You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@qpid.apache.org by Fraser Adams <fr...@blueyonder.co.uk> on 2011/10/03 19:42:01 UTC
Is it possible to set authentication to only authenticate consumers?
Hi,
I haven't done any work playing with authentication, so I'm curious - Is
it possible to set authentication to only authenticate consumers so
producers can connect in without needing authentication?
Also is there a good tutorial for getting started with authentication -
preferable something that starts with the basics to help a total
authentication noob get something up and running quickly.
My personal view was that I wanted to run our system in a "trust and
verify" model where we'd audit connections, but some folks in my
organisation are getting a bit twitchy about that, so I want to keep my
options open. It's unfortunate as my system is sitting behind a firewall
on a trusted network and I wanted to have a model that maximises
business agility by allowing consumers to quickly subscribe to the data
they need when they need it and do cool stuff with it.
One of my biggest concerns about going down an authentication path is
the administrative overhead of setting up and managing
usernames/passwords. How do I do it so that it's not burdonsome to allow
a new connection - especially if someone needs one in a hurry "out of
hours". I guess the simple answer might be to have a single
qpid-subscriber "account", but surely one account/password is little
better than no authentication at all as anyone who knows this could
easily set up another consumer client and subscribe to different data.
MTIA
Frase
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Authentication newbie help sought - I'm afraid I'm failing at the
first hurdle :-(
Posted by Fraser Adams <fr...@blueyonder.co.uk>.
Hi all,
I thought I'd have an initial play with authentication, but I'm afraid
that I seem to be failing at the first hurdle.
So what I've done so far is:
I knew that there are potential issues with permissions with the
qpidd.sasldb so my first step was to copy etc/sasl2/qpidd.conf and
qpidd.sasldb to my home directory (just to make things easier while I'm
playing). I modified qpidd.conf with
sasldb_path: /home/fadams/qpidd.sasldb
I checked
sasldblistusers2 -f /home/fadams/qpidd.sasldb
and got (as expected)
guest@QPID: userPassword
and was able to add other users using
saslpasswd2 -f /home/fadams/qpidd.sasldb -u QPID fadams
So I started qpidd as myself with:
qpidd --sasl-config /home/fadams/qpidd.conf -t
And in the trace I got:
2011-10-04 18:57:59 info SASL: config path set to /home/fadams/qpidd.conf
2011-10-04 18:57:59 info SASL enabled
2011-10-04 18:57:59 notice Listening on TCP port 5672
2011-10-04 18:57:59 info Policy file not specified. ACL Disabled, no ACL
checking being done!
2011-10-04 18:57:59 notice Broker running
2011-10-04 18:58:04 debug RECV [127.0.0.1:5672-127.0.0.1:35444] INIT(0-10)
2011-10-04 18:58:04 debug External ssf=0 and auth=
2011-10-04 18:58:04 debug min_ssf: 0, max_ssf: 256, external_ssf: 0
2011-10-04 18:58:04 info SASL: Mechanism list: NTLM CRAM-MD5 LOGIN
DIGEST-MD5 ANONYMOUS PLAIN
Which looked OK to me.
However I then tried to connect with a Java consumer using a fairly
basic connection URL
connectionfactory.ConnectionFactory =
amqp://guest:guest@clientid/test?brokerlist='tcp://localhost:5672'
Which failed with "session creation failed"
And a broker trace of:
2011-10-04 18:58:04 trace SENT [127.0.0.1:5672-127.0.0.1:35444]:
Frame[BEbe; channel=0; {ConnectionStartBody:
server-properties={qpid.federation_tag:V2:36:str16(04cb2a36-ccaa-4762-9e9a-56329c267085)};
mechanisms=str16{V2:4:str16(NTLM), V2:8:str16(CRAM-MD5),
V2:5:str16(LOGIN), V2:10:str16(DIGEST-MD5), V2:9:str16(ANONYMOUS),
V2:5:str16(PLAIN)}; locales=str16{V2:5:str16(en_US)}; }]
2011-10-04 18:58:04 trace RECV [127.0.0.1:5672-127.0.0.1:35444]:
Frame[BEbe; channel=0; {ConnectionStartOkBody:
client-properties={clientName:V2:8:str16(clientid),qpid.client_pid:F4:int32(7032),qpid.client_process:V2:16:str16(Qpid
Java Client),qpid.session_flow:F4:int32(1)}; mechanism=PLAIN;
response=xxxxxx; }]
2011-10-04 18:58:04 debug SASL: Starting authentication with mechanism:
PLAIN
2011-10-04 18:58:04 info SASL: Authentication failed for
guest@QPID:SASL(-13): user not found: Password verification failed
2011-10-04 18:58:04 debug Exception constructed: Authentication failed
2011-10-04 18:58:04 debug SEND raiseEvent (v1)
class=org.apache.qpid.broker.clientConnectFail
2011-10-04 18:58:04 debug SEND raiseEvent (v2)
class=org.apache.qpid.broker.clientConnectFail
2011-10-04 18:58:04 trace SENT [127.0.0.1:5672-127.0.0.1:35444]:
Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=320;
reply-text=connection-forced: Authentication failed; }]
2011-10-04 18:58:04 trace RECV [127.0.0.1:5672-127.0.0.1:35444]:
Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
2011-10-04 18:58:04 debug DISCONNECTED [127.0.0.1:5672-127.0.0.1:35444]
I also tried explicitly setting the realm using:
qpidd --sasl-config /home/fadams/qpidd.conf --realm QPID -t
but that was equally unsuccessful.
