Bug 1124589 - python-kombu does not work with Qpid unless the user adjusts qpidd.conf
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Pulp
Classification: Retired
Component: user-experience
Version: 2.4 Beta
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: ---
Target Release: 2.6.0
Assignee: Chris Duryee
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-29 21:01 UTC by Brian Bouterse
Modified: 2015-02-28 22:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-28 22:14:03 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Pulp Redmine 477 0 None None None Never

Description Brian Bouterse 2014-07-29 21:01:52 UTC
Currently, the python-kombu behavior only works if the user does 1 of 2 things.

a) Disable authentication by putting 'auth=no' in qpidd.conf
b) Properly configure SASL by installing packages and configuring them

This is a barrier to using Pulp right away because python-kombu does not align with the vanilla configuration Qpid has out of the box.

The root cause is that the Qpid transport only supports PLAIN authentication instead of ANONYMOUS. To fix this I propose the following:

1) Add ANONYMOUS as a default authentication type in addition to PLAIN in python-kombu
2) Test the adjusted python-kombu with a vanilla, unconfigured Qpid install
3) Update the tests to match this change
4) Update the Pulp docs some so they identify that the default setup uses ANONYMOUS auth, but that the user can also configure SASL for username/password auth.

Comment 1 Brian Bouterse 2014-09-04 14:53:11 UTC
Two users on the mailing list indicated they spent a lot of time as a result of this not being fixed. I'm moving it to 2.5.1 with high priority.

Comment 2 Brian Bouterse 2014-09-10 17:39:00 UTC
After looking more into this, this should work today if the user makes no changes to the qpidd.conf and has cyrus-sasl-plain installed, except that Qpid doesn't create the SASL DB with guest/guest as it says it does.

I've filed an upstream issue [0] with Qpid on this, but we should still enable ANONYMOUS auth. The reasons I have are these:

1) a SASL auth that uses guest/guest is no more secure than ANONYMOUS auth
2) ANONYMOUS achieves the out of the box experience we are looking for
3) upstream kombu doesn't have a mechanism to bundle cyrus-sasl-plain automatically so their unboxing experience will still require thought, reading, and effort

Comment 3 Brian Bouterse 2014-09-10 18:05:59 UTC
Through discussion in IRC, upstream Qpid will likely remove the docs statements that claim that they configure a simple SASL DB for the users. That doubly supports the idea of us allowing ANONYMOUS because Qpid literally only works with ANONYMOUS out of the box.

Comment 4 Chris Duryee 2014-09-11 20:41:11 UTC
https://github.com/pulp/pulp/pull/1153

Comment 5 Chris Duryee 2014-09-19 17:03:45 UTC
merged to pulp/kombu and pulp/pulp (2.5-dev and master)

Comment 6 Brian Bouterse 2014-09-26 14:10:23 UTC
The actual PR for this was made later, and is:  https://github.com/pulp/pulp/pull/1165

Comment 7 Chris Duryee 2014-12-23 20:52:49 UTC
fixed in pulp 2.6.0-0.2.beta

Comment 8 Preethi Thomas 2015-01-29 21:21:45 UTC
verified
pulp server works without having to make auth=no in qpidd.conf
Tested in el6 & el7

Comment 9 Brian Bouterse 2015-02-28 22:14:03 UTC
Moved to https://pulp.plan.io/issues/477
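
The mismatch described in this report, as an added example that is not part of the bug report or of kombu, Pulp or Qpid code: a simplified model of how a client's allowed SASL mechanisms meet what the broker offers, and which pairings end up with no verified identity. The mechanism strings, the sample qpidd.conf text and the function names are constructed assumptions.

```python
# Added example: simplified model, not kombu or qpidd code.
# Mechanism lists and config text below are constructed samples.

def broker_auth_enabled(qpidd_conf):
    """True unless qpidd.conf turns authentication off (e.g. auth=no).

    Assumes key=value lines with '#' comments and that auth defaults to on;
    treating 'false' and '0' like 'no' is an assumption about spellings.
    """
    enabled = True
    for raw in qpidd_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key == "auth":
            enabled = value not in ("no", "false", "0")
    return enabled


def select_mechanism(client_allowed, broker_offered):
    """First mechanism in the client's preference order that the broker offers."""
    offered = {m.upper() for m in broker_offered.split()}
    for mech in client_allowed.upper().split():
        if mech in offered:
            return mech
    return None


def assess(qpidd_conf, client_allowed, broker_offered):
    """Classify a client/broker pairing as (outcome, mechanism)."""
    if not broker_auth_enabled(qpidd_conf):
        return ("open", None)            # workaround (a): nobody is authenticated
    mech = select_mechanism(client_allowed, broker_offered)
    if mech is None:
        return ("fail", None)            # the reported bug: nothing in common
    if mech == "ANONYMOUS":
        return ("anonymous", mech)       # connects, but no identity is verified
    return ("authenticated", mech)       # workaround (b): SASL with credentials


VANILLA_CONF = "# stock qpidd.conf, no auth line (constructed)\n"
if __name__ == "__main__":
    print(assess(VANILLA_CONF, "PLAIN", "ANONYMOUS"))            # before the fix
    print(assess(VANILLA_CONF, "PLAIN ANONYMOUS", "ANONYMOUS"))  # after the fix
    print(assess("auth=no\n", "PLAIN", "ANONYMOUS"))             # workaround (a)
    print(assess(VANILLA_CONF, "PLAIN ANONYMOUS", "PLAIN"))      # workaround (b)
```

Only the "authenticated" outcome ties a connection to a credential; "open" and "anonymous" both accept any client that can reach the broker.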

