Bug 908749

Summary: C++ qpid client unable to authenticate DIGEST-MD5 mechanism when broker in auth=no mode
Product: Red Hat Enterprise MRG
Reporter: Frantisek Reznicek <freznice>
Component: Messaging_Installation_and_Configuration_Guide
Assignee: Jared MORGAN <jmorgan>
Status: CLOSED CURRENTRELEASE
QA Contact: Eric Sammons <esammons>
Severity: unspecified
Priority: unspecified
Version: 2.2
CC: esammons, gsim, jross, mmurray
Target Milestone: 3.0
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-01-22 15:28:36 UTC
Type: Bug

Description Frantisek Reznicek 2013-02-07 12:32:16 UTC
Description of problem:

C++ qpid client unable to authenticate DIGEST-MD5 mechanism when broker in auth=no mode. See additional info cases.

Cases ABCD6 and ABCD9 are tracked separately as bug 902319.


Looking more closely at cases AB10]

qpid-send --connection-options "{ sasl_mechanisms:DIGEST-MD5, username:guest, password: guest }" -a myq...

Exactly the same command in auth=yes passes, so I do not see any reason why it should not work in qpidd's auth=no mode.
I believe AB10] cases should pass.


Moreover looking more closely at cases AB11]

qpid-send --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:unknown-X, password: unknown-X }" -a myq...

Similar command with invalid user/pass works ok with PLAIN mechanism as qpidd does not check whether the credentials are ok.
I believe AB11] cases should pass.

There might be some specific DIGEST-MD5 requirements, not in place for PLAIN, that I'm not aware of. qpid-tools behave in a similar way.


Version-Release number of selected component (if applicable):
qpid-0.10, qpid-0.14, qpid-0.18

How reproducible:
100%

Steps to Reproduce:
0. set auth=no in /etc/qpidd.conf
1. auth_test
  
Actual results:
C++ qpid client unable to authenticate DIGEST-MD5 mechanism when broker in auth=no mode.

Expected results:
C++ qpid client should be able to authenticate DIGEST-MD5 mechanism when broker in auth=no mode, similarly to how it works for PLAIN.

Additional info:

function auth_test ()
{
  service qpidd restart
  grep ^mech_list /etc/sasl2/qpidd.conf
  grep ^auth /etc/qpidd.conf

  CPPS=$(rpm -ql rh-qpid-cpp-tests| grep qpid-send)
  PYS=$(rpm -ql python-qpid | grep spout)

  TC=0

  for i_mech in "" ANONYMOUS PLAIN DIGEST-MD5; do
    for i_userpass in "" guest unknown-X; do
      # c++
      local coptions=" "
      [ -n "${i_mech}" ] && coptions="${coptions} sasl_mechanisms:${i_mech},"
      [ -n "${i_userpass}" ] && coptions="${coptions} username:${i_userpass}, password: ${i_userpass}"
      # Strip one trailing comma; a quoted =~ pattern is matched literally on bash >= 3.2.
      coptions=${coptions%,}
      echo "case ${TC} ${CPPS} --content-string A --connection-options \"{ ${coptions} }\" -a myq..."
      ${CPPS} --content-string "A" --connection-options "{ ${coptions} }" -a "myq;{create: sender, delete:sender}"
      echo $?
      # python
      
      # java
      let 'TC++'
    done
  done

}

# case-group A [qpidd: auth=no, sasl:mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN]
[root@amd-x-y qmf-agent]# auth_test
Stopping Qpid AMQP daemon: [  OK  ]
Starting Qpid AMQP daemon: 2013-02-07 06:50:43 [Broker] debug Forked daemon child process
[  OK  ]
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
auth=no
case 0 qpid-send --content-string A --connection-options "{   }" -a myq...
0
case 1 qpid-send --content-string A --connection-options "{   username:guest, password: guest }" -a myq...
0
case 2 qpid-send --content-string A --connection-options "{   username:unknown-X, password: unknown-X }" -a myq...
0
case 3 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS }" -a myq...
0
case 4 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:guest, password: guest }" -a myq...
0
case 5 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:unknown-X, password: unknown-X }" -a myq...
0
case 6 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN }" -a myq...
2013-02-07 06:50:44 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
case 7 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:guest, password: guest }" -a myq...
0
case 8 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:unknown-X, password: unknown-X }" -a myq...
0
case 9 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5 }" -a myq...
2013-02-07 06:50:44 [Client] warning Closing connection due to Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
qpid-send: Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
1
case 10 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:guest, password: guest }" -a myq...
2013-02-07 06:50:44 [Client] warning Closing connection due to Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
qpid-send: Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
1
case 11 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:unknown-X, password: unknown-X }" -a myq...
2013-02-07 06:50:44 [Client] warning Closing connection due to Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
qpid-send: Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
1


# case-group B [qpidd: auth=no, sasl:<no-mech_list>]
[root@amd-x-y qmf-agent]# auth_test
Stopping Qpid AMQP daemon: [  OK  ]
Starting Qpid AMQP daemon: 2013-02-07 06:51:58 [Broker] debug Forked daemon child process
[  OK  ]
auth=no
case 0 qpid-send --content-string A --connection-options "{   }" -a myq...
0
case 1 qpid-send --content-string A --connection-options "{   username:guest, password: guest }" -a myq...
0
case 2 qpid-send --content-string A --connection-options "{   username:unknown-X, password: unknown-X }" -a myq...
0
case 3 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS }" -a myq...
0
case 4 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:guest, password: guest }" -a myq...
0
case 5 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:unknown-X, password: unknown-X }" -a myq...
0
case 6 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN }" -a myq...
2013-02-07 06:51:59 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
case 7 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:guest, password: guest }" -a myq...
0
case 8 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:unknown-X, password: unknown-X }" -a myq...
0
case 9 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5 }" -a myq...
2013-02-07 06:51:59 [Client] warning Closing connection due to Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
qpid-send: Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
1
case 10 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:guest, password: guest }" -a myq...
2013-02-07 06:51:59 [Client] warning Closing connection due to Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
qpid-send: Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
1
case 11 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:unknown-X, password: unknown-X }" -a myq...
2013-02-07 06:51:59 [Client] warning Closing connection due to Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
qpid-send: Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
1






# case-group C [qpidd: auth=yes, sasl:mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN]
[root@amd-x-y qmf-agent]# auth_test
Stopping Qpid AMQP daemon: [  OK  ]
Starting Qpid AMQP daemon: 2013-02-07 06:51:03 [Broker] debug Forked daemon child process
[  OK  ]
mech_list: ANONYMOUS DIGEST-MD5 EXTERNAL PLAIN
auth=yes
case 0 qpid-send --content-string A --connection-options "{   }" -a myq...
0
case 1 qpid-send --content-string A --connection-options "{   username:guest, password: guest }" -a myq...
0
case 2 qpid-send --content-string A --connection-options "{   username:unknown-X, password: unknown-X }" -a myq...
2013-02-07 06:51:04 [Client] warning Broker closed connection: 320, connection-forced: Authentication failed
qpid-send: connection-forced: Authentication failed
1
case 3 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS }" -a myq...
0
case 4 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:guest, password: guest }" -a myq...
0
case 5 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:unknown-X, password: unknown-X }" -a myq...
0
case 6 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN }" -a myq...
2013-02-07 06:51:04 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
case 7 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:guest, password: guest }" -a myq...
0
case 8 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:unknown-X, password: unknown-X }" -a myq...
2013-02-07 06:51:04 [Client] warning Broker closed connection: 320, connection-forced: Authentication failed
qpid-send: connection-forced: Authentication failed
1
case 9 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5 }" -a myq...
2013-02-07 06:51:04 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
case 10 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:guest, password: guest }" -a myq...
0
case 11 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:unknown-X, password: unknown-X }" -a myq...
2013-02-07 06:51:04 [Client] warning Broker closed connection: 320, connection-forced: Authentication failed
qpid-send: connection-forced: Authentication failed
1


# case-group D [qpidd: auth=yes, sasl:<no-mech_list>]
[root@amd-x-y qmf-agent]# auth_test
Stopping Qpid AMQP daemon: [  OK  ]
Starting Qpid AMQP daemon: 2013-02-07 06:51:35 [Broker] debug Forked daemon child process
[  OK  ]
auth=yes
case 0 qpid-send --content-string A --connection-options "{   }" -a myq...
0
case 1 qpid-send --content-string A --connection-options "{   username:guest, password: guest }" -a myq...
0
case 2 qpid-send --content-string A --connection-options "{   username:unknown-X, password: unknown-X }" -a myq...
2013-02-07 06:51:36 [Client] warning Broker closed connection: 320, connection-forced: Authentication failed
qpid-send: connection-forced: Authentication failed
1
case 3 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS }" -a myq...
0
case 4 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:guest, password: guest }" -a myq...
0
case 5 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:unknown-X, password: unknown-X }" -a myq...
0
case 6 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN }" -a myq...
2013-02-07 06:51:36 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
case 7 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:guest, password: guest }" -a myq...
0
case 8 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:unknown-X, password: unknown-X }" -a myq...
qpid-send: 2013-02-07 06:51:36 [Client] warning Broker closed connection: 320, connection-forced: Authentication failed
connection-forced: Authentication failed
1
case 9 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5 }" -a myq...
2013-02-07 06:51:36 [Client] warning Closing connection due to internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
qpid-send: internal-error: Sasl error: SASL(-4): no mechanism available: No worthy mechs found (qpid/SaslFactory.cpp:280)
1
case 10 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:guest, password: guest }" -a myq...
0
case 11 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:unknown-X, password: unknown-X }" -a myq...
2013-02-07 06:51:37 [Client] warning Broker closed connection: 320, connection-forced: Authentication failed
qpid-send: connection-forced: Authentication failed
1

Comment 1 Gordon Sim 2013-02-07 13:31:22 UTC
The auth=no mode only supports two mechanisms: PLAIN and ANONYMOUS. The point of auth=no is that no authentication is actually performed. (PLAIN is supported simply to allow a username to be specified, e.g. for the purposes of testing permissions, but no attempt is made to actually verify that.)

In my view this is not a bug (unless of course I have misunderstood!).

Comment 2 Justin Ross 2013-02-07 14:41:12 UTC
I also think this is not a bug.  Proceeding on that assumption for now.

Comment 3 Frantisek Reznicek 2013-02-08 14:24:18 UTC
Fair enough, thank you for your update.

I'm reopening for documentation.
I'd like to add comment 1 information to the 'Security' chapters of both Messaging_Installation_and_Configuration_Guide and Messaging_Programming_Reference.

The message we should pass to users is that in auth=yes we support all we document atm, but for broker's auth=no mode we support only PLAIN and ANONYMOUS authentication mechanisms.

Comment 4 Gordon Sim 2013-02-08 15:21:33 UTC
The most important message is that auth=no *turns off* all authentication. Though PLAIN is then advertised as a SASL mechanism, it offers no authentication in that mode.
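
The point in comment 4 can be checked mechanically against an auth_test transcript. The script below is an added example, not part of the original bug report: it scans output in the format shown in the description for cases where the made-up unknown-X credentials were accepted by a mechanism other than ANONYMOUS. The function names and the abridged sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): find auth_test cases in which
# made-up credentials were accepted by a mechanism that should check them.

# Print the case numbers where username:unknown-X was sent, ANONYMOUS was not
# requested, and the client still exited 0. Reads a transcript on stdin.
accepted_unknown() {
  awk '
    /^case [0-9]+ / {                    # command line echoed by auth_test
      n = $2
      bogus = index($0, "username:unknown-X") && !index($0, "sasl_mechanisms:ANONYMOUS")
      next
    }
    /^[0-9]+$/ {                         # bare exit status line
      if (n != "" && bogus && $0 == 0) { out = out sep n; sep = " " }
      n = ""
    }
    END { print out }
  '
}

# Succeeds only if every bogus credential in the transcript was rejected.
broker_verifies_credentials() {
  [ -z "$(accepted_unknown)" ]
}

# Constructed samples, abridged from case-group A (auth=no) and C (auth=yes).
SAMPLE_AUTH_NO='case 2 qpid-send --content-string A --connection-options "{   username:unknown-X, password: unknown-X }" -a myq...
0
case 5 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:unknown-X, password: unknown-X }" -a myq...
0
case 8 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:unknown-X, password: unknown-X }" -a myq...
0
case 11 qpid-send --content-string A --connection-options "{   sasl_mechanisms:DIGEST-MD5, username:unknown-X, password: unknown-X }" -a myq...
qpid-send: Desired mechanism(s) not valid: DIGEST-MD5 (supported: ANONYMOUS PLAIN) (qpid/client/ConnectionHandler.cpp:258)
1'
SAMPLE_AUTH_YES='case 2 qpid-send --content-string A --connection-options "{   username:unknown-X, password: unknown-X }" -a myq...
qpid-send: connection-forced: Authentication failed
1
case 5 qpid-send --content-string A --connection-options "{   sasl_mechanisms:ANONYMOUS, username:unknown-X, password: unknown-X }" -a myq...
0
case 8 qpid-send --content-string A --connection-options "{   sasl_mechanisms:PLAIN, username:unknown-X, password: unknown-X }" -a myq...
qpid-send: connection-forced: Authentication failed
1'

printf 'auth=no, bogus credentials accepted in cases: %s\n' \
  "$(printf '%s\n' "$SAMPLE_AUTH_NO" | accepted_unknown)"
```

Case 5 is deliberately excluded in both modes, since ANONYMOUS never checks the supplied credentials.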

Comment 6 Leonid Zhaldybin 2013-04-23 08:35:49 UTC
The documentation change is informative enough.

-> VERIFIED