You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by bh...@apache.org on 2019/11/19 16:13:48 UTC
[qpid-dispatch] branch master updated: Update 'password' and
'saslPassword' descriptions. This closes #611.
This is an automated email from the ASF dual-hosted git repository.
bhardesty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/qpid-dispatch.git
The following commit(s) were added to refs/heads/master by this push:
new d3469b6 Update 'password' and 'saslPassword' descriptions. This closes #611.
d3469b6 is described below
commit d3469b6bbfa422bac76c84deec9694bda4f826b7
Author: Ben Hardesty <bh...@redhat.com>
AuthorDate: Tue Nov 5 16:42:44 2019 -0500
Update 'password' and 'saslPassword' descriptions. This closes #611.
---
.../common/fragment-password-description.adoc | 41 ++++++++++++++++++++++
...ecting-using-mutual-ssl-tls-authentication.adoc | 5 +--
...ing-using-username-password-authentication.adoc | 24 ++++++++++++-
.../user-guide/enabling-ssl-tls-encryption.adoc | 3 +-
.../securing-connections-between-routers.adoc | 3 +-
python/qpid_dispatch/management/qdrouter.json | 32 ++++++++---------
6 files changed, 87 insertions(+), 21 deletions(-)
diff --git a/docs/books/common/fragment-password-description.adoc b/docs/books/common/fragment-password-description.adoc
new file mode 100644
index 0000000..8517621
--- /dev/null
+++ b/docs/books/common/fragment-password-description.adoc
@@ -0,0 +1,41 @@
+////
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License
+////
+
+`password`:: The password to unlock the certificate key. You do not need to specify this if the certificate key does not have a password. By using different prefixes, you can specify the password several different ways depending on your security requirements:
++
+* Specify the absolute path to a file that contains the password. This is the most secure option, because you can set permissions on the file that contains the password. For example:
++
+[options="nowrap",subs="+quotes"]
+----
+password: file:/etc/qpid-dispatch-certs/inter-router/password.txt
+----
+
+* Specify an environment variable that stores the password. Use this option with caution, because the environment of other processes is visible on certain platforms. For example:
++
+[options="nowrap",subs="+quotes"]
+----
+password: env:CERT_PASSWORD
+----
+
+* Specify the password in clear text. This option is insecure, so it should only be used if security is not a concern. For example:
++
+[options="nowrap",subs="+quotes"]
+----
+password: pass:mycertpassword
+----
diff --git a/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc b/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
index cf773e6..2b843a4 100644
--- a/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
+++ b/docs/books/modules/user-guide/connecting-using-mutual-ssl-tls-authentication.adoc
@@ -48,7 +48,7 @@ sslProfile {
certFile: /etc/qpid-dispatch-certs/tls.crt
privateKeyFile: /etc/qpid-dispatch-certs/tls.key
caCertFile: /etc/qpid-dispatch-certs/ca.crt
- password: file:/etc/qpid-dispatch-certs/
+ password: file:/etc/qpid-dispatch-certs/password.txt
...
}
----
@@ -60,7 +60,8 @@ sslProfile {
`privateKeyFile`:: The absolute path to the file containing the private key for this router's public certificate.
-`password`:: The password to unlock the certificate key. Not specified if certificate key has no password. The prefix file: is used to specify the absolute path of the file containing the password.
+//`password`
+include::{FragmentDir}/fragment-password-description.adoc[]
--
. Configure the `connector` for this connection to use the `sslProfile` that you created.
diff --git a/docs/books/modules/user-guide/connecting-using-username-password-authentication.adoc b/docs/books/modules/user-guide/connecting-using-username-password-authentication.adoc
index 2e31e05..4f2e168 100644
--- a/docs/books/modules/user-guide/connecting-using-username-password-authentication.adoc
+++ b/docs/books/modules/user-guide/connecting-using-username-password-authentication.adoc
@@ -41,7 +41,7 @@ include::{FragmentDir}/fragment-router-sasl-para.adoc[]
include::{FragmentDir}/fragment-router-open-config-file-step.adoc[]
-. Configure the `connector` for this connection to provide user name and password credentials to the external AMQP container. Note that the saslPassword used to attach to an external container uses the file: prefix to specify the absolute path of the file containing the the password. The file permissions need to be set on the file to prevent general access. Other prefixes like pass: or env: are also supported by generally unsafe.
