Bug 756402 - SPQR does not support every authentication mechanism available in qmfengine
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: ruby-spqr
Version: 2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: 2.1.1
Assignee: Will Benton
QA Contact: Martin Kudlej
Blocks: 765607
 
Reported: 2011-11-23 13:09 UTC by Will Benton
Modified: 2012-02-07 10:39 UTC (History)

Fixed In Version: ruby-spqr-0.3.5; wallaby-0.12.5
Doc Type: Bug Fix
Doc Text:
C: The SPQR library and the Wallaby service previously rejected authentication mechanisms other than PLAIN, ANONYMOUS, or GSSAPI.
C: The underlying QMF engine library supported additional mechanisms, which were unavailable to SPQR developers or Wallaby users.
F: The SPQR library and Wallaby service have been changed to not reject any valid SASL mechanism a priori.
R: Any SASL mechanism that is available to QMF and the configured Qpid broker will be available to SPQR and Wallaby.
Last Closed: 2012-02-06 18:18:08 UTC



Links
System: Red Hat Product Errata
ID: RHSA-2012:0100
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: MRG Grid security, bug fix, and enhancement update
Last Updated: 2012-02-06 23:15:47 UTC

Internal Links: 804616

Description Will Benton 2011-11-23 13:09:09 UTC
Description of problem:

As in title.

Version-Release number of selected component (if applicable):

spqr-0.3.3

How reproducible:

Specify an authentication mechanism supported by qmfengine but not one of PLAIN, ANONYMOUS, or GSSAPI, e.g., DIGEST-MD5.
  
Actual results:

SPQR will reject this mechanism.

Expected results:

SPQR should use the specified authentication mechanism.

Additional info:

Comment 1 Matthew Farrellee 2011-11-23 13:13:21 UTC
Note - wallaby-agent also has an explicit mechanism list

Comment 3 Luigi Toscano 2011-12-05 19:04:17 UTC
Are we going to support all the available mechanism (LOGIN, DIGEST-MD5, CRAM-MD5, ...)?

Comment 8 Will Benton 2012-01-09 15:43:06 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
C:  The SPQR library and the Wallaby service previously rejected authentication mechanisms other than PLAIN, ANONYMOUS, or GSSAPI.
C:  The underlying QMF engine library supported additional mechanisms, which were unavailable to SPQR developers or Wallaby users.
F:  The SPQR library and Wallaby service have been changed to not reject any valid SASL mechanism a priori.
R:  Any SASL mechanism that is available to QMF and the configured Qpid broker will be available to SPQR and Wallaby.

Comment 9 Martin Kudlej 2012-01-10 11:23:54 UTC
Wallaby agent has connected to a broker which supports just DIGEST-MD5.
$  qpid-stat  --sasl-mechanism=DIGEST-MD5 -b guest/guest@localhost:5672 -c
Connections
  client-addr                     cproc          cpid   auth        connected  idle  msgIn  msgOut
  ==================================================================================================
  127.0.0.1:5672-127.0.0.1:48422  qpid-stat      17080  guest@QPID  0s         0s     259    332
  127.0.0.1:5672-127.0.0.1:48421  wallaby-agent  17074  guest@QPID  12s        9s      54     28

But wallaby shell cannot connect to broker:
wallaby -U guest -P guest -M DIGET-MD5 show-group default-group
invalid argument: -M DIGET-MD5

Condor_configure_* work well after installing python-saslwrapper:
$ condor_configure_pool --default-group -l -U guest -P guest --auth-mechanism DIGEST-MD5

Other info:
$ cat /etc/sasl2/qpidd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb

#following line stops spurious 'sql_select option missing' errors when
#cyrus-sql-sasl plugin is installed
sql_select: dummy select

mech_list:DIGEST-MD5

$ cat /etc/qpidd.conf
cluster-mechanism=ANONYMOUS
auth=yes
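
The change in the technical note, checked against a broker mech_list like the one quoted above, as an added Ruby example; it is not code from SPQR, Wallaby or this report. All method and constant names are hypothetical, the name syntax is the one defined in RFC 4422, and the sample configuration is constructed to mirror the qpidd.conf shown.

```ruby
# Added illustration; every name here is hypothetical, not SPQR/Wallaby API.

# Behaviour before the fix, as the report describes it: a fixed client list.
LEGACY_MECHANISMS = %w[PLAIN ANONYMOUS GSSAPI].freeze

# RFC 4422 mechanism name: 1 to 20 characters from A-Z, 0-9, "-" and "_".
SASL_MECH_NAME = /\A[A-Z0-9_-]{1,20}\z/

# Behaviour after the fix: refuse only names that cannot be SASL mechanisms.
def well_formed_mechanism?(mech)
  mech.is_a?(String) && SASL_MECH_NAME.match?(mech)
end

# Extract mech_list from Cyrus SASL configuration text (qpidd.conf format).
# An empty result means no mech_list line, i.e. no broker-side restriction.
def broker_mech_list(conf_text)
  conf_text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(':', 2)
    return value.split.map(&:upcase) if key.strip == 'mech_list' && value
  end
  []
end

# Classify a requested mechanism as :rejected_by_client,
# :not_offered_by_broker or :negotiable.
def check_mechanism(mech, conf_text, legacy: false)
  accepted = legacy ? LEGACY_MECHANISMS.include?(mech) : well_formed_mechanism?(mech)
  return :rejected_by_client unless accepted
  offered = broker_mech_list(conf_text)
  return :negotiable if offered.empty? || offered.include?(mech)
  :not_offered_by_broker
end

# Constructed sample, mirroring the qpidd.conf quoted above.
SAMPLE_CONF = <<~CONF
  pwcheck_method: auxprop
  #following line stops spurious errors
  sql_select: dummy select
  mech_list:DIGEST-MD5
CONF

if __FILE__ == $PROGRAM_NAME
  %w[PLAIN DIGEST-MD5 CRAM-MD5].each do |m|
    puts "#{m}: legacy=#{check_mechanism(m, SAMPLE_CONF, legacy: true)} " \
         "fixed=#{check_mechanism(m, SAMPLE_CONF)}"
  end
end
```

With the client-side list gone, the broker's mech_list is the only place that restricts which mechanisms can be negotiated, so that is where unwanted mechanisms have to be excluded.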

Comment 10 Martin Kudlej 2012-01-10 11:29:20 UTC
Used packages:
ruby-wallaby-0.12.4-1.el5
wallaby-0.12.4-1.el5
wallaby-utils-0.12.4-1.el5
condor-wallaby-client-4.1.2-1.el5
python-wallabyclient-4.1.2-1.el5
condor-wallaby-tools-4.1.2-1.el5
ruby-spqr-0.3.5-1.el5
python-wallaby-0.12.4-1.el5
condor-wallaby-base-db-1.19-1.el5

python-wallaby-0.12.4-1.el6.noarch
condor-wallaby-base-db-1.19-1.el6.noarch
python-wallabyclient-4.1.2-1.el6.noarch
ruby-spqr-0.3.5-1.el6.noarch
wallaby-utils-0.12.4-1.el6.noarch
wallaby-0.12.4-1.el6.noarch
condor-wallaby-tools-4.1.2-1.el6.noarch
ruby-wallaby-0.12.4-1.el6.noarch
condor-wallaby-client-4.1.2-1.el6.noarch

Comment 11 Martin Kudlej 2012-01-11 11:00:59 UTC
Just to be sure that you know which Messaging packages I test this on:
cyrus-sasl-2.1.23-13.el6.i686
cyrus-sasl-plain-2.1.23-13.el6.i686
qpid-tools-0.12-2.el6.noarch
python-saslwrapper-0.10-2.el6.i686
qpid-cpp-client-0.12-6.el6.i686
qpid-qmf-0.12-6.el6.i686
python-qpid-qmf-0.12-6.el6.i686
cyrus-sasl-md5-2.1.23-13.el6.i686
saslwrapper-0.10-2.el6.i686
qpid-cpp-server-0.12-6.el6.i686
python-qpid-0.12-1.el6.noarch
ruby-qpid-qmf-0.12-6.el6.i686
cyrus-sasl-lib-2.1.23-13.el6.i686
condor-qmf-7.6.5-0.11.el6.i686
cyrus-sasl-gssapi-2.1.23-13.el6.i686

cyrus-sasl-lib-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
python-qpid-0.10-1.el5
qpid-cpp-server-0.10-9.el5
qpid-cpp-client-devel-0.10-9.el5
cyrus-sasl-gssapi-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3
qpid-qmf-0.10-11.el5
ruby-qpid-qmf-0.10-11.el5
qpid-tools-0.10-6.el5
cyrus-sasl-md5-2.1.22-5.el5_4.3
saslwrapper-0.10-4.el5
qpid-cpp-client-0.10-9.el5
qpid-qmf-debuginfo-0.10-11.el5
qpid-qmf-devel-0.10-11.el5
python-qpid-qmf-0.10-11.el5
condor-qmf-7.6.5-0.11.el5
python-saslwrapper-0.10-4.el5

Comment 12 Will Benton 2012-01-11 15:51:34 UTC
Thanks for finding this, Martin.  It's fixed in wallaby-0.12.5-1.

Comment 14 Martin Kudlej 2012-01-18 15:26:07 UTC
Tested with PLAIN, ANONYMOUS, DIGEST-MD5 and it works for qpid-0.10 on RHEL 5.7 and qpid-0.12 on RHEL 6.2 and qpid-0.14 on RHEL 5.7/RHEL 6.2.

Tested with CRAM-MD5 and it doesn't work for qpid-0.10 on RHEL 5.7 and qpid-0.12 on RHEL 6.2. It works for qpid-0.14 on RHEL 5.7/RHEL 6.2. --> release notes?

Comment 18 Martin Kudlej 2012-01-19 14:09:44 UTC
Tested with qpid-0.10 on RHEL 5.7 and qpid-0.12 on RHEL 6.2 and qpid-0.14 on RHEL 5.7/RHEL 6.2 and wallaby as a daemon ends with an error because it cannot connect to the broker.

$ tail /var/log/messages
/usr/bin/wallaby-agent[12003]: storing configuration to /var/lib/wallaby/config.db
/usr/bin/wallaby-agent[12003]: storing snapshots to /var/lib/wallaby/snap.db
/usr/bin/wallaby-agent[12003]: agent exiting with exception #<ArgumentError: Value for attribute 'password' has unsupported type: NilClass>
/usr/bin/wallaby-agent[12216]: storing configuration to /var/lib/wallaby/config.db
/usr/bin/wallaby-agent[12216]: storing snapshots to /var/lib/wallaby/snap.db
/usr/bin/wallaby-agent[12216]: agent exiting with exception #<ArgumentError: Value for attribute 'password' has unsupported type: NilClass>

$ cat /etc/sysconfig/wallaby-agent
export WALLABY_CONFIGDB_NAME=/var/lib/wallaby/config.db
export WALLABY_SNAPDB_NAME=/var/lib/wallaby/snap.db
export WALLABY_BROKER_HOST=_hostname_
export WALLABY_BROKER_PORT=5672
export WALLABY_BROKER_MECHANISM=GSSAPI
export WALLABY_BROKER_USER=guest
export WALLABY_LOGFILE=/var/log/wallaby/agent.log
export WALLABY_LOGLEVEL=DEBUG

I've got a ticket:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: guest

Valid starting     Expires            Service principal
01/19/12 11:49:34  01/20/12 11:49:34  krbtgt/EXAMPLE.COM
01/19/12 11:49:41  01/20/12 11:49:34  qpidd/_hostname_

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

and also the wallaby shell command can connect, just the wallaby daemon isn't online:
$ wallaby  -H `hostname` -M GSSAPI -U guest  list-groups
...
Console Connection Established...
fatal:  cannot find a wallaby agent on the specified broker (_hostname_:5672); is one running?
use -h for help

and standard qpid clients work well.

$ qpid-stat  --sasl-mechanism=GSSAPI -b guest@`hostname`:5672 -c
Connections
  client-addr                           cproc      cpid   auth               connected  idle  msgIn  msgOut
  ===========================================================================================================
  10.34.33.251:5672-10.34.33.251:33747  qpid-stat  12345  guest  0s         0s     210    265


--> ASSIGNED

Comment 21 Martin Kudlej 2012-01-19 15:07:38 UTC
I've opened new bug 783164 so I verify this one.

Comment 22 errata-xmlrpc 2012-02-06 18:18:08 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0100.html

