You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Ted Ross (JIRA)" <ji...@apache.org> on 2015/04/13 14:30:12 UTC

[jira] [Commented] (QPID-6491) qpid-route map does not use any authentication when querying other brokers

    [ https://issues.apache.org/jira/browse/QPID-6491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14492341#comment-14492341 ] 

Ted Ross commented on QPID-6491:
--------------------------------

The route-map feature is intended for situations where all of the brokers in the federation are owned by the same organization.  As such, I think your patch is an improvement and should be merged into trunk.

In cases where different brokers have different owners (and different access credentials), route-map should be (already is) prevented from reaching into that part of the network.  Of course, if the brokers are open to ANONYMOUS access, then anyone can read that information.

The idea of getting credentials from QMF is a bad one as the security implications are numerous.


> qpid-route map does not use any authentication when querying other brokers
> --------------------------------------------------------------------------
>
>                 Key: QPID-6491
>                 URL: https://issues.apache.org/jira/browse/QPID-6491
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Tools
>    Affects Versions: 0.30
>            Reporter: Pavel Moravec
>            Priority: Minor
>         Attachments: QPID-6491.patch
>
>
> "qpid-route route map" during generating the federation topology connects to each and every broker in the federation to query it's federation peers. All such connections (except for the very first broker) are made as anonymous user only.
> It is requested the tool passes username, password and optionally also --client-sasl-mechanism parameter to all other brokers as well.
> (another option to this would be the tool gets the credentials info from the broker, but currently QMF response to links does not contain such info. This option would need much more code change also on broker side)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org