Bug 975430 - SASL layer doesn't work for AMQP 1.0, broker initiated connections
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Development
Unspecified Unspecified
high Severity medium
: 3.0
Assigned To: Gordon Sim
mick
Blocks: 974061 1010399
Reported: 2013-06-18 09:03 EDT by Gordon Sim
Modified: 2015-01-21 07:56 EST
Fixed In Version: qpid-cpp-0.22-5.el6, qpid-cpp-0.22-5.el5
Doc Type: Bug Fix
Last Closed: 2015-01-21 07:56:57 EST
Type: Bug
External Trackers: Apache JIRA QPID-4878 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Gordon Sim 2013-06-18 09:03:30 EDT
Description of problem:

When requesting the broker to establish a link to some external process using AMQP 1.0, if a SASL layer is used the connection handshake does not complete.

Version-Release number of selected component (if applicable):

qpid 0.22

How reproducible:

100%

Steps to Reproduce:
1. start 2 brokers, A and B, with 1.0 enabled
2. qpidt create domain BrokerB url=<brokerA> sasl_mechanisms=PLAIN username=blah password=blah
3. qpid-receive -b <brokerB> --address 'q; {create: always}' -f
4. qpid-send --connection-options {protocol:amqp1.0} --address q@BrokerB --send-eos 1
 

Actual results:

qpid-receive in step 3 never receives the message (if instead you use sasl_mechanisms=NONE in step 2 to disable SASL then it will - assuming broker b has auth=no)

Expected results:

receiver gets message and then exits

Additional info:
Comment 1 Gordon Sim 2013-06-18 10:07:50 EDT
See https://svn.apache.org/repos/asf/qpid/trunk/qpid/cpp/src/tests/qpidt for qpidt utility.
Comment 2 mick 2013-09-03 15:08:19 EDT
To reproduce:

I started the brokers this way:
------------------------------------------------------------




#! /bin/bash


QPIDD=qpidd

echo $QPIDD

rm -rf /tmp/mick
mkdir /tmp/mick

PORT=5801

$QPIDD                                           \
  -p ${PORT}                                     \
  --data-dir /tmp/mick/data_${PORT}              \
  --auth=yes                                     \
  --mgmt-enable=yes                              \
  --log-enable info+                             \
  --log-to-file /tmp/mick/qpidd_${PORT}.log      \
  --log-source yes                               \
  --sasl-config=/home/mick/trunk/qpid/cpp/build/src/tests/sasl_config \
  -d


echo "started broker $PORT "



PORT=5802

$QPIDD                                           \
  -p ${PORT}                                     \
  --data-dir /tmp/mick/data_${PORT}              \
  --auth=yes                                     \
  --mgmt-enable=yes                              \
  --log-enable info+                             \
  --log-to-file /tmp/mick/qpidd_${PORT}.log      \
  --log-source yes                               \
  --sasl-config=/home/mick/trunk/qpid/cpp/build/src/tests/sasl_config \
  -d


echo "started broker $PORT "



The sasl_config dir was created this way:
------------------------------------------------------------------

SASL_PW=/usr/sbin/saslpasswd2
test -x $SASL_PW || { echo Skipping SASL test, saslpasswd2 not found; exit 0; }

mkdir -p sasl_config

# Create configuration file.
cat > sasl_config/qpidd.conf <<EOF
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: $PWD/sasl_config/qpidd.sasldb
sql_select: dummy select
mech_list: ANONYMOUS PLAIN DIGEST-MD5 EXTERNAL CRAM-MD5
EOF

# Populate temporary sasl db.
SASLTEST_DB=./sasl_config/qpidd.sasldb
rm -f $SASLTEST_DB
echo guest | $SASL_PW -c -p -f $SASLTEST_DB -u QPID guest
echo zig | $SASL_PW -c -p -f $SASLTEST_DB -u QPID zig
echo zag | $SASL_PW -c -p -f $SASLTEST_DB -u QPID zag



And here are the repro commands
-----------------------------------------------
    qpidt --broker localhost:5801  create domain BrokerB url=localhost:5802 sasl_mechanisms=PLAIN username=guest password=guest

    qpid-receive -b localhost:5802 --address 'q; {create: always}' -f

    qpid-send --broker localhost:5801  --connection-options {protocol:amqp1.0} --address q@BrokerB --send-eos 1




successful repro of bug-FIXED behavior using these packages
{
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
python-qpid-0.22-4.el6.noarch
python-qpid-qmf-0.22-9.el6.x86_64
python-saslwrapper-0.22-3.el6.x86_64
qpid-cpp-client-0.22-11.el6.x86_64
qpid-cpp-client-devel-0.22-11.el6.x86_64
qpid-cpp-client-devel-docs-0.22-11.el6.noarch
qpid-cpp-client-rdma-0.22-11.el6.x86_64
qpid-cpp-client-ssl-0.22-11.el6.x86_64
qpid-cpp-debuginfo-0.22-11.el6.x86_64
qpid-cpp-server-0.22-11.el6.x86_64
qpid-cpp-server-devel-0.22-11.el6.x86_64
qpid-cpp-server-ha-0.22-11.el6.x86_64
qpid-cpp-server-rdma-0.22-11.el6.x86_64
qpid-cpp-server-ssl-0.22-11.el6.x86_64
qpid-cpp-server-store-0.22-11.el6.x86_64
qpid-cpp-server-xml-0.22-11.el6.x86_64
qpid-cpp-tar-0.22-11.el6.noarch
qpid-java-client-0.22-5.el6.noarch
qpid-java-common-0.22-5.el6.noarch
qpid-java-example-0.22-5.el6.noarch
qpid-proton-c-0.4-2.2.el6.x86_64
qpid-proton-c-devel-0.4-2.2.el6.x86_64
qpid-proton-debuginfo-0.4-2.2.el6.x86_64
qpid-qmf-0.22-9.el6.x86_64
qpid-qmf-debuginfo-0.22-9.el6.x86_64
qpid-qmf-devel-0.22-9.el6.x86_64
qpid-snmpd-1.0.0-12.el6.x86_64
qpid-snmpd-debuginfo-1.0.0-12.el6.x86_64
qpid-tests-0.22-4.el6.noarch
qpid-tools-0.22-3.el6.noarch
saslwrapper-0.22-3.el6.x86_64
saslwrapper-devel-0.22-3.el6.x86_64
}
Comment 3 mick 2013-09-04 11:09:18 EDT
Since it's a skip-errata bug, I am content with only showing that the problem no longer exists in latest packages.

---> verified !
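
One way to see where a handshake like the one in this report stops is to walk the bytes the connecting side received and name each AMQP 1.0 protocol header and SASL frame. The following is an added example, not code from this bug report or from qpid; the function names and the sample bytes are constructed for illustration, and it assumes the AMQP 1.0 frame layout with smallulong frame descriptors.

```python
import struct
# Protocol-id byte of the header "AMQP" <id> 1 0 0, and SASL frame descriptors.
HEADERS = {0: "amqp-header", 2: "tls-header", 3: "sasl-header"}
SASL = {0x40: "sasl-mechanisms", 0x41: "sasl-init", 0x42: "sasl-challenge",
        0x43: "sasl-response", 0x44: "sasl-outcome"}

def sasl_stage(body):
    """Name a SASL frame body (smallulong descriptors only, an assumption)."""
    if len(body) < 3 or body[:2] != b"\x00\x53":
        return "unknown-sasl-frame"
    name = SASL.get(body[2], "unknown-sasl-frame")
    skip = {0xC0: 2, 0xD0: 8}.get(body[3]) if len(body) > 3 else None  # list8/32
    field = body[4 + skip:6 + skip] if skip else b""
    if name == "sasl-outcome" and len(field) == 2 and field[0] == 0x50:
        name += ":%d" % field[1]           # first field: ubyte result code
    return name

def handshake_stages(stream):
    """List protocol headers and frames seen in ONE direction of a connection."""
    stages, pos = [], 0
    while pos + 8 <= len(stream):
        size, doff, ftype = struct.unpack(">IBB", stream[pos:pos + 6])
        if stream[pos:pos + 4] == b"AMQP":          # 8-byte protocol header
            size, stage = 8, HEADERS.get(stream[pos + 4], "unknown-header")
        elif size < 8 or doff < 2 or pos + size > len(stream):
            return stages + ["bad-or-truncated-frame"]
        else:
            body = stream[pos + 4 * doff:pos + size]
            stage = sasl_stage(body) if ftype == 1 else "amqp-frame"
        stages.append(stage)
        pos += size
    return stages

def diagnose(stream):
    """Say where the handshake stopped, from bytes the connecting side received."""
    stages = handshake_stages(stream)
    outcome = next((s for s in stages if s.startswith("sasl-outcome")), None)
    if outcome is None:
        return "stalled before sasl-outcome"
    if outcome != "sasl-outcome:0":
        return "sasl-outcome did not report ok"
    if "amqp-header" not in stages[stages.index(outcome):]:
        return "SASL ok, but no AMQP header followed"
    return "handshake complete"

# Constructed bytes (not a capture): SASL header, sasl-mechanisms, sasl-outcome.
STALLED = (b"AMQP\x03\x01\x00\x00"
           b"\x00\x00\x00\x15\x02\x01\x00\x00\x00\x53\x40\xc0\x08\x01\xa3\x05PLAIN"
           b"\x00\x00\x00\x10\x02\x01\x00\x00\x00\x53\x44\xc0\x03\x01\x50\x00")
```

Only the direction that carries sasl-outcome (the bytes sent by the side that accepted the connection) can be judged this way; the opposite direction never contains that frame.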