Finally as much out of desperation as anything I tried:
sudo qpidd -t
which clearly should have picked up the default stuff in the default
qpidd.sasldb locations and clearly would have the correct read
permissions. Again I got:
2011-10-04 19:41:59 info SASL: Authentication failed for
guest@QPID:SASL(-13): user not found: Password verification failed
I'd be really grateful if someone who knows about this stuff could
suggest what I've done wrong. I can't see why I should be getting "user
not found" with a fairly vanilla set up.
MTIA
Frase
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Fraser Adams <fr...@blueyonder.co.uk>.
Oh I forgot to say I'm using the C++ broker and a mixture of C++, Java
and Perl clients.
Fraser Adams wrote:
> Hi,
> I haven't done any work playing with authentication, so I'm curious -
> Is it possible to set authentication to only authenticate consumers so
> producers can connect in without needing authentication?
>
> Also is there a good tutorial for getting started with authentication
> - preferable something that starts with the basics to help a total
> authentication noob get something up and running quickly.
>
> My personal view was that I wanted to run our system in a "trust and
> verify" model where we'd audit connections, but some folks in my
> organisation are getting a bit twitchy about that, so I want to keep
> my options open. It's unfortunate as my system is sitting behind a
> firewall on a trusted network and I wanted to have a model that
> maximises business agility by allowing consumers to quickly subscribe
> to the data they need when they need it and do cool stuff with it.
>
> One of my biggest concerns about going down an authentication path is
> the administrative overhead of setting up and managing
> usernames/passwords. How do I do it so that it's not burdonsome to
> allow a new connection - especially if someone needs one in a hurry
> "out of hours". I guess the simple answer might be to have a single
> qpid-subscriber "account", but surely one account/password is little
> better than no authentication at all as anyone who knows this could
> easily set up another consumer client and subscribe to different data.
>
> MTIA
> Frase
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project: http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Fraser Adams <fr...@blueyonder.co.uk>.
Gordon Sim wrote:
> On 10/07/2011 05:50 PM, Fraser Adams wrote:
>> What I'd quite like to be able to do is to log, but not deny if a queue
>> is created that's not one of a named set. I'm suspecting that I can't do
>> that with acl and I might have to write a QMF client to do that.
>
> I think you are right, QMF may be the simplest way to go. You can
> quite easily get events sent out for queue creation and could then
> check the name against an expected set and log any deviation.
Yeah, I suspect that it ought to be pretty easy to do this using
qpid-printevents as a starting point. I've just had a quick look and I
suspect that the only slight gotcha is to cope with the case where the
broker gets restarted and a connection is made straight after. In this
case qpid-printevents was only showing its own bind events. I suspect if
I intercept the bind to the qpid.management exchange and use that to
trigger a getObjects() for all queues/bindings/exchanges to cover that
edge case.
Thanks for all your help yet again!!
Frase
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Gordon Sim <gs...@redhat.com>.
On 10/07/2011 05:50 PM, Fraser Adams wrote:
> What I'd quite like to be able to do is to log, but not deny if a queue
> is created that's not one of a named set. I'm suspecting that I can't do
> that with acl and I might have to write a QMF client to do that.
I think you are right, QMF may be the simplest way to go. You can quite
easily get events sent out for queue creation and could then check the
name against an expected set and log any deviation.
