Posted to commits@qpid.apache.org by gs...@apache.org on 2008/05/09 20:09:44 UTC
svn commit: r654902 - in /incubator/qpid/trunk/qpid/cpp: Makefile.am
configure.ac etc/Makefile.am etc/sasl2/ etc/sasl2/qpidd.conf qpidc.spec.in
src/qpid/broker/Broker.cpp src/qpid/broker/Broker.h
src/qpid/broker/SaslAuthenticator.cpp
Author: gsim
Date: Fri May 9 11:09:43 2008
New Revision: 654902
URL: http://svn.apache.org/viewvc?rev=654902&view=rev
Log:
QPID-648: Patch from Matt Farrellee
- support for realms
- updates to packaging to create a default db and the necessary conf files for plain and anon
Added:
incubator/qpid/trunk/qpid/cpp/etc/Makefile.am
incubator/qpid/trunk/qpid/cpp/etc/sasl2/
incubator/qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf
Modified:
incubator/qpid/trunk/qpid/cpp/Makefile.am
incubator/qpid/trunk/qpid/cpp/configure.ac
incubator/qpid/trunk/qpid/cpp/qpidc.spec.in
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.cpp
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h
incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
Modified: incubator/qpid/trunk/qpid/cpp/Makefile.am
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/Makefile.am?rev=654902&r1=654901&r2=654902&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/Makefile.am (original)
+++ incubator/qpid/trunk/qpid/cpp/Makefile.am Fri May 9 11:09:43 2008
@@ -5,14 +5,11 @@
EXTRA_DIST = \
LICENSE NOTICE README RELEASE_NOTES\
- etc/qpidd etc/qpidd.conf \
$(SPEC) $(SPEC).in \
rpm/README.qpidd-devel \
xml/cluster.xml
-sysconf_DATA = etc/qpidd.conf
-
-SUBDIRS = managementgen src docs/api docs/man examples
+SUBDIRS = managementgen etc src docs/api docs/man examples
# Update libtool, if needed.
libtool: $(LIBTOOL_DEPS)
Modified: incubator/qpid/trunk/qpid/cpp/configure.ac
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/configure.ac?rev=654902&r1=654901&r2=654902&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/configure.ac (original)
+++ incubator/qpid/trunk/qpid/cpp/configure.ac Fri May 9 11:09:43 2008
@@ -177,6 +177,7 @@
[AC_MSG_ERROR([Bad value for --with-sasl: $withval])])
# If we weren't explicitly asked /not/ to test, i.e. not given --without-sasl
+have_sasl=no
AS_IF([test "x$WANT_SASL" != xno],
# Perform tests for headers and libraries. Remember, AC_CHECK_LIB
# will give you some useful default behavior, e.g. setup LDFLAGS, if
@@ -189,10 +190,12 @@
# And we were given --with, then fail
[AS_IF([test "x$WANT_SASL" = xyes],
[AC_MSG_ERROR([sasl requested but not available])])],
- # Otherwise, no tests failed, setup AC_SUBST/AC_DEFINE/AM_CONDITIONALs
+ # Otherwise, no tests failed, setup AC_SUBST/AC_DEFINE/vars for AM_CONDITIONALs
[AC_DEFINE([BROKER_SASL_NAME], ["qpidd"],
[The SASL app name for the qpid Broker])
- AC_DEFINE([HAVE_SASL], [1], [Enable if libsasl is present])])])
+ AC_DEFINE([HAVE_SASL], [1], [Enable if libsasl is present])
+ have_sasl=yes])])
+AM_CONDITIONAL([HAVE_SASL], [test "x$have_sasl" = xyes])
# Setup --with-xml/--without-xml as arguments to configure
@@ -261,6 +264,7 @@
Makefile
examples/Makefile
managementgen/Makefile
+ etc/Makefile
src/Makefile
src/tests/Makefile
docs/man/Makefile
Added: incubator/qpid/trunk/qpid/cpp/etc/Makefile.am
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/etc/Makefile.am?rev=654902&view=auto
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/etc/Makefile.am (added)
+++ incubator/qpid/trunk/qpid/cpp/etc/Makefile.am Fri May 9 11:09:43 2008
@@ -0,0 +1,34 @@
+SASL_CONF = sasl2/qpidd.conf
+
+EXTRA_DIST = \
+ $(SASL_CONF) \
+ qpidd qpidd.conf
+
+nobase_sysconf_DATA = \
+ qpidd.conf
+
+if HAVE_SASL
+SASL_DB = sasl2/qpidd.sasldb
+
+nobase_sysconf_DATA += \
+ $(SASL_CONF)
+
+sasldbdir = $(localstatedir)/lib/qpidd
+sasldb_DATA = $(SASL_DB)
+
+# Setup the default sasldb file with a single user, guest, with an
+# obvious password. This user and password are the default for many
+# clients.
+#
+# The realm specified by -u is very important, and QPID is the default
+# for the broker so we use it here. The realm is important because it
+# defaults to the local hostname of the machine running the
+# broker. This may not seem to bad at first glance, but it means that
+# the sasldb has to be tailored to each machine that would be running
+# a broker, and if the machine ever changed its name the
+# authentication would stop working until the sasldb was updated. For
+# these reasons we always want the broker to specify a realm where its
+# users live, and we want the users to exist in that realm as well.
+$(SASL_DB):
+ echo guest | /usr/sbin/saslpasswd2 -c -p -f $(SASL_DB) -u QPID guest
+endif
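Review bot: The `$(SASL_DB):` rule bakes a well-known credential (user guest, password guest, realm QPID) into the database that the spec then installs under the broker's state directory, so every broker started with authentication enabled accepts that login until an administrator removes or changes the entry; the comment calls the password "obvious" but does not say operators must act on it. I would add to the comment `# Operators must remove or replace the guest account before exposing a broker that runs with --auth yes.` so the expectation is visible where the database is created. The rule also hard-codes `/usr/sbin/saslpasswd2`, which fails on systems where the tool lives elsewhere; a configure-substituted variable would keep the build portable.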
Added: incubator/qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf?rev=654902&view=auto
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf (added)
+++ incubator/qpid/trunk/qpid/cpp/etc/sasl2/qpidd.conf Fri May 9 11:09:43 2008
@@ -0,0 +1,24 @@
+#
+# This configuation allows for either SASL PLAIN or ANONYMOUS
+# authentication. The PLAIN authentication is done on a
+# username+password, which is stored in the sasldb_path
+# file. Usernames and passwords can be added to the file using the
+# command:
+#
+# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER>
+#
+# The REALM is important and should be the same as the --auth-realm
+# option to the broker. This lets the broker properly find the user in
+# the sasldb file.
+#
+# Existing user accounts may be listed with:
+#
+# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
+#
+# NOTE: The sasldb file must be readable by the user running the qpidd
+# daemon, and should be readable only by that user.
+#
+mech_list: plain anonymous
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+sasldb_path: /var/lib/qpidd/qpidd.sasldb
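Review bot: `mech_list: plain anonymous` enables ANONYMOUS alongside PLAIN, which means a client can complete SASL without any credentials even when the broker has authentication turned on, and PLAIN sends the password in cleartext unless the transport is otherwise protected; the header comment documents how to add users but not either consequence. I would add, before `mech_list`, `# ANONYMOUS lets clients authenticate with no credentials; remove it from mech_list on brokers that must require a user. PLAIN transmits the password unprotected, so use it only over a protected transport.` The comment also has a typo (`configuation`).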
Modified: incubator/qpid/trunk/qpid/cpp/qpidc.spec.in
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/qpidc.spec.in?rev=654902&r1=654901&r2=654902&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/qpidc.spec.in (original)
+++ incubator/qpid/trunk/qpid/cpp/qpidc.spec.in Fri May 9 11:09:43 2008
@@ -7,7 +7,7 @@
Name: @PACKAGE@
Version: @VERSION@
-Release: 31%{?dist}
+Release: 32%{?dist}
Summary: Libraries for Qpid C++ client applications
Group: System Environment/Libraries
License: Apache Software License
@@ -58,6 +58,8 @@
Requires: openais
Requires: xqilla
Requires: xerces-c
+Requires: cyrus-sasl
+BuildRequires: cyrus-sasl-devel
%description -n %{qpidd}
A message broker daemon that receives stores and routes messages using
@@ -137,8 +139,10 @@
%_libdir/libqpidcluster.so.0
%_libdir/libqpidcluster.so.0.1.0
%_sbindir/%{qpidd}
+%config(noreplace) %_sysconfdir/sasl2/qpidd.conf
%{_initrddir}/%{qpidd}
%attr(755, qpidd, qpidd) %_localstatedir/lib/qpidd
+%attr(600, qpidd, qpidd) %config(noreplace) %_localstatedir/lib/qpidd/qpidd.sasldb
%doc %_mandir/man1/%{qpidd}.*
%files -n %{qpidd}-devel
@@ -172,6 +176,10 @@
/sbin/ldconfig
%changelog
+* Thu May 8 2008 Matthew Farrellee <mf...@redhat> - 0.2-32
+- Added sasl2 config file for qpidd
+- Added cyrus-sasl dependencies
+
* Wed May 7 2008 Matthew Farrellee <mf...@redhat> - 0.2-31
- Added python dependency, needed by managementgen
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.cpp
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.cpp?rev=654902&r1=654901&r2=654902&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.cpp Fri May 9 11:09:43 2008
@@ -85,6 +85,7 @@
#else
auth(false),
#endif
+ realm("QPID"),
ack(0)
{
int c = sys::SystemInfo::concurrency();
@@ -110,6 +111,8 @@
"Management Publish Interval")
("auth", optValue(auth, "yes|no"),
"Enable authentication, if disabled all incoming connections will be trusted")
+ ("realm", optValue(realm, "REALM"),
+ "Use the given realm when performing authentication")
("ack", optValue(ack, "N"),
"Send session.ack/solicit-ack at least every N frames. 0 disables voluntary ack/solitict-ack");
}
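Review bot: The option registered here is `realm`, but the comment shipped in etc/sasl2/qpidd.conf in this same commit tells administrators to match the REALM to the broker's `--auth-realm` option, which does not exist in this table; one of the two needs to change or the documented instruction cannot be followed. If the intent is the more descriptive name, the line would become `("auth-realm", optValue(realm, "REALM"),`; otherwise the qpidd.conf comment should say `--realm`. The help text could also mention the default, e.g. `"Use the given realm when performing authentication (default: QPID)"`, since the default is set in the constructor hunk above and is what the packaged sasldb is created with.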
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h?rev=654902&r1=654901&r2=654902&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/Broker.h Fri May 9 11:09:43 2008
@@ -80,6 +80,7 @@
bool enableMgmt;
uint16_t mgmtPubInterval;
bool auth;
+ std::string realm;
uint32_t ack;
};
Modified: incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp
URL: http://svn.apache.org/viewvc/incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp?rev=654902&r1=654901&r2=654902&view=diff
==============================================================================
--- incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp (original)
+++ incubator/qpid/trunk/qpid/cpp/src/qpid/broker/SaslAuthenticator.cpp Fri May 9 11:09:43 2008
@@ -109,8 +109,26 @@
void CyrusAuthenticator::init()
{
- int code = sasl_server_new(BROKER_SASL_NAME,
- NULL, NULL, NULL, NULL, NULL, 0,
+ /* Next to the service name, which specifies the
+ * /etc/sasl2/<service name>.conf file to read, the realm is
+ * currently the most important argument below. When
+ * performing authentication the user that is authenticating
+ * will be looked up in a specific realm. If none is given
+ * then the realm defaults to the hostname, which can cause
+ * confusion when the daemon is run on different hosts that
+ * may be logically sharing a realm (aka a user domain). This
+ * is especially important for SASL PLAIN authentication,
+ * which cannot specify a realm for the user that is
+ * authenticating.
+ */
+ const char *realm = connection.getBroker().getOptions().realm.c_str();
+ int code = sasl_server_new(BROKER_SASL_NAME, /* Service name */
+ NULL, /* Server FQDN, gethostname() */
+ realm, /* Authentication realm */
+ NULL, /* Local IP, needed for some mechanism */
+ NULL, /* Remote IP, needed for some mechanism */
+ NULL, /* Callbacks */
+ 0, /* Connection flags */
&sasl_conn);
if (SASL_OK != code) {
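Review bot: An empty `--realm` value reaches `sasl_server_new` as `""` rather than `NULL`, so it neither selects the hostname default described in the new comment nor names a usable realm; if that is not intended, `const char *realm = opts.realm.empty() ? NULL : opts.realm.c_str();` (with `const Broker::Options& opts = connection.getBroker().getOptions();` on the line before) makes the fallback explicit. The pointer from `c_str()` is only as long-lived as the options object; I believe libsasl copies the realm string on entry, but that is worth confirming rather than relying on. `CyrusAuthenticator::init` continues past the end of this hunk, so the error path after the `SASL_OK` check is not visible here.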