Changes introduced in BZ 606391 have impacted the default OOTB SASL-based authorization for the condor qmf plugins. In the absence of the new configuration described in 606391, the plugins won't be able to establish an authenticated connection to the broker when it has SASL turned on.

Note that the schedd plugin relies on broker SASL auth in order to provide us with a userid string that is checked in the mgmt plugin. This is our only security safeguard for submissions from QMF at this time.

Some options:

1) revert defaults in plugins, etc. to use "guest/guest" identity when initializing the agent if it can't get condor params for same. The guest user is OOTB with the broker install IIRC.
2) doc updates that explicitly expand the broker auth setup instructions for secured submissions
   - broker & sasl config AND
   - condor user/password config from 606391

Looks like option #2 is really what is called for. We can no longer rely on the guest user id being an OOTB credential. The ACL file passed to the broker like this:

    sudo qpidd --load-module /usr/lib/qpid/daemon/acl.so --acl-file /full/path/to/qpidd.acl --auth=yes

should have lines like:

    acl allow cumin@QPID all all
    acl allow anonymous@QPID all all
    acl deny all all

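
An added example, not part of the original comments or of the qpid or condor code: a small Python audit of the ACL quoted in the comment above, reporting which rule decides a request and which identities are left with unrestricted access. It assumes top-down, first-match evaluation and handles only plain `acl <allow|deny> <user> <action> [object]` lines (no groups or properties).

```python
# Added example: audit a qpidd ACL of the simple form quoted in the comment above.
# Assumptions: rules are evaluated top-down, the first match decides, and an
# omitted object field means "all". Group and property rules are rejected.

SAMPLE_ACL = """\
# constructed sample: the three rules quoted in the comment above
acl allow cumin@QPID all all
acl allow anonymous@QPID all all
acl deny all all
"""


def parse_acl(text):
    """Return a list of (lineno, permission, user, action, obj) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if (len(fields) not in (4, 5) or fields[0] != "acl"
                or fields[1] not in ("allow", "deny")):
            raise ValueError(f"line {lineno}: unsupported rule: {raw!r}")
        obj = fields[4] if len(fields) == 5 else "all"
        rules.append((lineno, fields[1], fields[2], fields[3], obj))
    return rules


def decide(rules, user, action, obj):
    """Return (permission, lineno) of the first matching rule; no match is deny."""
    for lineno, permission, r_user, r_action, r_obj in rules:
        if (r_user in ("all", user) and r_action in ("all", action)
                and r_obj in ("all", obj)):
            return permission, lineno
    return "deny", None


def unrestricted_users(rules):
    """Users whose first applicable rule is 'allow <user> all all'."""
    found, seen = [], set()
    for _, permission, user, action, obj in rules:
        if user not in seen and (permission, action, obj) == ("allow", "all", "all"):
            found.append(user)
        if user == "all":
            break  # a catch-all rule applies before any later per-user rule
        seen.add(user)
    return found
```
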
This is really a documentation issue.

*** This bug has been marked as a duplicate of bug 687872 ***