> Incidentally, is it possible to get the broker to re-read an acl. I've
> been restarting the broker, but that's not ideal in a live environment.
Yes, there is a QMF method on the broker for re-reading the ACL.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Fraser Adams <fr...@blueyonder.co.uk>.
>
> That seems strange to me. For me, if DIGEST-MD5, PLAIN and ANONYMOUS
> are all available, ANONYMOUS is picked by default unless a username is
> set. Are you sure you aren't setting a username?
Pretty certain. As I said earlier it's a pretty basic client that has
string broker = "localhost:5672";
string connectionOptions = "{reconnect: true}";
When I looked at the broker trace it was talking about fadams@QPID,
fadams is the name of the account that I'm using to run the client, but
I've never explicitly used fadams anywhere as a qpid username so
*something* is picking the account name.
>
> I wonder if your sasl lib behaves differently to mine...
Possibly, I'm running Ubuntu - perhaps it's got some subtly different
options. I guess it's no big deal now as I seem to have got things
working generally.
I still think anything to do with security is voodoo magic though, it's
some sort of miracle that I've made it this far :-D
So now I've got another slightly off the wall question :-) So I've got
an acl set up whereby I can have anonymous@QPID to only have publish
rights and named users to subscribe.
What I'd quite like to be able to do is to log, but not deny if a queue
is created that's not one of a named set. I'm suspecting that I can't do
that with acl and I might have to write a QMF client to do that.
Incidentally, is it possible to get the broker to re-read an acl. I've
been restarting the broker, but that's not ideal in a live environment.
Frase
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Gordon Sim <gs...@redhat.com>.
On 10/07/2011 01:59 PM, Fraser Adams wrote:
>>
>>> I've just run up a basic C++ client and that asks for a password. It
>>> appears to be sending the account name as the username (in other words
>>> in my case it's saying Authentication failed for fadams@QPID:SASL(-13):
>>> authentication failure: client response doesn't match what we
>>> generated).
>>
>> Hmm, the c++ client doesn't default the username anymore. That was
>> changed some time ago
>> (http://svn.apache.org/viewvc?view=revision&revision=732691), are you
>> sure you are using 0.10 client libs?
>
> I'm fairly sure I am using the 0.10 client libs, when I upgraded from
> 0.8 I did a full make uninstall of 0.8 then a full make/make install of
> 0.10, you might recall I had problems when I initially tried compiling
> 0.10 because the make was picking up the 0.8 libs so I had to do a full
> uninstall of 0.8 before I could make 0.10.
>
> Is there a simple way that I can double check the installed client libs
> are the right version?
I can't think of anything that could be described as simple. The change
I referenced should have been in 0.8 anyway though I think.
> Like I say what I appear to be seeing is that if I don't explicitly set
> mech_list: anonymous plain in qpidd.conf it appears to be trying to
> authenticate via DIGEST-MD5 using the account name as username, when I
> do set the mech_list explicitly it seems to happily send anonymous
That seems strange to me. For me, if DIGEST-MD5, PLAIN and ANONYMOUS are
all available, ANONYMOUS is picked by default unless a username is set.
Are you sure you aren't setting a username?
I wonder if your sasl lib behaves differently to mine...
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Fraser Adams <fr...@blueyonder.co.uk>.
>
>> I've just run up a basic C++ client and that asks for a password. It
>> appears to be sending the account name as the username (in other words
>> in my case it's saying Authentication failed for fadams@QPID:SASL(-13):
>> authentication failure: client response doesn't match what we
>> generated).
>
> Hmm, the c++ client doesn't default the username anymore. That was
> changed some time ago
> (http://svn.apache.org/viewvc?view=revision&revision=732691), are you
> sure you are using 0.10 client libs?
I'm fairly sure I am using the 0.10 client libs, when I upgraded from
0.8 I did a full make uninstall of 0.8 then a full make/make install of
0.10, you might recall I had problems when I initially tried compiling
0.10 because the make was picking up the 0.8 libs so I had to do a full
uninstall of 0.8 before I could make 0.10.
Is there a simple way that I can double check the installed client libs
are the right version?
Like I say what I appear to be seeing is that if I don't explicitly set
mech_list: anonymous plain in qpidd.conf it appears to be trying to
authenticate via DIGEST-MD5 using the account name as username, when I
do set the mech_list explicitly it seems to happily send anonymous
Frase
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Gordon Sim <gs...@redhat.com>.