+. Configure the `connector` for this connection to provide user name and password credentials to the external AMQP container.
+
--
[options="nowrap",subs="+quotes"]
@@ -55,4 +55,26 @@ connector {
saslPassword: file:/path/to/file/password.txt
}
----
+`saslPassword`:: The password to connect to the peer. By using different prefixes, you can specify the password several different ways depending on your security requirements:
++
+* Specify the absolute path to a file that contains the password. This is the most secure option, because you can set permissions on the file that contains the password. For example:
++
+[options="nowrap",subs="+quotes"]
+----
+password: file:/path/to/file/password.txt
+----
+
+* Specify an environment variable that stores the password. Use this option with caution, because the environment of other processes is visible on certain platforms. For example:
++
+[options="nowrap",subs="+quotes"]
+----
+password: env:PASSWORD
+----
+
+* Specify the password in clear text. This option is insecure, so it should only be used if security is not a concern. For example:
++
+[options="nowrap",subs="+quotes"]
+----
+password: pass:mypassword
+----
--
diff --git a/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc b/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
index ba32dec..8497089 100644
--- a/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
+++ b/docs/books/modules/user-guide/enabling-ssl-tls-encryption.adoc
@@ -60,7 +60,8 @@ sslProfile {
`privateKeyFile`:: The absolute path to the file containing the private key for this router's public certificate.
-`password`:: The password to unlock the certificate key. Not specified if certificate key has no password. The prefix file: is used to specify the absolute path of the file containing the password.
+//`password`
+include::{FragmentDir}/fragment-password-description.adoc[]
--
. Configure the `listener` for this connection to use SSL/TLS to encrypt the connection.
diff --git a/docs/books/modules/user-guide/securing-connections-between-routers.adoc b/docs/books/modules/user-guide/securing-connections-between-routers.adoc
index de14ed5..e3746d9 100644
--- a/docs/books/modules/user-guide/securing-connections-between-routers.adoc
+++ b/docs/books/modules/user-guide/securing-connections-between-routers.adoc
@@ -70,7 +70,8 @@ sslProfile {
`privateKeyFile`:: The absolute path to the file containing the private key for this router's public certificate.
-`password`:: The password to unlock the certificate key. Not specified if certificate key has no password. The prefix file: is used to specify the absolute path of the file containing the password.
+//`password`
+include::{FragmentDir}/fragment-password-description.adoc[]
--
.. Configure the inter-router `connector` for this connection to use the `sslProfile` that you created.
diff --git a/python/qpid_dispatch/management/qdrouter.json b/python/qpid_dispatch/management/qdrouter.json
index 2ee4c94..f631626 100644
--- a/python/qpid_dispatch/management/qdrouter.json
+++ b/python/qpid_dispatch/management/qdrouter.json
@@ -594,12 +594,12 @@
"type": "integer",
"description":"Number of deliveries that were sent to another router in the network.",
"graph": true
- },
+ },
"deliveriesIngressRouteContainer": {
"type": "integer",
"description":"Number of deliveries that were received from router container connections.",
"graph": true
- },
+ },
"deliveriesEgressRouteContainer": {
"type": "integer",
"description":"Number of deliveries that were sent to route container connections.",
@@ -616,7 +616,7 @@
"description": "The number of seconds since the router was started."
