Bug 687872 - Need instructions for anonymous@QPID plugin authentication
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: Management_Console_Installation_Guide
Version: Development
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: 2.0
Assignee: Alison Young
QA Contact: ecs-bugs
URL:
Whiteboard:
Duplicates: 684458
Depends On:
Blocks: 660531
Reported: 2011-03-15 16:00 UTC by Pete MacKinnon
Modified: 2011-06-24 01:37 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-24 01:37:14 UTC
Target Upstream Version:
Embargoed:


Attachments
Changes for section 2.1 (17.51 KB, application/vnd.oasis.opendocument.text)
2011-03-31 21:08 UTC, Trevor McKay
Changes for section 4.1 (15.66 KB, application/vnd.oasis.opendocument.text)
2011-03-31 21:09 UTC, Trevor McKay

Description Pete MacKinnon 2011-03-15 16:00:54 UTC
The Console Guide should ensure that we put in explicit instructions for configuring an ACL file when SASL-based ACL is activated on the broker. The ACL file passed to the broker should have contents like:

acl allow cumin@QPID all all
acl allow anonymous@QPID all all
acl deny all all

"anonymous@QPID" will be the default credentials passed to the broker if the Admin hasn't made use of the new Condor QMF Broker parameters from Bug 606391. If credentials are configured as in Bug 606391, then they must replace or be added with the anonymous@QPID ACL rule.

Comment 1 Robert Rati 2011-03-17 14:41:47 UTC
*** Bug 684458 has been marked as a duplicate of this bug. ***

Comment 2 Trevor McKay 2011-03-31 21:08:45 UTC
Created attachment 489236
Changes for section 2.1

Comment 3 Trevor McKay 2011-03-31 21:09:53 UTC
Created attachment 489239
Changes for section 4.1

Comment 4 Trevor McKay 2011-03-31 21:10:57 UTC
Created open office attachments with change tracking on showing edits to Chapter 2, section 2.1 and Chapter 4, section 2.1.

Comment 5 Alison Young 2011-04-05 08:08:37 UTC
Change made in revision 0.1-1, build: Red_Hat_Enterprise_MRG-Management_Console_Installation_Guide-2.0-web-en-US-0.1-1.el5

Code snippets:

<section id="sect-Management_Console_Installation_Guide-Installing_the_CONSOLE-Configuring_the_RHM_Broker_for_use_with_the_CONSOLE_and_GRID">
<title>Configuring the &RHM; Broker for use with the &CONSOLE; and &GRID;</title>

In order to use the &RHM; broker with &CONSOLE; and &GRID;, the &RHM; broker must first be installed and configured.

<orderedlist id="orde-Management_Console_Installation_Guide-Configuring_the_RHM_Broker_for_use_with_the_CONSOLE-Configuring_the_RHM_Broker_for_Authentication_to_the_CONSOLE_and_GRID">
<title>Configuring the &RHM; Broker for Authentication of the &CONSOLE; and &GRID;</title>

<para>
	This command will create a <parameter>cumin</parameter> user in the SASL database. These credentials will be used by the Management Console to authenticate to the broker. The username and password will be needed later during installation and configuration of the &CONSOLE;.
</para>

<listitem>
<para>
	&GRID; will authenticate to the &RHM; broker using the <parameter>anonymous</parameter> mechanism by default. If <parameter>anonymous</parameter> authentication is permitted by the broker, this step can be skipped. If the broker has been configured to disallow <parameter>anonymous</parameter> authentication, credentials for &GRID; nodes must be created also.
</para>
<para>
	A user named <parameter>grid</parameter> is created below. This username is used by every &GRID; node. On the host, run the <command>saslpasswd2</command> command as the root user:
</para>
<screen>
# /usr/sbin/saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u QPID grid
</screen>
<para>
	When prompted, create a password.
</para>
<para>
	This command creates a <parameter>grid</parameter> user in the SASL database. These credentials will be used by &GRID; nodes to authenticate to the broker. Any valid username may be used, and multiple users may be created to be used by different &GRID; nodes. The username and password will be needed later during configuration of the &GRID; for use with the &CONSOLE;.
</para>
</listitem>

<formalpara>
<title>Adding &CONSOLE; and &GRID; credentials to optional broker ACLs</title>
<para>
	The &RHM; broker can be configured to use an access control list (ACL). If an ACL is present for the &RHM; broker, ensure the <parameter>cumin</parameter> and any &GRID; users are added. Note that if &GRID; is using <parameter>anonymous</parameter> authentication, the <parameter>anonymous@qpid</parameter> user must be added to the ACL. Information on setting up ACLs can be found in the <citetitle>&RHM; User Guide</citetitle>.
</para>
</formalpara>

<listitem>
<para>
	To set the broker address on all nodes which are <emphasis>not</emphasis> running the &RHM; broker locally, add the following line to the <filename>40QMF.config</filename> file and specify the hostname of the machine running the broker:
</para>
<programlisting>
QMF_BROKER_HOST = '&lt;<replaceable>hostname</replaceable>&gt;'
</programlisting>
</listitem>

<listitem>
<para>
	All &GRID; nodes will attempt to use the <parameter>anonymous</parameter> authentication mechanism unless specific parameters are set. Authentication credentials were optionally created for use by &GRID; nodes in Chapter 2. To use password authentication (the <parameter>plain</parameter> mechanism), set the parameters in the <filename>40QMF.config</filename> file on all nodes according to the <parameter>grid</parameter> credentials created in Chapter 2.
</para>
<programlisting>
QMF_BROKER_AUTH_MECH = PLAIN
QMF_BROKER_USERNAME = grid
QMF_BROKER_PASSWORD_FILE = '&lt;<replaceable>path</replaceable>&gt;'
</programlisting>
<para>
	The last parameter contains the path of a file containing the password for the <parameter>grid</parameter> user in plain text. This is the password supplied for the <parameter>grid</parameter> user when credentials were created. The security of the password file is the responsibility of system administrators.
</para>
</listitem>