On 10/07/2011 12:09 PM, Fraser Adams wrote:
> How would I go about enabling anonymous authentication?
It should be enabled by default.
> I've
> successfully authenticated my basic Java client using the "guest/guest"
> username/password - I'm guessing that's not "anonymous" though as it
> clearly has a name :-).
In the Java client you need to explicitly set the SASL mechanism to use
(else PLAIN is the default). This is to be changed in the next release I
believe, to make the default choose from any of the mutually supported
options.
> I've just run up a basic C++ client and that asks for a password. It
> appears to be sending the account name as the username (in other words
> in my case it's saying Authentication failed for fadams@QPID:SASL(-13):
> authentication failure: client response doesn't match what we generated).
Hmm, the c++ client doesn't default the username anymore. That was
changed some time ago
(http://svn.apache.org/viewvc?view=revision&revision=732691), are you
sure you are using 0.10 client libs?
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Gordon Sim <gs...@redhat.com>.
On 10/07/2011 12:50 PM, Pavel Moravec wrote:
> qpidd chooses from the available mechanisms the most secure (from available) every time, when possible. I think SASL library itself does not have a priority list itself, the decision is made by qpidd only.
Actually I think it is the other way around. There is no logic in qpidd
(or the cyrus-sasl based clients) to prioritise mechanisms. The user can
configure what the client and broker will support, but its the
underlying sasl library that picks one if there is more than one
mutually acceptable option. The choice is I think based on the perceived
security provided and certainly isn't controlled by the order used in
the mech_list.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Pavel Moravec <pm...@redhat.com>.
Hi Frase,
qpidd chooses from the available mechanisms the most secure (from available) every time, when possible. I think SASL library itself does not have a priority list itself, the decision is made by qpidd only.
Kind regards,
Pavel
----- Original Message -----
> From: "Fraser Adams" <fr...@blueyonder.co.uk>
> To: users@qpid.apache.org
> Sent: Friday, October 7, 2011 1:32:02 PM
> Subject: Re: Is it possible to set authentication to only authenticate consumers?
>
> I think I'm sorted now.
>
> I added:
>
> mech_list: anonymous plain
>
> to my qpidd.conf and that seems to work.
>
> out of curiosity does sasl choose the mechanisms in order here?
> Without
> specifying mech_list the broker trace indicated that it was
> supporting a
> wide range of mechanisms including anonymous yet it chose MD5-DIGEST
> (I
> think) when it was initially failing with my c++ client
>
> Frase
>
>
>
> Fraser Adams wrote:
> > Gordon Sim wrote:
> >> On 10/03/2011 06:42 PM, Fraser Adams wrote:
> >>> Is it possible to set authentication to only authenticate
> >>> consumers so
> >>> producers can connect in without needing authentication?
> >>
> >> You can allow both anonymous- and known- users to connect, and
> >> then
> >> use ACLs to only allow the known users to consume while allowing
> >> everyone (including anonymous users) to publish.
> >>
> > Hi Gordon,
> > How would I go about enabling anonymous authentication? I've
> > successfully authenticated my basic Java client using the
> > "guest/guest" username/password - I'm guessing that's not
> > "anonymous"
> > though as it clearly has a name :-).
> >
> > I've just run up a basic C++ client and that asks for a password.
> > It
> > appears to be sending the account name as the username (in other
> > words
> > in my case it's saying Authentication failed for
> > fadams@QPID:SASL(-13): authentication failure: client response
> > doesn't
> > match what we generated).
> >
> > My client is pretty basic and has
> > string broker = "localhost:5672";
> > string connectionOptions = "{reconnect: true}";
> >
> > Now I think that I can add username/password to the connection
> > options
> > and I noticed a |sasl_mechanisms |connection option so I may be
> > able
> > to explicitly set that to anonymous
> >
> > But both of these would require code changes. That's fine in my
> > case
> > here where I can change the code, but in a real world scenario I've
> > got a lot of producers (and I'm not convinced that the developers
> > have
> > necessarily made the connection options configurable) currently
> > connecting to a broker with authentication disabled. I'd like to be
> > able to "authenticate" without them having to change and to add ACL
> > rules to only allow them to produce.
> >
> > I'd have thought that anonymous would have been something that I
> > could
> > enable on the broker config.
> >
> > Have I missed something?
