Bug 604149 - [RFE] qpid-tools python clients should have possibility to choose authentication mechanism.
[RFE] qpid-tools python clients should have possibility to choose authenticat...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-qmf (Show other bugs)
Development
All Linux
medium Severity medium
: 2.0
: ---
Assigned To: Jonathan Robie
Petra Svobodová
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-15 10:07 EDT by Frantisek Reznicek
Modified: 2015-11-15 20:12 EST (History)
7 users (show)

See Also:
Fixed In Version: qpid-tools-0.9.1078967-1
Doc Type: Enhancement
Doc Text:
Qpid-tool's python clients (such as qpid-config, qpid-queue-stats, qpid-route, qpid-stat and qpid-printevents) are now able to select the mechanism used by them for authentication.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-07-05 10:15:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Frantisek Reznicek 2010-06-15 10:07:46 EDT
Description of problem:

qpid-tools python clients (qpid-tool, qpid-config, qpid-route, ...) should have possibility to choose authentication mechanism.

All qpid-tools clients does not have possibility to choose authentication mechanism which leads sometimes to very difficult situation, because mechanism picked by cyrus-sasl is not always suitable.


Version-Release number of selected component (if applicable):
qpid-tools-0.7.946106-4.el5

How reproducible:
100%

Steps to Reproduce:
1. qpid-config --help | grep -Ei '(mech|auth)'

Actual results:
pid-tools python clients does not have have possibility to choose authentication mechanism.

Expected results:
pid-tools python clients should have possibility to choose authentication mechanism.

Additional info:
Comment 1 Jonathan Robie 2010-12-10 17:12:28 EST
I'm not sure that I clearly understand the use case. 

You say:

> which leads sometimes to very difficult situation, because
> mechanism picked by cyrus-sasl is not always suitable.

What are the situations in which the mechanmism picked by
cyrus-sasl is not suitable? 

As I understand it, cyrus-sasl always picks the most secure
mechanism that is supported by both the server and the client. If
the mechanism requires a password, it can be specified in the
connection URL. The other mechanisms do not affect the command
line of these tools.

Are you thinking of a scenario where a test environment sets up a
broker that supports many mechanisms, then tests each mechanism?
Is this only for testing, or is this something that you would
envision someone actually using in a production environment?
Comment 2 Frantisek Reznicek 2010-12-13 09:45:27 EST
This defect requests possibility to select authentication mechanism for underlying SASL layer.

There are couple of situations when forcing the specific authentication mechanism is the only way to get management data.

Lately I have been reviewing a GSSAPI client - broker scenario and in situation when kerberos setup was not correct or tickets were intentionally destroyed to prove that client does not succeeds the authentication qpid-tools fail to execute the operation.

These two scenarios highlight need of adding possibility to select the authentication mechanism for qpid-tools.
Comment 3 Jonathan Robie 2010-12-13 09:53:47 EST
As I understand it, all that is needed is the ability to select the mechanism by name, as in perftest?
Comment 4 Jonathan Robie 2010-12-21 18:48:02 EST
Done, upstream in revision 1051700.
Comment 5 Jonathan Robie 2011-01-14 10:08:44 EST
The following revisions are related:

Revision: 1055267

Allow any SASL mechanism to be specified in command line options.

Previously used a fixed list of SASL mechanisms.  

Revision: 1055632

Fixes typo in findById function declaration.
Comment 7 Petra Svobodová 2011-05-12 10:50:21 EDT
Some qpid-tools python clients have possibility to choose authentication mechanism but others do not; see lists bellow.

Tools with possibility to choose the authentication mechanism (via the "sasl-mechanism" option):
qpid-config
qpid-queue-stats
qpid-route (via the "client-sasl-mechanism" option)
qpid-stat
qpid-printevents

Tools with authentication option but without possibility to choose authentication mechanism:
qpid-tool
qmf-tool 

Tools without authentication option:
qpid-cluster
qpid-cluster-store

I'm unclear about qpid-cluster-store case. I guess this tool does not create broker connection and thus should not have sasl-mechanism switch, right?

Tested packages: qpid-cpp - 0.10.3 on RHEL 5.6 / 6.1 i[36]86/ x86_64 

-->ASSIGNED
Comment 8 Misha H. Ali 2011-05-31 03:17:35 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Qpid-tool's python clients (such as qpid-config, qpid-queue-stats, qpid-route, qpid-stat and qpid-printevents) are now able to select the mechanism used by them for authentication.
Comment 9 Petra Svobodová 2011-06-01 06:16:00 EDT
My question is still pending, raising NEEDINFO back.
Comment 11 Gordon Sim 2011-06-03 07:29:49 EDT
https://bugzilla.redhat.com/show_bug.cgi?id=710429 raised to cover the absence of the feature in the remaining three tools (qpid-cluster-store is a separate case as it does not connect to a broker and therefore does not authenticate at all).
Comment 12 Misha H. Ali 2011-06-05 23:34:24 EDT
Technical note can be viewed in the release notes for 2.0 at the documentation stage here:

http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_MRG/2.0/html-single/MRG_Release_Notes/index.html#tabl-MRG_Release_Notes-CONSOLE_Update_Notes-CONSOLE_Update_Notes
Comment 14 Petra Svobodová 2011-06-09 10:37:13 EDT
Hi Gordon,

thank you for answer my question and for creating the additional bug.

The "qpid-tools" for which the possibility to choose the authentication mechanism is relevant, except "qpid-cluster", "qpid-tool" and "qmf-tool" (see bug 710429) can choose the authentication mechanism.

--> VERIFIED

Note You need to log in before you can comment on or make changes to this bug.