Bug 476716 - Feature: GSSAPI support in ruby client
Feature: GSSAPI support in ruby client
Status: CLOSED ERRATA
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-sdk (Show other bugs)
1.1
All Linux
urgent Severity medium
: 1.1.1
: ---
Assigned To: Ted Ross
Frantisek Reznicek
:
Depends On: 472519
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-16 13:14 EST by Gordon Sim
Modified: 2015-11-15 19:06 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-21 12:17:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Ruby code used to test (2.03 KB, text/plain)
2009-04-14 05:03 EDT, Jan Sarenik
no flags Details

  None (edit)
Description Gordon Sim 2008-12-16 13:14:39 EST
Authentication and encryption.
Comment 1 Ted Ross 2009-01-20 16:34:09 EST
This feature is now implemented upstream as of revision 736111.
Comment 2 Jan Sarenik 2009-02-19 05:45:22 EST
Which one is the ruby client please?
Comment 3 Jan Sarenik 2009-02-19 10:19:11 EST
It is in the package ruby-qpid (I would rather like qpid-ruby).
Comment 4 Jan Sarenik 2009-02-23 04:37:15 EST
But I have still no idea how to test GSSAPI auth as
I do not feel capable of writing my own ruby test
at the moment. Any hint please?
Comment 5 Jan Sarenik 2009-02-23 05:34:25 EST
See https://bugzilla.redhat.com/show_bug.cgi?id=472519
for more info on how I configure simple Kerberos5 testing
environment.

For testing ruby client's GSSAPI auth I am trying to use
qpid/ruby/examples/hello-world.rb but experiencing an issue
that the client does not auth using GSSAPI mechanism at all.

----------------------------------------------------------------
# ./hello-world.rb dhcp-0-137.brq.redhat.com
/usr/lib/ruby/site_ruby/1.8/qpid/connection.rb:143:in `start': Qpid::ConnectionFailed
        from ./hello-world.rb:32
----------------------------------------------------------------

while on console running 'qpidd --auth yes --realm EXAMPLE.COM -t'
I am getting this:
----------------------------------------------------------------
2009-feb-23 11:26:43 debug RECV [10.34.0.137:42225] INIT(0-10)
2009-feb-23 11:26:43 debug min_ssf: 0, max_ssf: 256
2009-feb-23 11:26:43 info SASL: Mechanism list: PLAIN ANONYMOUS GSSAPI LOGIN
2009-feb-23 11:26:43 trace SENT 10.34.0.137:42225 INIT(0-10)
2009-feb-23 11:26:43 trace SENT [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={qpid.federation_tag:V2:36:str16(2ff202c7-695f-4635-829d-7b71408c85cc)}; mechanisms=str16{V2:5:str16(PLAIN), V2:9:str16(ANONYMOUS), V2:6:str16(GSSAPI), V2:5:str16(LOGIN)}; locales=str16{V2:5:str16(en_US)}; }]
2009-feb-23 11:26:43 trace RECV [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={platform:V2:9:vbin16(linux-gnu),product:V2:18:vbin16(qpid python client),version:V2:11:vbin16(development)}; mechanism=PLAIN; response=xxxxxx; }]
2009-feb-23 11:26:43 info SASL: Starting authentication with mechanism: PLAIN
2009-feb-23 11:26:43 info SASL: Authentication failed: SASL(-13): user not found: Password verification failed
2009-feb-23 11:26:43 debug Exception constructed: Authentication failed
2009-feb-23 11:26:43 trace SENT [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed; }]
2009-feb-23 11:26:43 trace RECV [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
2009-feb-23 11:26:43 debug DISCONNECTED [10.34.0.137:42225]
----------------------------------------------------------------

To prove that the setup is generally working, I am including
some more output:
----------------------------------------------------------------
# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser@EXAMPLE.COM

Valid starting     Expires            Service principal
02/23/09 11:17:31  02/24/09 11:17:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM
02/23/09 11:18:36  02/24/09 11:17:31  qpidd/dhcp-0-137.brq.redhat.com@EXAMPLE.COM

# perftest -b dhcp-0-137.brq.redhat.com --count 1
Processing 1 messages from sub_ready . done.
Sending start 1 times to pub_start
Processing 1 messages from pub_done . done.
Processing 1 messages from sub_done . done.

Total 2 transfers of 1024 bytes in 0.016159 seconds.

Publish transfers/sec:    
214.318
Average: 214.318

Subscribe transfers/sec:  
19.1745
Average: 19.1745

Total transfers/sec:      123.77
Total Mbytes/sec: 0.120869

# perftest --count 1 # do not try to run it without FQDN
2009-feb-23 11:29:10 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database) (qpid/client/SaslFactory.cpp:226)

internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database) (qpid/client/SaslFactory.cpp:226)
----------------------------------------------------------------
Comment 6 Jan Sarenik 2009-02-23 05:43:24 EST
I wonder if this is the issue:
# rpm -q ruby-qpid
ruby-qpid-0.3.725356-2.el5

This is the latest version in mrg-devel repo at the moment.
Comment 7 Ted Ross 2009-02-26 09:02:00 EST
GSSAPI support was introduced upstream at revision 736111.  The RPMs you are testing are too old.
Comment 8 Jeff Needle 2009-02-27 11:06:54 EST
Please move this to MODIFIED with a pointer to the new package when it is brewed.  Moving back to ASSIGNED.
Comment 9 Jan Sarenik 2009-03-03 07:19:05 EST
There is new ruby-qpid package, see
https://brewweb.devel.redhat.com/buildinfo?buildID=82344
Comment 10 Jan Sarenik 2009-03-03 10:59:20 EST
Verified for ruby-qpid-0.4.749380-1.el5 which is not yet in
candidate repos.
Comment 11 Jan Sarenik 2009-04-14 05:03:59 EDT
Created attachment 339446 [details]
Ruby code used to test
Comment 13 errata-xmlrpc 2009-04-21 12:17:31 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0434.html

Note You need to log in before you can comment on or make changes to this bug.