> >
> > MTIA
> > Frase
> >
> >
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > Apache Qpid - AMQP Messaging Implementation
> > Project: http://qpid.apache.org
> > Use/Interact: mailto:users-subscribe@qpid.apache.org
> >
> >
>
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project: http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Fraser Adams <fr...@blueyonder.co.uk>.
I think I'm sorted now.
I added:
mech_list: anonymous plain
to my qpidd.conf and that seems to work.
out of curiosity does sasl choose the mechanisms in order here? Without
specifying mech_list the broker trace indicated that it was supporting a
wide range of mechanisms including anonymous yet it chose MD5-DIGEST (I
think) when it was initially failing with my c++ client
Frase
Fraser Adams wrote:
> Gordon Sim wrote:
>> On 10/03/2011 06:42 PM, Fraser Adams wrote:
>>> Is it possible to set authentication to only authenticate consumers so
>>> producers can connect in without needing authentication?
>>
>> You can allow both anonymous- and known- users to connect, and then
>> use ACLs to only allow the known users to consume while allowing
>> everyone (including anonymous users) to publish.
>>
> Hi Gordon,
> How would I go about enabling anonymous authentication? I've
> successfully authenticated my basic Java client using the
> "guest/guest" username/password - I'm guessing that's not "anonymous"
> though as it clearly has a name :-).
>
> I've just run up a basic C++ client and that asks for a password. It
> appears to be sending the account name as the username (in other words
> in my case it's saying Authentication failed for
> fadams@QPID:SASL(-13): authentication failure: client response doesn't
> match what we generated).
>
> My client is pretty basic and has
> string broker = "localhost:5672";
> string connectionOptions = "{reconnect: true}";
>
> Now I think that I can add username/password to the connection options
> and I noticed a |sasl_mechanisms |connection option so I may be able
> to explicitly set that to anonymous
>
> But both of these would require code changes. That's fine in my case
> here where I can change the code, but in a real world scenario I've
> got a lot of producers (and I'm not convinced that the developers have
> necessarily made the connection options configurable) currently
> connecting to a broker with authentication disabled. I'd like to be
> able to "authenticate" without them having to change and to add ACL
> rules to only allow them to produce.
>
> I'd have thought that anonymous would have been something that I could
> enable on the broker config.
>
> Have I missed something?
>
> MTIA
> Frase
>
>
>
>
>
>
> ---------------------------------------------------------------------
> Apache Qpid - AMQP Messaging Implementation
> Project: http://qpid.apache.org
> Use/Interact: mailto:users-subscribe@qpid.apache.org
>
>
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Fraser Adams <fr...@blueyonder.co.uk>.
Gordon Sim wrote:
> On 10/03/2011 06:42 PM, Fraser Adams wrote:
>> Is it possible to set authentication to only authenticate consumers so
>> producers can connect in without needing authentication?
>
> You can allow both anonymous- and known- users to connect, and then
> use ACLs to only allow the known users to consume while allowing
> everyone (including anonymous users) to publish.
>
Hi Gordon,
How would I go about enabling anonymous authentication? I've
successfully authenticated my basic Java client using the "guest/guest"
username/password - I'm guessing that's not "anonymous" though as it
clearly has a name :-).
I've just run up a basic C++ client and that asks for a password. It
appears to be sending the account name as the username (in other words
in my case it's saying Authentication failed for fadams@QPID:SASL(-13):
authentication failure: client response doesn't match what we generated).
My client is pretty basic and has
string broker = "localhost:5672";
string connectionOptions = "{reconnect: true}";
Now I think that I can add username/password to the connection options
and I noticed a |sasl_mechanisms |connection option so I may be able to
explicitly set that to anonymous
But both of these would require code changes. That's fine in my case
here where I can change the code, but in a real world scenario I've got
a lot of producers (and I'm not convinced that the developers have
necessarily made the connection options configurable) currently
connecting to a broker with authentication disabled. I'd like to be able
to "authenticate" without them having to change and to add ACL rules to
only allow them to produce.
I'd have thought that anonymous would have been something that I could
enable on the broker config.
Have I missed something?
MTIA
Frase
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org
Re: Is it possible to set authentication to only authenticate consumers?
Posted by Gordon Sim <gs...@redhat.com>.
On 10/03/2011 06:42 PM, Fraser Adams wrote:
> Is it possible to set authentication to only authenticate consumers so
> producers can connect in without needing authentication?
You can allow both anonymous- and known- users to connect, and then use
ACLs to only allow the known users to consume while allowing everyone
(including anonymous users) to publish.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org