Bug 1089353 - QPID-5711: HA cannot promote primary if SASL security is enabled.
Summary: QPID-5711: HA cannot promote primary if SASL security is enabled.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 3.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: 3.0
: ---
Assignee: Alan Conway
QA Contact: Eric Sammons
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-04-18 13:42 UTC by Alan Conway
Modified: 2015-01-21 12:54 UTC (History)
4 users (show)

Fixed In Version: qpid-cpp-0.22-42
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 12:54:55 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Apache JIRA QPID-5711 None None None Never

Description Alan Conway 2014-04-18 13:42:44 UTC
Description of problem: HA does not work with SASL security enabled.


Version-Release number of selected component (if applicable): 
up to 0-22.mrg commit 
  ce156de bz1088003: QPID-5700: ensure interleaved segments on different tracks do not get confused

How reproducible: always


Steps to Reproduce:


  Yes, I have the cyrus packages installed on the nodes.

# rpm -qa | grep cyrus
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64

To narrow down, I've simplified the configuration without HA, see below

===configuration===
i) version 0.26 (built from source)

ii) /etc/qpid/qpidd.conf
acl-file=/etc/qpid/qpidd.acl
auth=yes
realm=QPID
no-data-dir=yes
sasl-config=/etc/sasl2/
log-to-stderr=no
log-enable=debug+
log-to-syslog=yes

# /etc/init.d/qpidd start
Starting Qpid AMQP daemon:                                 [  OK ]

# qpid-config queues -a test/test@192.168.10.211:5672 --sasl-mechanism=PLAIN
Queue Name                                Attributes
=================================================================
5b1b0c2e-bc6f-431b-b955-83ce5680d4ac:0.0  auto-del excl

and things work as expected. However when I enable HA and when the 
brokers try to communicate among themselves
I get the following error.

===error===
Promoting qpid daemon to cluster primary: Error in sasl_client_start 
(-4) SASL(-4): no mechanism available: No worthy mechs found

Actual results: error


Expected results: no error

Comment 1 Alan Conway 2014-04-23 12:47:50 UTC
Fixed on trunk 
------------------------------------------------------------------------
r1589391 | aconway | 2014-04-23 08:42:35 -0400 (Wed, 23 Apr 2014) | 10 lines

QPID-5711: HA cannot promote primary if SASL security is enabled.

Updated the qpid-ha tool and qpidd init scripts to handle SASL authentication.
The qpid-ha script as as called by the qpidd-primary init script now reads
authentication settings from the qpidd.conf file and uses them to connect to the local broker.

- qpidd-primary script respects prefix: use installed location for qpidd script, not "service" call
- qpid-ha added --config option qpid-ha options to use qpidd.conf for local broker connection.
- qpid-ha --all use user/pass for each broker.

------------------------------------------------------------------------

Comment 2 Alan Conway 2014-04-23 13:23:21 UTC
Should also include the following doc clarification

------------------------------------------------------------------------
r1589403 | aconway | 2014-04-23 09:22:13 -0400 (Wed, 23 Apr 2014) | 2 lines

QPID-5711: HA doc clarifications on security.

------------------------------------------------------------------------

Comment 3 Alan Conway 2014-04-25 17:13:14 UTC
Backmerged to 0.22-mrg branch on:

http://git.app.eng.bos.redhat.com/git/rh-qpid.git/log/?h=0.22-mrg-aconway-bz1086638-bz1061736

Required to complete 2 other backmerges, the branch contains:

7041626 Bug 1089353 - QPID-5711: HA cannot promote primary if SASL security is enabled.
7f8f8d9 Bug 1086638 - QPID-5719: HA becomes unresponsive once any of the brokers are SIGSTOPed
7cfbd72 Bug 1061736 - NO-JIRA: HA minor cleanup of qpid-ha tool

Comment 4 Leonid Zhaldybin 2014-08-27 07:33:07 UTC
Tested on RHEL6.5 (both i386 and x86_64). HA cluster is functional if SASL authentication is enabled, promoting a broker using the command "service qpidd-primary start" works just fine. This issue has been fixed.

Packages used for testing:
python-qpid-0.22-17.el6
python-qpid-qmf-0.22-38.el6
qpid-cpp-0.22-47.el6
qpid-proton-c-0.7-3.el6
qpid-qmf-0.22-38.el6
qpid-qmf-devel-0.22-38.el6
qpid-tests-0.22-16.el6
qpid-tools-0.22-14.el6

-> VERIFIED


Note You need to log in before you can comment on or make changes to this bug.