Bug 476716 - Feature: GSSAPI support in ruby client
Summary: Feature: GSSAPI support in ruby client
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-sdk
Version: 1.1
Hardware: All
OS: Linux
urgent
medium
Target Milestone: 1.1.1
: ---
Assignee: Ted Ross
QA Contact: Frantisek Reznicek
URL:
Whiteboard:
Depends On: 472519
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-16 18:14 UTC by Gordon Sim
Modified: 2015-11-16 00:06 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-04-21 16:17:31 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Ruby code used to test (2.03 KB, text/plain)
2009-04-14 09:03 UTC, Jan Sarenik
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2009:0434 0 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging and Grid Version 1.1.1 2009-04-21 16:15:50 UTC

Description Gordon Sim 2008-12-16 18:14:39 UTC
Authentication and encryption.

Comment 1 Ted Ross 2009-01-20 21:34:09 UTC
This feature is now implemented upstream as of revision 736111.

Comment 2 Jan Sarenik 2009-02-19 10:45:22 UTC
Which one is the ruby client please?

Comment 3 Jan Sarenik 2009-02-19 15:19:11 UTC
It is in the package ruby-qpid (I would rather like qpid-ruby).

Comment 4 Jan Sarenik 2009-02-23 09:37:15 UTC
But I have still no idea how to test GSSAPI auth as
I do not feel capable of writing my own ruby test
at the moment. Any hint please?

Comment 5 Jan Sarenik 2009-02-23 10:34:25 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=472519
for more info on how I configure simple Kerberos5 testing
environment.

For testing ruby client's GSSAPI auth I am trying to use
qpid/ruby/examples/hello-world.rb but experiencing an issue
that the client does not auth using GSSAPI mechanism at all.

----------------------------------------------------------------
# ./hello-world.rb dhcp-0-137.brq.redhat.com
/usr/lib/ruby/site_ruby/1.8/qpid/connection.rb:143:in `start': Qpid::ConnectionFailed
        from ./hello-world.rb:32
----------------------------------------------------------------

while on console running 'qpidd --auth yes --realm EXAMPLE.COM -t'
I am getting this:
----------------------------------------------------------------
2009-feb-23 11:26:43 debug RECV [10.34.0.137:42225] INIT(0-10)
2009-feb-23 11:26:43 debug min_ssf: 0, max_ssf: 256
2009-feb-23 11:26:43 info SASL: Mechanism list: PLAIN ANONYMOUS GSSAPI LOGIN
2009-feb-23 11:26:43 trace SENT 10.34.0.137:42225 INIT(0-10)
2009-feb-23 11:26:43 trace SENT [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionStartBody: server-properties={qpid.federation_tag:V2:36:str16(2ff202c7-695f-4635-829d-7b71408c85cc)}; mechanisms=str16{V2:5:str16(PLAIN), V2:9:str16(ANONYMOUS), V2:6:str16(GSSAPI), V2:5:str16(LOGIN)}; locales=str16{V2:5:str16(en_US)}; }]
2009-feb-23 11:26:43 trace RECV [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionStartOkBody: client-properties={platform:V2:9:vbin16(linux-gnu),product:V2:18:vbin16(qpid python client),version:V2:11:vbin16(development)}; mechanism=PLAIN; response=xxxxxx; }]
2009-feb-23 11:26:43 info SASL: Starting authentication with mechanism: PLAIN
2009-feb-23 11:26:43 info SASL: Authentication failed: SASL(-13): user not found: Password verification failed
2009-feb-23 11:26:43 debug Exception constructed: Authentication failed
2009-feb-23 11:26:43 trace SENT [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320; reply-text=connection-forced: Authentication failed; }]
2009-feb-23 11:26:43 trace RECV [10.34.0.137:42225]: Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
2009-feb-23 11:26:43 debug DISCONNECTED [10.34.0.137:42225]
----------------------------------------------------------------

To prove that the setup is generally working, I am including
some more output:
----------------------------------------------------------------
# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: testuser

Valid starting     Expires            Service principal
02/23/09 11:17:31  02/24/09 11:17:31  krbtgt/EXAMPLE.COM
02/23/09 11:18:36  02/24/09 11:17:31  qpidd/dhcp-0-137.brq.redhat.com

# perftest -b dhcp-0-137.brq.redhat.com --count 1
Processing 1 messages from sub_ready . done.
Sending start 1 times to pub_start
Processing 1 messages from pub_done . done.
Processing 1 messages from sub_done . done.

Total 2 transfers of 1024 bytes in 0.016159 seconds.

Publish transfers/sec:    
214.318
Average: 214.318

Subscribe transfers/sec:  
19.1745
Average: 19.1745

Total transfers/sec:      123.77
Total Mbytes/sec: 0.120869

# perftest --count 1 # do not try to run it without FQDN
2009-feb-23 11:29:10 warning Closing connection due to internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database) (qpid/client/SaslFactory.cpp:226)

internal-error: Sasl error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database) (qpid/client/SaslFactory.cpp:226)
----------------------------------------------------------------

Comment 6 Jan Sarenik 2009-02-23 10:43:24 UTC
I wonder if this is the issue:
# rpm -q ruby-qpid
ruby-qpid-0.3.725356-2.el5

This is the latest version in mrg-devel repo at the moment.

Comment 7 Ted Ross 2009-02-26 14:02:00 UTC
GSSAPI support was introduced upstream at revision 736111.  The RPMs you are testing are too old.

Comment 8 Jeff Needle 2009-02-27 16:06:54 UTC
Please move this to MODIFIED with a pointer to the new package when it is brewed.  Moving back to ASSIGNED.

Comment 9 Jan Sarenik 2009-03-03 12:19:05 UTC
There is new ruby-qpid package, see
https://brewweb.devel.redhat.com/buildinfo?buildID=82344

Comment 10 Jan Sarenik 2009-03-03 15:59:20 UTC
Verified for ruby-qpid-0.4.749380-1.el5 which is not yet in
candidate repos.

Comment 11 Jan Sarenik 2009-04-14 09:03:59 UTC
Created attachment 339446 [details]
Ruby code used to test

Comment 13 errata-xmlrpc 2009-04-21 16:17:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0434.html


Note You need to log in before you can comment on or make changes to this bug.