}
}
- },
+ },
"sslProfile": {
"description":"Attributes for setting TLS/SSL configuration for connections.",
"referential": true,
@@ -627,12 +627,12 @@
"type": "string",
"description": "Specifies the enabled ciphers so the SSL Ciphers can be hardened. In other words, use this field to disable weak ciphers. The ciphers are specified in the format understood by the OpenSSL library. For example, ciphers can be set to ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; -- The full list of allowed ciphers can be viewed using the openssl ciphers command",
"create": true
- },
+ },
"protocols": {
"type": "string",
"description": "The TLS protocols that this sslProfile can use. You can specify a list of one or more of TLSv1, TLSv1.1, or TLSv1.2. To specify multiple protocols, separate the protocols with a space. For example, to permit the sslProfile to use TLS v1.1 and TLS v1.2 only, you would set the value to TLSv1.1 TLSv1.2. If you do not specify a value, the sslProfile uses the TLS protocol specified by the system-wide configuration.",
"create": true
- },
+ },
"caCertFile": {
"type": "path",
"description": "The absolute path to the database that contains the public certificates of trusted certificate authorities (CA).",
@@ -661,7 +661,7 @@
},
"password": {
"type": "string",
- "description": "Password that unlocks the certificate key. Supports three prefixes namely - env:, file: pass:. Also supports the legacy literal: prefix. env:var obtains the password from the environment variable var. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution. file:absolutepath obtains the password from the absolute path of the file containing the password. This op [...]
+ "description": "The password that unlocks the certificate key. You can specify the password by specifying an environment variable that stores the password, a file that stores the password, or by entering the password in clear text. To use an environment variable, specify 'password: env:<var>'. Use this option with caution, because the environment of other processes is visible on certain platforms (for example, ps on certain Unix OSs). To use a file, specify 'password: [...]
"create": true
},
@@ -703,7 +703,7 @@
"default": "amqp",
"create": true
- },
+ },
"realm": {
"type": "string",
"description": "Value to set for hostname field on sasl-init",
@@ -1023,7 +1023,7 @@
"saslPassword": {
"type": "string",
"required": false,
- "description": "The password that the connector is using to connect to a peer. You can specify the password by specifying an environment variable that stores the password, a file that stores the password, or by entering the password in clear text. To use an environment variable, specify 'saslPassword: env:'. Use this option with caution, because the environment of other processes is visible on certain platforms (for example, ps on certain Unix OSs). To use a file, spe [...]
+ "description": "The password that the connector is using to connect to a peer. You can specify the password by specifying an environment variable that stores the password, a file that stores the password, or by entering the password in clear text. To use an environment variable, specify 'saslPassword: env:<var>'. Use this option with caution, because the environment of other processes is visible on certain platforms (for example, ps on certain Unix OSs). To use a file [...]
"create": true,
"hidden": true
},
@@ -1039,18 +1039,18 @@
"description": "A read-only, comma-separated list of failover urls. ",
"deprecationName": "failoverList",
"create": false
-
+
},
"connectionStatus": {
"type": "string",
"description": "A read-only status of the connection. Could be one of CONNECTING, SUCCESS, FAILED",
- "create": false
+ "create": false
},
"connectionMsg": {
"type": "string",
"description": "A read-only connection message. Contains the connection message",
- "create": false
- },
+ "create": false
+ },
"policyVhost": {
"type": "string",
"required": false,
@@ -1723,7 +1723,7 @@
},
"operStatus": {
"type": ["up", "closing"]
- },
+ },
"container": {
"description": "The container for this connection",
"type": "string"
@@ -2056,14 +2056,14 @@
"default": true,
"required": false,
"create": true
- },
+ },
"allowFallbackLinks": {
"type": "boolean",
"description": "Whether this connection is allowed to claim 'qd.fallback' capability for attached links. This allows endpoints to act as fallback destinations for addresses that have fallback capability enabled.",
"default": true,
"required": false,
"create": true
- },
+ },
"sources": {
"type": "string",
"description": "A list of source addresses from which users in this group may receive messages. To specify multiple addresses, separate the addresses with either a comma or a space. If you do not specify any addresses, users in this group are not allowed to receive messages from any addresses. You can use the substitution token '${user}' to specify an address that contains a user's authenticated user name. You can use an asterisk ('*') wildcard to match one or more ch [...]
@@ -2120,7 +2120,7 @@
"receiverDenied": {"type": "integer", "graph": true}
}
},
-
+
"dummy": {
"description": "Dummy entity for test purposes.",
"extends": "entity",
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org