Posted to commits@qpid.apache.org by ac...@apache.org on 2011/09/07 19:28:05 UTC
svn commit: r1166279 - in /qpid/trunk/qpid/cpp/src:
qpid/cluster/Connection.cpp qpid/cluster/SecureConnectionFactory.cpp
qpid/cluster/UpdateClient.cpp tests/cluster_tests.py
Author: aconway
Date: Wed Sep 7 17:28:04 2011
New Revision: 1166279
URL: http://svn.apache.org/viewvc?rev=1166279&view=rev
Log:
Bug 730017, QPID-3475: Cluster authentication ignores cluster-* settings.
When a broker joins a cluster, it should be authenticated
using the options --cluster-username, --cluster-password and
--cluster-mechanism. The broker was ignoring the settings and joining
the cluster even if an invalid user or password was supplied.
Modified:
qpid/trunk/qpid/cpp/src/qpid/cluster/Connection.cpp
qpid/trunk/qpid/cpp/src/qpid/cluster/SecureConnectionFactory.cpp
qpid/trunk/qpid/cpp/src/qpid/cluster/UpdateClient.cpp
qpid/trunk/qpid/cpp/src/tests/cluster_tests.py
Modified: qpid/trunk/qpid/cpp/src/qpid/cluster/Connection.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/cluster/Connection.cpp?rev=1166279&r1=1166278&r2=1166279&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/cluster/Connection.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/cluster/Connection.cpp Wed Sep 7 17:28:04 2011
@@ -99,7 +99,9 @@ Connection::Connection(Cluster& c, sys::
external,
isLink,
isCatchUp ? ++catchUpId : 0,
- isCatchUp), // isCatchUp => shadow
+ // The first catch-up connection is not considered a shadow
+ // as it needs to be authenticated.
+ isCatchUp && self.second > 1),
expectProtocolHeader(isLink),
mcastFrameHandler(cluster.getMulticast(), self),
updateIn(c.getUpdateReceiver()),
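Review bot: The shadow flag now rests on the literal `self.second > 1`, so whether a catch-up connection is authenticated depends on how connection ids are numbered, which this hunk does not show. If the first catch-up connection can ever carry an id other than 1, it would presumably be classed as a shadow and skip authentication again. The comment should name the invariant and say why later catch-up connections may be trusted, for example `// Catch-up ids start at 1; only id 1 presents the joiner's cluster-* credentials, later ones are opened after it has authenticated.` if that is what holds. The constructor's initializer list starts and ends outside the hunk.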
Modified: qpid/trunk/qpid/cpp/src/qpid/cluster/SecureConnectionFactory.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/cluster/SecureConnectionFactory.cpp?rev=1166279&r1=1166278&r2=1166279&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/cluster/SecureConnectionFactory.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/cluster/SecureConnectionFactory.cpp Wed Sep 7 17:28:04 2011
@@ -7,9 +7,9 @@
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
@@ -48,7 +48,7 @@ SecureConnectionFactory::create(Protocol
if (clusterCodec) {
SecureConnectionPtr sc(new SecureConnection());
clusterCodec->setSecureConnection(sc.get());
- sc->setCodec(codec);
+ sc->setCodec(codec);
return sc.release();
}
return 0;
@@ -63,7 +63,7 @@ SecureConnectionFactory::create(sys::Out
if (clusterCodec) {
SecureConnectionPtr sc(new SecureConnection());
clusterCodec->setSecureConnection(sc.get());
- sc->setCodec(codec);
+ sc->setCodec(codec);
return sc.release();
}
return 0;
Modified: qpid/trunk/qpid/cpp/src/qpid/cluster/UpdateClient.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/cluster/UpdateClient.cpp?rev=1166279&r1=1166278&r2=1166279&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/cluster/UpdateClient.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/cluster/UpdateClient.cpp Wed Sep 7 17:28:04 2011
@@ -151,6 +151,7 @@ void UpdateClient::run() {
try {
connection.open(updateeUrl, connectionSettings);
session = connection.newSession(UPDATE);
+ session.sync();
update();
done();
} catch (const std::exception& e) {
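Review bot: The added `session.sync();` carries no comment, and nothing in the hunk says why a round trip is needed before `update()`. Presumably it makes a rejected cluster login surface here, inside the `try`, before any state is sent to the updatee; if so, say it with something like `// Block until the broker has accepted the session, so a failed cluster-* login throws before update() sends state.` The catch handler and the rest of `UpdateClient::run()` are outside the hunk, so how the failure is reported cannot be checked from here.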
Modified: qpid/trunk/qpid/cpp/src/tests/cluster_tests.py
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/cluster_tests.py?rev=1166279&r1=1166278&r2=1166279&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/cluster_tests.py (original)
+++ qpid/trunk/qpid/cpp/src/tests/cluster_tests.py Wed Sep 7 17:28:04 2011
@@ -164,6 +164,121 @@ acl allow all all
self.fail("Expected exception")
except messaging.exceptions.NotFound: pass
+ def test_sasl_join(self):
+ """Verify SASL authentication between brokers when joining a cluster."""
+ sasl_config=os.path.join(self.rootdir, "sasl_config")
+
+ # Valid user/password, ensure queue is created.
+ c = cluster[0].connect(username="zig", password="zig")
+ c.session().sender("ziggy;{create:always}")
+ c.close()
+ c = cluster[1].connect(username="zig", password="zig")
+ c.session().receiver("ziggy;{assert:always}")
+ c.close()
+ for b in cluster: b.ready() # Make sure all brokers still running.
+
+ # Valid user, bad password
+ try:
+ cluster[0].connect(username="zig", password="foo").close()
+ self.fail("Expected exception")
+ except messaging.exceptions.ConnectionError: pass
+ for b in cluster: b.ready() # Make sure all brokers still running.
+
+ # Bad user ID
+ try:
+ cluster[0].connect(username="foo", password="bar").close()
+ self.fail("Expected exception")
+ except messaging.exceptions.ConnectionError: pass
+ for b in cluster: b.ready() # Make sure all brokers still running.
+
+ # Action disallowed by ACL
+ c = cluster[0].connect(username="zag", password="zag")
+ try:
+ s = c.session()
+ s.sender("zaggy;{create:always}")
+ s.close()
+ self.fail("Expected exception")
+ except messaging.exceptions.UnauthorizedAccess: pass
+ # make sure the queue was not created at the other node.
+ c = cluster[0].connect(username="zag", password="zag")
+ try:
+ s = c.session()
+ s.sender("zaggy;{assert:always}")
+ s.close()
+ self.fail("Expected exception")
+ except messaging.exceptions.NotFound: pass
+
+ def test_sasl_join(self):
+ """Verify SASL authentication between brokers when joining a cluster."""
+ # Valid user/password, ensure queue is created.
+ c = cluster[0].connect(username="zig", password="zig")
+ c.session().sender("ziggy;{create:always}")
+ c.close()
+ c = cluster[1].connect(username="zig", password="zig")
+ c.session().receiver("ziggy;{assert:always}")
+ c.close()
+ for b in cluster: b.ready() # Make sure all brokers still running.
+
+ # Valid user, bad password
+ try:
+ cluster[0].connect(username="zig", password="foo").close()
+ self.fail("Expected exception")
+ except messaging.exceptions.ConnectionError: pass
+ for b in cluster: b.ready() # Make sure all brokers still running.
+
+ # Bad user ID
+ try:
+ cluster[0].connect(username="foo", password="bar").close()
+ self.fail("Expected exception")
+ except messaging.exceptions.ConnectionError: pass
+ for b in cluster: b.ready() # Make sure all brokers still running.
+
+ # Action disallowed by ACL
+ c = cluster[0].connect(username="zag", password="zag")
+ try:
+ s = c.session()
+ s.sender("zaggy;{create:always}")
+ s.close()
+ self.fail("Expected exception")
+ except messaging.exceptions.UnauthorizedAccess: pass
+ # make sure the queue was not created at the other node.
+ c = cluster[0].connect(username="zag", password="zag")
+ try:
+ s = c.session()
+ s.sender("zaggy;{assert:always}")
+ s.close()
+ self.fail("Expected exception")
+ except messaging.exceptions.NotFound: pass
+
+ def test_sasl_join(self):
+ """Verify SASL authentication between brokers when joining a cluster."""
+ sasl_config=os.path.join(self.rootdir, "sasl_config")
+ # Test with a valid username/password
+ cluster = self.cluster(1, args=["--auth", "yes",
+ "--sasl-config", sasl_config,
+ "--load-module", os.getenv("ACL_LIB"),
+ "--cluster-username=zig",
+ "--cluster-password=zig",
+ "--cluster-mechanism=PLAIN"
+ ])
+ cluster.start()
+ cluster.ready()
+ c = cluster[1].connect(username="zag", password="zag")
+
+ # Test with an invalid username/password
+ cluster = self.cluster(1, args=["--auth", "yes",
+ "--sasl-config", sasl_config,
+ "--load-module", os.getenv("ACL_LIB"),
+ "--cluster-username=x",
+ "--cluster-password=y",
+ "--cluster-mechanism=PLAIN"
+ ])
+ try:
+ cluster.start(expect=EXPECT_EXIT_OK)
+ cluster[1].ready()
+ self.fail("Expected exception")
+ except: pass
+
def test_user_id_update(self):
"""Ensure that user-id of an open session is updated to new cluster members"""
sasl_config=os.path.join(self.rootdir, "sasl_config")
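Review bot: The invalid-credentials case at the end of the third `test_sasl_join` cannot fail: `self.fail("Expected exception")` raises inside the `try` and the bare `except: pass` swallows it, so the test passes even when a broker started with `--cluster-username=x` joins the cluster. Move the failure out of the `try` and narrow the handler: `except Exception: pass` followed by `else: self.fail("Expected exception")`. Separately, the hunk adds three methods named `test_sasl_join`; Python keeps only the last definition, and the first two use `cluster` without defining it, so their bad-password and ACL checks never run. Drop them or give them distinct names and their own cluster setup. In the valid-credentials case the connection `c` is opened but never used or closed.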