism can be used).

Additional info:

# server machine (check on the same machine)

[root@dhcp-37-178 ~]# grep ^mech_list $(rpm -qlc qpid-cpp-server)
/etc/sasl2/qpidd.conf:mech_list: DIGEST-MD5 PLAIN
[root@dhcp-37-178 ~]# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
guest@QPID: userPassword
[root@dhcp-37-178 ~]# grep = /etc/qpidd.conf
mgmt-pub-interval=5
cluster-name=mycluster_X.178_X.179_X.181_X.192
log-enable=debug+
log-to-file=/var/lib/qpidd/qpidd.log
auth=yes
max-negotiate-time=60000
[root@dhcp-37-178 ~]# rpm -qa | grep cyrus-sasl
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
[root@dhcp-37-178 ~]# qpid-stat -g 
Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found
[root@dhcp-37-178 ~]# qpid-stat -g --sasl-mechanism=DIGEST-MD5
Failed: AuthenticationFailure - Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found
[root@dhcp-37-178 ~]# qpid-stat -g -b guest/guest@localhost --sasl-mechanism=DIGEST-MD5 
Broker Summary:
  uptime   cluster                                                                connections  sessions  exchanges  queues
  ==========================================================================================================================
  10m 24s  mycluster_X.178_X.179_X.181_X.192<ACTIVE>                              1            1         9          10


# client machine (check client<->server)

[root@dhcp-37-181 ~]# rpm -qa | grep cyrus-sasl
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:56:57 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:57:04 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 05:57:04 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{username:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:57:15 [Client] info Trying to connect to dhcp-37-178...
Please enter your password
2013-01-21 05:57:17 [Security] info Installing security layer,  SSF: 128
2013-01-21 05:57:17 [Client] info Connected to dhcp-37-178
0
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{username:guest, password:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 05:57:26 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 05:57:26 [Security] info Installing security layer,  SSF: 128
2013-01-21 05:57:26 [Client] info Connected to dhcp-37-178
0
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 06:12:49 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 06:12:49 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5, username:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 06:13:32 [Client] info Trying to connect to dhcp-37-178...
Please enter your password
2013-01-21 06:13:34 [Security] info Installing security layer,  SSF: 128
2013-01-21 06:13:34 [Client] info Connected to dhcp-37-178
0
[root@dhcp-37-181 ~]# /opt/rh-qpid/clients/qpid-send --broker dhcp-37-178  --log-enable info+ --content-string "A" --connection-options "{sasl_mechanisms:DIGEST-MD5, username:guest, password:guest}" -a "myq;{create: sender, delete:sender}" ; echo $?
2013-01-21 06:13:42 [Client] info Trying to connect to dhcp-37-178...
2013-01-21 06:13:42 [Security] info Installing security layer,  SSF: 128
2013-01-21 06:13:42 [Client] info Connected to dhcp-37-178
0
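
A triage helper for the two conditions this report distinguishes, added here as an example and not part of the original report or of qpid: given the broker's SASL config text and the client's connection options, it says whether a failure comes from having no common mechanism or from missing credentials. The function names, the result labels and the sample config are assumptions made for illustration; the logic models only the cases shown in the transcript above.

```python
import re

# Mechanisms that cannot start without a username (and normally a password).
NEEDS_CREDENTIALS = {"PLAIN", "DIGEST-MD5", "CRAM-MD5"}


def parse_mech_list(sasl_conf_text):
    """Return the mechanisms on the 'mech_list:' line of a Cyrus SASL config.

    Assumes mech_list is set, as in the report; an unset list returns []."""
    for line in sasl_conf_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"mech_list\s*:\s*(.*)$", line)
        if m:
            return [x.upper() for x in m.group(1).split()]
    return []


def parse_connection_options(text):
    """Parse the flat '{key:value, key:value}' form used in the transcript."""
    opts = {}
    for item in text.strip().strip("{}").split(","):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip("'\"")
    return opts


def diagnose(sasl_conf_text, connection_options):
    """Classify an attempt as 'ok', 'no-common-mechanism' or
    'missing-credentials' (the case the report calls misleading)."""
    offered = parse_mech_list(sasl_conf_text)
    opts = parse_connection_options(connection_options)
    requested = opts.get("sasl_mechanisms", "").upper().split()
    usable = [m for m in offered if not requested or m in requested]
    if not usable:
        return "no-common-mechanism"
    if "username" not in opts and all(m in NEEDS_CREDENTIALS for m in usable):
        return "missing-credentials"
    return "ok"


# Constructed sample mirroring the mech_list shown in the report.
SAMPLE_CONF = "# constructed sample\nmech_list: DIGEST-MD5 PLAIN\n"

if __name__ == "__main__":
    for options in ("", "{sasl_mechanisms:DIGEST-MD5}",
                    "{sasl_mechanisms:DIGEST-MD5, username:guest}",
                    "{sasl_mechanisms:CRAM-MD5, username:guest}"):
        print(repr(options), "->", diagnose(SAMPLE_CONF, options))
```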

Comment 1 Frantisek Reznicek 2013-02-07 12:34:33 UTC
Same problem appears in auth=no mode, see bug 908749 comment 0, specifically cases ABCD6 and ABCD9.

Comment 2 Michal Toth 2015-08-11 11:34:30 UTC
Manually retested this forgotten bug using the latest 3.2.0 packages on both rhel6 archs, and rhel7.
"No worthy mechs found" is not always showing up. Instead, meaningful errors are reported like 
"qpid-send: Can't authenticate using PLAIN DIGEST-MD5"

Desired mechanism(s) not valid: CRAM-MD5 (supported: DIGEST-MD5 PLAIN) (/builddir/build/BUILD/qpid-cpp-0.34/src/qpid/client/ConnectionHandler.cpp:260)

Anonymous connections disabled, missing credentials

qpid-cpp-server-0.34-1.el6.i686
qpid-cpp-client-0.34-1.el6.i686
python-qpid-0.34-1.el6.noarch

Marking as verified

Comment 4 Sage Grigull 2018-03-12 00:42:21 UTC
Can this be marked as closed yet?