Bug 846465 - sasl mech list overhaul
Summary: sasl mech list overhaul
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 2.2
Hardware: Unspecified
OS: Unspecified
medium
high
Target Milestone: 2.3
Assignee: mick
QA Contact: Frantisek Reznicek
URL:
Whiteboard:
Duplicates: 716523 815482
Depends On: 877469
Blocks:
Reported: 2012-08-07 20:56 UTC by mick
Modified: 2015-11-16 01:14 UTC (History)

Fixed In Version: qpid-cpp-0.18-13
Doc Type: Enhancement
Doc Text:
Feature: expand default list of sasl mechs in /etc/sasl2/qpidd.conf, and write explanatory comments and release note.
Reason: Previously, we decided to remove the GSSAPI mech from the default list, because its presence would cause many installations to fail by default if "--auth yes" was used on the broker command line. But I also removed a lot of mechanisms that did not need to be removed.
Result (if any): release note {
The mechanism list in the file /etc/sasl2/qpidd.conf has been changed to "ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN". Please note that GSSAPI is no longer included in this list. If you would like to enable GSSAPI:
1. Change the mech_list line in /etc/sasl2/qpidd.conf to
   mech_list: GSSAPI
2. In the file /etc/qpidd.conf, add these lines:
   auth=yes
   realm=QPID
3. Follow instructions in Qpid documentation to install and enable GSSAPI service.
}
Clone Of:
Environment:
Last Closed: 2013-03-06 18:51:34 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Apache JIRA QPID-4244 0 None None None Never
Red Hat Bugzilla 675713 0 medium CLOSED qpid broker-client authentication mechanism auto-selection is unpredictable (when mechanism is not selected manually) 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHSA-2013:0561 0 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Messaging 2.3 security update 2013-03-06 23:48:13 UTC

Internal Links: 675713
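The Doc Text field above gives three conditions for a working GSSAPI setup (GSSAPI in mech_list, auth=yes, and a realm in /etc/qpidd.conf), and the QA comments below verify the shipped mech_list with grep. The script below is an added example, not code from the bug report or from qpid-cpp: it parses both files, reports which mechanisms the broker will offer, and checks all three GSSAPI conditions together. The file paths are parameters and the sample config files are constructed here; on a real host they would be /etc/sasl2/qpidd.conf and /etc/qpidd.conf.

```shell
#!/bin/sh
# Added example (not from the bug report or qpid-cpp): audit the SASL
# mechanisms a qpidd broker is configured to offer and whether the three
# release-note conditions for GSSAPI are all met.

# Print the value of the (last) mech_list line in a sasl2 config file.
# Lines starting with '#' never match the pattern, so comments are ignored.
sasl_mech_list() {
    sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if mechanism $2 appears in the mech_list of file $1, as a whole
# word; names are compared upper-cased so "plain" and "PLAIN" both match.
sasl_has_mech() {
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    for m in $(sasl_mech_list "$1"); do
        if [ "$(printf '%s' "$m" | tr '[:lower:]' '[:upper:]')" = "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Print the value of key $2 from a key=value broker config file $1
# (/etc/qpidd.conf format); prints nothing if the key is not set.
qpidd_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# GSSAPI is usable only when mech_list names it AND the broker has auth=yes
# AND a realm is set (the release note uses realm=QPID). A missing piece is
# exactly the failure mode the release-note steps are meant to prevent.
gssapi_enabled() {
    sasl_has_mech "$1" GSSAPI || return 1
    [ "$(qpidd_option "$2" auth)" = "yes" ] || return 1
    [ -n "$(qpidd_option "$2" realm)" ] || return 1
    return 0
}

# --- constructed sample files (not the shipped defaults) ---
TMP=${TMPDIR:-/tmp}/qpidd-sasl-audit.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/sasl-default.conf" <<'EOF'
# constructed sample modelled on the post-fix default /etc/sasl2/qpidd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
EOF

cat > "$TMP/sasl-gssapi.conf" <<'EOF'
# constructed sample after release-note step 1
mech_list: GSSAPI
EOF

cat > "$TMP/qpidd-noauth.conf" <<'EOF'
# constructed sample: broker without release-note step 2
auth=no
EOF

cat > "$TMP/qpidd-auth.conf" <<'EOF'
# constructed sample: broker after release-note step 2
auth=yes
realm=QPID
EOF

# Human-readable audit of one (sasl2 conf, broker conf) pair.
audit() {
    printf '%s: mech_list = %s\n' "$1" "$(sasl_mech_list "$1")"
    if sasl_has_mech "$1" ANONYMOUS; then
        echo '  note: ANONYMOUS is offered, so clients may connect without credentials'
    fi
    if gssapi_enabled "$1" "$2"; then
        echo '  GSSAPI: enabled (mech_list, auth=yes and realm all present)'
    else
        echo '  GSSAPI: not enabled'
    fi
}

audit "$TMP/sasl-default.conf" "$TMP/qpidd-noauth.conf"
audit "$TMP/sasl-gssapi.conf"  "$TMP/qpidd-auth.conf"
```

Run it as-is to see the two sample audits; to check a live broker, call `audit /etc/sasl2/qpidd.conf /etc/qpidd.conf` instead of the sample pairs. Options passed on the qpidd command line (such as the "--auth yes" the Doc Text mentions) are not visible to this file-based check.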

Description mick 2012-08-07 20:56:41 UTC
1. change default sasl mech list to ANONYMOUS, DIGEST-MD5, EXTERNAL, PLAIN

2. do not allow updates to destabilize existing systems.

3. add comment in config file describing how to enable GSSAPI &
   DIGEST-MD5.

4. publish release note describing changes, including that GSSAPI is not
   enabled by default, & how to enable.

5. review documentation & write changes where necessary / useful.

6. review log messages in this area to see if they can be made more
   informative upon auth failure.

Comment 4 mick 2012-08-24 15:15:30 UTC
This is Jira QPID-4244.

Comment 5 Leonid Zhaldybin 2012-08-24 15:19:16 UTC
(In reply to comment #4)
> This is Jira QPID-4244.

I believe the link is broken. This is the correct one: https://issues.apache.org/jira/browse/QPID-4244

Comment 6 mick 2012-08-24 15:40:22 UTC
Committed revision 1376958.

This ended up being a very small change -- no improvement in log messages.
No need to change spec file that generates packages.
Just expanding the list in /etc/sasl2/qpidd.conf, and improving the comments a little.

Comment 9 Frantisek Reznicek 2012-11-16 15:53:18 UTC
Sorry to say, but bug 846465 is much more than QPID-4244 due to comment 0.

See detailed QA feedback inlined...

(In reply to comment #0)
>   1. change default sasl mech list to ANONYMOUS, DIGEST-MD5, EXTERNAL, PLAIN
> 

change[s] done and ok

>   2. do not allow updates to destabilize existing systems.
> 

testing is ongoing, so far so good

>   3. add comment in config file describing how to enable GSSAPI &
>        DIGEST-MD5.
> 

change was NOT done as further commands clarify:
[root@dhcp-x ~]# grep -i gssa /etc/sasl2/qpidd.conf
[root@dhcp-x ~]# grep -i krb /etc/sasl2/qpidd.conf
[root@dhcp-x ~]# rpm -qf /etc/sasl2/qpidd.conf
qpid-cpp-server-0.18-9.el5

>   4. publish release note describing changes, including that GSSAPI is not
>        enabled by default, & how to enable.
> 

release note requested, but defect is not yet carrying it (in ON_QA state which is wrong)

>   5. review documentation & write changes where necessary / useful.
> 

not done, lacking info in 
  Messaging_Installation_and_Configuration_Guide -> Simple Authentication and Security Layer - SASL -> Configure Kerberos 5
  and possibly also in
  Messaging_Installation_and_Configuration_Guide -> Simple Authentication and Security Layer - SASL -> Configure SASL using a Local Password File
  In above chapters it is needed to discuss effect[s] of /etc/sasl2/qpidd.conf file modifications (to narrow / enable different SASL mechanisms).

tracked now as bug 877469

>   6. review log messages in this area to see if they can be made more
>        informative upon auth failure.

skipped, not part of this defect anymore


-> ASSIGNED (3., 4., 5.)

Comment 10 mick 2012-11-28 10:15:40 UTC
The to-do list in comment #1 was not meant to be normative -- it only reflected my (imperfect) understanding of the task when I started.

The much more limited change that I actually made is what I believe was desired by management by the end of this small effort.  ( Please confirm with jross. )

How should I best handle this?  If it would be better, I could close this bug as "will not fix" and open a new one with corrected requirements.

Comment 11 Frantisek Reznicek 2012-11-28 15:15:40 UTC
(In reply to comment #10)
> The to-do list in comment #1 was not meant to be normative -- it only
> reflected my (imperfect) understanding of the task when I started.
> 
> The much more limited change that I actually made is what I believe was
> desired by management by the end of this small effort.  ( Please confirm
> with jross. )
> 
> How should I best handle this?  If it would be better, I could close this
> bug as "will not fix" and open a new one with corrected requirements.

Hello Mick.
Thanks for your comment!

I already stripped out point 6] based on your later comments.
I'm fine to track 5] separately (even w/o bz dependency link).
The remaining points (3] and 4]) should be done in my view which means:
  point 3] - additional chapter needs to be added to sasl qpidd.conf
  point 4] - release note text needs to be created

Could you try to summarize what the current content of the defect is, please?
Based on your list I'll be able to finish this defect.

Comment 12 Justin Ross 2012-11-29 15:26:31 UTC
(In reply to comment #11)
> I already stripped out point 6] based on your later comments.
> I'm fine to track 5] separately (even w/o bz dependency link).
> The remaining points (3] and 4]) should be done in my view which means:
>   point 3] - additional chapter needs to be added to sasl qpidd.conf
>   point 4] - release note text needs to be created

I agree that 3 and 4 should be handled in the context of this bz.

Comment 13 mick 2012-12-04 20:06:32 UTC
I pushed this branch:
  0.18-mrg-mick-846465
at about 0900 on 4 Dec,

with two small changes (comments only) to the config files /etc/qpidd.conf and /etc/sasl2/qpidd.conf

Comment 15 Justin Ross 2012-12-07 18:23:34 UTC
*** Bug 716523 has been marked as a duplicate of this bug. ***

Comment 16 Justin Ross 2012-12-10 20:56:37 UTC
*** Bug 815482 has been marked as a duplicate of this bug. ***

Comment 17 Frantisek Reznicek 2013-01-25 14:34:15 UTC
The default list of SASL mechanisms changed, and /etc/sasl2/qpidd.conf has been correctly updated.

Details:

>   1. change default sasl mech list to ANONYMOUS, DIGEST-MD5, EXTERNAL, PLAIN
> 

change[s] done and ok

>   2. do not allow updates to destabilize existing systems.
> 

Testing found no destabilization.

>   3. add comment in config file describing how to enable GSSAPI &
>        DIGEST-MD5.
> 

comments in /etc/qpidd.conf and /etc/sasl2/qpidd.conf are ok.

>   4. publish release note describing changes, including that GSSAPI is not
>        enabled by default, & how to enable.
> 

release note ok.

>   5. review documentation & write changes where necessary / useful.
> 

tracked now as bug 877469

>   6. review log messages in this area to see if they can be made more
>        informative upon auth failure.

skipped, not part of this defect anymore


Tested on RHEL5.9 / 6.4b i[36]86 / x86_64 on packages:
  [root@dhcp-27-156 bz805881]# rpm -qa | grep qpid | sort
  python-qpid-0.18-4.el5
  python-qpid-qmf-0.18-13.el5
  qpid-cpp-client-0.18-13.el5
  qpid-cpp-client-devel-0.18-13.el5
  qpid-cpp-client-devel-docs-0.18-13.el5
  qpid-cpp-client-rdma-0.18-13.el5
  qpid-cpp-client-ssl-0.18-13.el5
  qpid-cpp-mrg-debuginfo-0.18-13.el5
  qpid-cpp-server-0.18-13.el5
  qpid-cpp-server-cluster-0.18-13.el5
  qpid-cpp-server-devel-0.18-13.el5
  qpid-cpp-server-rdma-0.18-13.el5
  qpid-cpp-server-ssl-0.18-13.el5
  qpid-cpp-server-store-0.18-13.el5
  qpid-cpp-server-xml-0.18-13.el5
  qpid-java-client-0.18-6.el5
  qpid-java-common-0.18-6.el5
  qpid-java-example-0.18-6.el5
  qpid-jca-0.18-6.el5
  qpid-jca-xarecovery-0.18-6.el5
  qpid-jca-zip-0.18-6.el5
  qpid-qmf-0.18-13.el5
  qpid-qmf-debuginfo-0.18-13.el5
  qpid-qmf-devel-0.18-13.el5
  qpid-tests-0.18-2.el5
  qpid-tools-0.18-7.el5
  rh-qpid-cpp-tests-0.18-13.el5
  ruby-qpid-qmf-0.18-13.el5


This defect is considered as verified.
Available documentation (bug 877469) is the last condition which blocks state change.

Comment 18 Frantisek Reznicek 2013-02-18 08:57:57 UTC
Documentation (bug 877469) available and ok.

-> VERIFIED

Comment 20 errata-xmlrpc 2013-03-06 18:51:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0561.html

