Description of problem:
HA does not work with SASL security enabled.

Version-Release number of selected component (if applicable):
up to 0-22.mrg commit ce156de bz1088003: QPID-5700: ensure interleaved segments on different tracks do not get confused

How reproducible:
always

Steps to Reproduce:
Yes, I have the cyrus packages installed on the nodes.

# rpm -qa | grep cyrus
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64

To narrow down, I've simplified the configuration without HA, see below

===configuration===
i) version 0.26 (built from source)
ii) /etc/qpid/qpidd.conf
acl-file=/etc/qpid/qpidd.acl
auth=yes
realm=QPID
no-data-dir=yes
sasl-config=/etc/sasl2/
log-to-stderr=no
log-enable=debug+
log-to-syslog=yes

# /etc/init.d/qpidd start
Starting Qpid AMQP daemon: [ OK ]

# qpid-config queues -a test/test.10.211:5672 --sasl-mechanism=PLAIN
Queue Name                                Attributes
=================================================================
5b1b0c2e-bc6f-431b-b955-83ce5680d4ac:0.0  auto-del excl

and things work as expected. However when I enable HA and when the brokers try to communicate among themselves I get the following error.

===error===
Promoting qpid daemon to cluster primary: Error in sasl_client_start (-4) SASL(-4): no mechanism available: No worthy mechs found

Actual results:
error

Expected results:
no error

Fixed on trunk

------------------------------------------------------------------------
r1589391 | aconway | 2014-04-23 08:42:35 -0400 (Wed, 23 Apr 2014) | 10 lines

QPID-5711: HA cannot promote primary if SASL security is enabled.

Updated the qpid-ha tool and qpidd init scripts to handle SASL authentication.
The qpid-ha script as called by the qpidd-primary init script now reads
authentication settings from the qpidd.conf file and uses them to connect to the
local broker.

- qpidd-primary script respects prefix: use installed location for qpidd script, not "service" call
- qpid-ha added --config option qpid-ha options to use qpidd.conf for local broker connection.
- qpid-ha --all use user/pass for each broker.
------------------------------------------------------------------------

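Added example (not the qpid-ha source and not code from this report): a sketch of the approach the commit message describes, reading authentication settings from qpidd.conf and turning them into options for the local broker connection, together with a check of the cyrus-sasl plugin packages the reporter listed. The ha-username, ha-password and ha-mechanism names are qpidd HA options that do not appear on this page; the function names, the sample credentials and the mechanism-to-package table are assumptions made for this example.

```python
# Added example, not the qpid-ha source. Function names are hypothetical;
# ha-username / ha-password / ha-mechanism are qpidd HA options not shown on the page.

# Constructed sample: the qpidd.conf from the report plus constructed HA credentials.
SAMPLE_CONF = """\
acl-file=/etc/qpid/qpidd.acl
auth=yes
realm=QPID
sasl-config=/etc/sasl2/
ha-username=ha-admin
ha-password=example-only
ha-mechanism=PLAIN
"""
# Two of the package names listed by `rpm -qa | grep cyrus` in the report.
SAMPLE_RPMS = ["cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64",
               "cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64"]

# Assumed mapping: SASL mechanism -> cyrus-sasl plugin package that provides it.
PLUGIN = {"PLAIN": "cyrus-sasl-plain", "DIGEST-MD5": "cyrus-sasl-md5",
          "CRAM-MD5": "cyrus-sasl-md5", "GSSAPI": "cyrus-sasl-gssapi"}

def parse_qpidd_conf(text):
    """Parse 'key=value' lines, skipping blanks and '#' comments."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def local_broker_options(conf):
    """Map HA auth settings to qpid.messaging-style connection options."""
    mapping = (("ha-username", "username"), ("ha-password", "password"),
               ("ha-mechanism", "sasl_mechanisms"))
    return {opt: conf[key] for key, opt in mapping if conf.get(key)}

def audit(conf, installed_rpms):
    """List settings to review when a local management connection fails to authenticate."""
    if conf.get("auth", "").lower() not in ("yes", "true", "1"):
        return []  # auth not explicitly enabled: nothing to check here
    mech = conf.get("ha-mechanism", "").upper()
    findings = [] if mech else ["auth=yes but ha-mechanism is not set"]
    if mech in ("PLAIN", "DIGEST-MD5", "CRAM-MD5"):  # password-based mechanisms
        findings += [f"{mech} needs {k}" for k in ("ha-username", "ha-password") if not conf.get(k)]
    pkg = PLUGIN.get(mech)
    if pkg and not any(r.startswith(pkg + "-") for r in installed_rpms):
        findings.append(f"{mech} needs {pkg}, which is not installed")
    return findings
```

An empty list from `audit(parse_qpidd_conf(text), rpm_lines)` means the settings and the installed plugins are consistent with each other; it does not prove the broker accepts the credentials.
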
Should also include the following doc clarification

------------------------------------------------------------------------
r1589403 | aconway | 2014-04-23 09:22:13 -0400 (Wed, 23 Apr 2014) | 2 lines

QPID-5711: HA doc clarifications on security.
------------------------------------------------------------------------

Backmerged to 0.22-mrg branch on:
http://git.app.eng.bos.redhat.com/git/rh-qpid.git/log/?h=0.22-mrg-aconway-bz1086638-bz1061736

Required to complete 2 other backmerges, the branch contains:

7041626 Bug 1089353 - QPID-5711: HA cannot promote primary if SASL security is enabled.
7f8f8d9 Bug 1086638 - QPID-5719: HA becomes unresponsive once any of the brokers are SIGSTOPed
7cfbd72 Bug 1061736 - NO-JIRA: HA minor cleanup of qpid-ha tool

Tested on RHEL6.5 (both i386 and x86_64). HA cluster is functional if SASL authentication is enabled, promoting a broker using the command "service qpidd-primary start" works just fine. This issue has been fixed.

Packages used for testing:
python-qpid-0.22-17.el6
python-qpid-qmf-0.22-38.el6
qpid-cpp-0.22-47.el6
qpid-proton-c-0.7-3.el6
qpid-qmf-0.22-38.el6
qpid-qmf-devel-0.22-38.el6
qpid-tests-0.22-16.el6
qpid-tools-0.22-14.el6

-> VERIFIED