For this feature we need to be able to configure inter-broker links to use SASL for authentication and encryption. As well as picking up the preferred mechanism, it should be possible for the mechanism to be overridden. The principal to authenticate as will also need to be configured and (depending on mechanism) there will need to be some way to specify the password.
Could you please summarize how to validate it?
See also: https://issues.apache.org/jira/browse/QPID-1672
To validate this you would set up a broker to only allow mechanisms other than PLAIN/ANONYMOUS, and make sure that this broker could be both the source and destination for inter-broker links.
A fix to this bug also needs to be tested with a cluster at either end of the connection.
Created attachment 449476: to be applied from trunk/qpid

In the trunk/qpid dir, after applying this patch, do this:

    rm ./cpp/src/qpid/client/Sasl.h ./cpp/src/qpid/client/SaslFactory.*
This is not my final patch -- just here to help getting it reviewed. I will mark BZ MODI after that review, and then attach final patch.
Fixed by checkin 1024541 .
Can't mark as "modified" yet, because there is no package to test in.
Note: This fix modified qpid-tool. The fix is also in the qpid-tools package: Moved to mrg_1.3.0.x branch. Released in qpid-tools-0.7.946106-12 http://mrg1.lab.bos.redhat.com/cgit/qpid.git/tag/?id=qpid-tools-0.7.946106-12
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

Although we have long had the ability to connect from a client to a broker using SASL, and using SSL as the 'external' SASL mechanism, it was not possible to do likewise with the link between two brokers of a federation. To make this work, one broker in a federation has to behave as the SASL server, while the other acts as the SASL client. Some SASL-related code needed to be moved from the client library into the common library, so that it could be used by both brokers and clients. It was also necessary to modify qpid-config so that it can set the SASL mechanism when it creates a federation (inter-broker) link.

Federated links can now be SASLized, with an external mechanism of SSL. There is a test at cpp/src/tests/sasl_fed_ex to demonstrate.
Can anyone explain what's happening on the DEST BROKER? (very bottom log of this post)

/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5673 add exchange direct exc_tstid01_base00_ext00
/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5673 add queue que_tstid01_base00_ext00
/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5673 bind exc_tstid01_base00_ext00 que_tstid01_base00_ext00 bnd_tstid01_base00_ext00
/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5674 add exchange direct exc_tstid01_base00_ext00
/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5674 add queue que_tstid01_base00_ext00
/usr/bin/qpid-config -a hp-xw9400-01.rhts.eng.bos.redhat.com:5674 bind exc_tstid01_base00_ext00 que_tstid01_base00_ext00 bnd_tstid01_base00_ext00
/usr/bin/qpid-route queue add tester.eng.bos.redhat.com:5674 tester.eng.bos.redhat.com:5673 exc_tstid01_base00_ext00 que_tstid01_base00_ext00 --sasl-mechanism=GSSAPI

SOURCE QPIDD log

2011-02-07 13:38:44 debug RECV [10.16.65.4:48043] INIT(0-10)
2011-02-07 13:38:44 debug External ssf=0 and auth=
2011-02-07 13:38:44 debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2011-02-07 13:38:44 info SASL: Mechanism list: GSSAPI
2011-02-07 13:38:44 debug Management object (V1) added: org.apache.qpid.broker:connection:10.16.65.4:48043
2011-02-07 13:38:44 warning Client closed connection with 541: internal-error: interaction disallowed
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.clientDisconnect

DESTINATION QPIDD log

2011-02-07 13:38:44 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:44 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)
2011-02-07 13:38:44 debug CyrusSasl::start(PLAIN)
2011-02-07 13:38:44 debug min_ssf: 0, max_ssf: 256
2011-02-07 13:38:44 debug getUserFromSettings(): tester
2011-02-07 13:38:44 debug Exception constructed: interaction disallowed
2011-02-07 13:38:44 debug DISCONNECTED [hp-xw9400-01.rhts.eng.bos.redhat.com:5673]
2011-02-07 13:38:44 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-07 13:38:44 warning Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:44 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
2011-02-07 13:38:46 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:46 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)
2011-02-07 13:38:46 debug CyrusSasl::start(PLAIN)
2011-02-07 13:38:46 debug min_ssf: 0, max_ssf: 256
2011-02-07 13:38:46 debug getUserFromSettings(): tester
2011-02-07 13:38:46 debug Exception constructed: interaction disallowed
2011-02-07 13:38:46 debug DISCONNECTED [hp-xw9400-01.rhts.eng.bos.redhat.com:5673]
2011-02-07 13:38:46 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-07 13:38:46 warning Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:46 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
2011-02-07 13:38:48 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:48 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:48 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-07 13:38:48 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-07 13:38:48 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)
The above exception is thrown from src/qpid/SaslFactory.cpp:343, CyrusSasl::interact(...):

    void CyrusSasl::interact(sasl_interact_t* client_interact)
    {
        /* In some context console interaction cannot be allowed, such as when this code run as part of a broker, or as a some other daemon. In those cases we will treat the attempt to */
        if ( ! allowInteraction ) {
            throw InternalErrorException("interaction disallowed");
        }
        if (client_interact->id == SASL_CB_PASS) {
            // password callback: read it from the terminal without echo
            char* password = getpass(client_interact->prompt);
            input = std::string(password);
            client_interact->result = input.data();
            client_interact->len = input.size();
        } else {
            // any other callback (user name, authorization id, ...): prompt on stdout, read from stdin
            std::cout << client_interact->prompt;
            if (client_interact->defresult) std::cout << " (" << client_interact->defresult << ")";
            std::cout << ": ";
            if (std::cin >> input) {
                client_interact->result = input.data();
                client_interact->len = input.size();
            }
        }
    }

It seems that the CyrusSasl class gets allowInteraction equal to false from src/qpid/broker/ConnectionHandler.cpp, ConnectionHandler::Handler::start(...), lines 249-256 [allowInteraction is true by default]:

    if ( connection.getBroker().isAuthenticating() ) {
        sasl = SaslFactory::getInstance().create( username,
                                                  password,
                                                  service,
                                                  host,
                                                  0,        // TODO -- mgoulish Fri Sep 24 2010
                                                  256,
                                                  false );  // disallow interaction
I'll try to add additional information to comment #19: I'm trying to create a "queue" type federation link over GSSAPI. The host setup was reduced to a single host. The source broker runs on port 5673, the destination on 5674. The utility qpid-route (log below) shows the link as established. The log in comment #19 shows that the source broker tries to establish a connection over GSSAPI every 2 seconds with the same result (interaction disallowed). On the destination broker there is a raiseEvent:

    debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
    ...
    debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown

Then I'm trying to send messages into the previously created queues on the source broker, and read them on the destination broker. The result is that messages can be found only on the source broker - so messages are not passing to the destination queue over the federation link when using the external auth mechanism GSSAPI.

qpid-route route map $(uname -n):5674

Finding Linked Brokers:
    hp-xw9400-01.rhts.eng.bos.redhat.com:5674... Ok
    hp-xw9400-01.rhts.eng.bos.redhat.com:5673... Ok

Dynamic Routes:
  none found

Static Routes:
  hp-xw9400-01.rhts.eng.bos.redhat.com:5674(ex=exc_tstid01_base00_ext00) <= hp-xw9400-01.rhts.eng.bos.redhat.com:5673(queue=que_tstid01_base00_ext00)

SOURCE>>

2011-02-08 04:20:33 debug RECV [10.16.65.4:50430] INIT(0-10)
2011-02-08 04:20:33 debug External ssf=0 and auth=
2011-02-08 04:20:33 debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2011-02-08 04:20:33 info SASL: Mechanism list: GSSAPI
2011-02-08 04:20:33 debug Management object (V1) added: org.apache.qpid.broker:connection:10.16.65.4:50430
2011-02-08 04:20:33 warning Client closed connection with 541: internal-error: interaction disallowed
2011-02-08 04:20:33 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.clientDisconnect

DEST>>

2011-02-08 04:22:37 debug Inter-broker link connecting to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 info Inter-broker link established to hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-08 04:22:37 debug Management object (V1) added: org.apache.qpid.broker:connection:hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 debug SENT [hp-xw9400-01.rhts.eng.bos.redhat.com:5673] INIT(0-10)
2011-02-08 04:22:37 debug CyrusSasl::start(PLAIN)
2011-02-08 04:22:37 debug min_ssf: 0, max_ssf: 256
2011-02-08 04:22:37 debug Exception constructed: interaction disallowed
2011-02-08 04:22:37 debug DISCONNECTED [hp-xw9400-01.rhts.eng.bos.redhat.com:5673]
2011-02-08 04:22:37 info Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673 Closed by peer
2011-02-08 04:22:37 warning Inter-broker link disconnected from hp-xw9400-01.rhts.eng.bos.redhat.com:5673
2011-02-08 04:22:37 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tester

Valid starting     Expires            Service principal
02/07/11 14:26:04  02/08/11 14:26:04  krbtgt/PEPE.COM
02/07/11 14:26:04  02/08/11 14:26:04  qpidd/hp-xw9400-01.rhts.eng.bos.redhat.com

/usr/sbin/qpidd -d --data-dir /tmp/5673 --port 5673 --log-to-stderr no --log-to-stdout no --log-enable debug+ --log-to-file /tmp/5673/qpidd.log --auth yes --realm PEPE.COM
/usr/sbin/qpidd -d --data-dir /tmp/5674 --port 5674 --log-to-stderr no --log-to-stdout no --log-enable debug+ --log-to-file /tmp/5674/qpidd.log --auth yes --realm PEPE.COM
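An added log-triage helper, not part of this bug report or of the Qpid project, that reads the two broker logs quoted above and reports what a defender would want from them: the mechanism the source (SASL server) side advertised, the mechanism the destination (SASL client) side started, the client-side exceptions, and how many brokerLinkUp/brokerLinkDown cycles the link went through. The sample log lines are constructed to match the format quoted in this comment, and the line patterns it matches are assumptions taken from those quotes.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the broker logs quoted in this comment (not a real capture).
SOURCE_LOG = """\
2011-02-08 04:20:33 info SASL: Mechanism list: GSSAPI
2011-02-08 04:20:33 warning Client closed connection with 541: internal-error: interaction disallowed
"""
DEST_LOG = """\
2011-02-08 04:22:37 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-08 04:22:37 debug CyrusSasl::start(PLAIN)
2011-02-08 04:22:37 debug Exception constructed: interaction disallowed
2011-02-08 04:22:37 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
2011-02-08 04:22:39 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkUp
2011-02-08 04:22:39 debug CyrusSasl::start(PLAIN)
2011-02-08 04:22:39 debug Exception constructed: interaction disallowed
2011-02-08 04:22:39 debug SEND raiseEvent (v1) class=org.apache.qpid.broker.brokerLinkDown
"""

# Patterns assumed from the quoted log format: server-side mechanism list,
# client-side mechanism start, link up/down events and the client-side exception.
MECH_LIST = re.compile(r"SASL: Mechanism list: (.+)$")
CLIENT_START = re.compile(r"CyrusSasl::start\(([\w-]+)\)")
LINK_EVENT = re.compile(r"class=org\.apache\.qpid\.broker\.(brokerLinkUp|brokerLinkDown)")
EXCEPTION = re.compile(r"Exception constructed: (.+)$")

def diagnose_link(source_log, dest_log):
    """Explain a flapping inter-broker link from the SASL server (source) and SASL client
    (destination) logs: mechanisms offered vs attempted, exceptions, and up->down cycles."""
    offered = set()
    for line in source_log.splitlines():
        if m := MECH_LIST.search(line):
            offered.update(m.group(1).split())
    attempted, errors, flaps, link_up = set(), Counter(), 0, False
    for line in dest_log.splitlines():
        if m := CLIENT_START.search(line):
            attempted.add(m.group(1))
        elif m := EXCEPTION.search(line):
            errors[m.group(1)] += 1
        elif m := LINK_EVENT.search(line):
            if m.group(1) == "brokerLinkUp":
                link_up = True
            elif link_up:           # a Down that follows an Up is one flap
                flaps += 1
                link_up = False
    # The client never started a mechanism the server advertised.
    mismatch = bool(attempted) and not (attempted & offered)
    return {"offered": offered, "attempted": attempted, "errors": dict(errors),
            "flaps": flaps, "mechanism_mismatch": mismatch}
```

Run against the real log files with their contents passed in place of the constructed samples; a non-zero flap count together with mechanism_mismatch is the signature this comment describes.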
It looks like the tool qpid-route can be used in more than one way to create a route between two brokers. But I only extended one of those --- "qpid-route route add" --- to have the new "external" flag. The QE script that is being used to test this feature is using a different method: "qpid-route queue add". That has not been extended, and so the broker is not being told to use SASL EXTERNAL. Please see my test script cpp/src/tests/sasl_fed_ex Also, the help message in qpid-route says that the flag "--sasl-mechanism" is "not for authentication between the source and destination brokers" --- but that flag is being used in the script.
I can verify that creating a federation link of type "exchange-to-exchange" works, and for such a federation link type the user can specify the preferred mechanism. As I tried to propose above, it does not work (or it's unclear) how a user can create a link for the "queue-to-exchange" and "dynamic-exchange link" federation link types (via the qpid-route tool these are "qpid-route queue add" and "qpid-route dynamic add").
Verified with SSL on RHEL4, RHEL5, RHEL6 (both i386 and x86_64):
- as passing SSL credentials between server-broker and client-broker is still not supported by the python API, there is https://bugzilla.redhat.com/show_bug.cgi?id=694762

Verified with the GSSAPI mechanism on RHEL5, RHEL6 (i386, x86_64)

VERIFIED
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -4,4 +4,8 @@ It was also necessary to modify qpid-config so that it can set the SASL mechanism when it creates a federation (inter-broker) link. -Federated links can now be SASLized, with an external mechanism of SSL. There is a test at cpp/src/tests/sasl_fed_ex to demonstrate.+Federated links can now be SASLized, with an external mechanism of SSL. There is a test at cpp/src/tests/sasl_fed_ex to demonstrate. + +Technical Notes Entry: + +Previously, the messaging-broker connected successfully from a client to a broker using SASL as well as via SSL as the external SASL mechanism but a similar connection between two brokers of a federation was not possible. Changes have been made to qpid-config and the location of some SASL-related code to allow one federation broker to act as an SASL server while the other acts as an SASL client. Federated links can now be connected with SASL, with the external mechanism of SSL. A test that demonstrates this new connectivity is available at cpp/src/tests/sasl_fed_ex.
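Review bot: the added "Technical Notes Entry" restates the retained sentence above it ("Federated links can now be SASLized, with an external mechanism of SSL. There is a test at cpp/src/tests/sasl_fed_ex to demonstrate."), so the note now makes the same statement twice; keep only one of the two paragraphs. Wording in the added lines: "an SASL server" / "an SASL client" should be "a SASL server" / "a SASL client", and "the messaging-broker connected successfully from a client to a broker" reads as though the broker did the connecting; "a client could connect to the broker using SASL" says what is meant.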
Technical note can be viewed in the release notes for 2.0 at the documentation stage here: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2.0/html-single/MRG_Release_Notes/index.html#tabl-MRG_Release_Notes-RHM_Update_Notes-RHM_Update_Notes
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2011-0890.html