Posted to dev@qpid.apache.org by "Alan Conway (Created) (JIRA)" <ji...@apache.org> on 2011/11/30 17:23:40 UTC
[jira] [Created] (QPID-3652) Cluster authentication ignores
cluster-* settings
Cluster authentication ignores cluster-* settings
-------------------------------------------------
Key: QPID-3652
URL: https://issues.apache.org/jira/browse/QPID-3652
Project: Qpid
Issue Type: Bug
Affects Versions: 0.12
Reporter: Alan Conway
Assignee: Alan Conway
Authentication of qpid nodes within a cluster does not follow parameters
cluster-mechanism, cluster-username and cluster-password in many cases.
For more details: https://bugzilla.redhat.com/show_bug.cgi?id=730017
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org
[jira] [Resolved] (QPID-3652) Cluster authentication ignores
cluster-* settings
Posted by "Alan Conway (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3652?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alan Conway resolved QPID-3652.
-------------------------------
Resolution: Fixed
Fixed on trunk
> Cluster authentication ignores cluster-* settings
> -------------------------------------------------
>
> Key: QPID-3652
> URL: https://issues.apache.org/jira/browse/QPID-3652
> Project: Qpid
> Issue Type: Bug
> Affects Versions: 0.12
> Reporter: Alan Conway
> Assignee: Alan Conway
>
> Authentication of qpid nodes within a cluster does not follow parameters
> cluster-mechanism, cluster-username and cluster-password in many cases.
> For more details: https://bugzilla.redhat.com/show_bug.cgi?id=730017
[jira] [Commented] (QPID-3652) Cluster authentication ignores
cluster-* settings
Posted by "jiraposter@reviews.apache.org (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13162939#comment-13162939 ]
jiraposter@reviews.apache.org commented on QPID-3652:
-----------------------------------------------------
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2988/#review3627
-----------------------------------------------------------
Ship it!
Seems ok to me...
/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h
<https://reviews.apache.org/r/2988/#comment8091>
The last sentence in this comment isn't entirely true... it will only compare the id against the username if the userid of the connection was in the default domain. Not a big issue, I just got confused when first reading this.
/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h
<https://reviews.apache.org/r/2988/#comment8092>
Does isDefaultRealm get initialised anywhere?
- Gordon
On 2011-12-01 21:09:19, Alan Conway wrote:
bq.
bq. -----------------------------------------------------------
bq. This is an automatically generated e-mail. To reply, visit:
bq. https://reviews.apache.org/r/2988/
bq. -----------------------------------------------------------
bq.
bq. (Updated 2011-12-01 21:09:19)
bq.
bq.
bq. Review request for qpid, Gordon Sim and Ted Ross.
bq.
bq.
bq. Summary
bq. -------
bq.
bq. QPID-3652: Fix cluster authentication.
bq.
bq. Only allow brokers that authenticate as the cluster-username to join a cluster.
bq.
bq. New broker first connects to a cluster broker, authenticates as the cluster-username
bq. and sends its CPG member ID to the qpid.cluster-credentials exchange.
bq. The cluster broker that subsequently acts as updater verifies that the credentials are
bq. valid before connecting to give the update.
bq.
bq. NOTE: If you are using an ACL, the cluster-username must be allowed to
bq. publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:
bq.
bq. acl allow foo@QPID publish exchange name=qpid.cluster-credentials
bq.
bq.
bq. This addresses bug QPID-3652.
bq. https://issues.apache.org/jira/browse/QPID-3652
bq.
bq.
bq. Diffs
bq. -----
bq.
bq. /trunk/qpid/cpp/rubygen/amqpgen.rb 1209052
bq. /trunk/qpid/cpp/src/Makefile.am 1209052
bq. /trunk/qpid/cpp/src/cluster.mk 1209052
bq. /trunk/qpid/cpp/src/qpid/UrlArray.h PRE-CREATION
bq. /trunk/qpid/cpp/src/qpid/UrlArray.cpp PRE-CREATION
bq. /trunk/qpid/cpp/src/qpid/broker/ConnectionState.h 1209052
bq. /trunk/qpid/cpp/src/qpid/broker/SemanticState.h 1209052
bq. /trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp 1209052
bq. /trunk/qpid/cpp/src/qpid/client/FailoverListener.cpp 1209052
bq. /trunk/qpid/cpp/src/qpid/cluster/Cluster.h 1209052
bq. /trunk/qpid/cpp/src/qpid/cluster/Cluster.cpp 1209052
bq. /trunk/qpid/cpp/src/qpid/cluster/CredentialsExchange.h PRE-CREATION
bq. /trunk/qpid/cpp/src/qpid/cluster/CredentialsExchange.cpp PRE-CREATION
bq. /trunk/qpid/cpp/src/qpid/cluster/FailoverExchange.cpp 1209052
bq. /trunk/qpid/cpp/src/qpid/cluster/InitialStatusMap.h 1209052
bq. /trunk/qpid/cpp/src/qpid/cluster/InitialStatusMap.cpp 1209052
bq. /trunk/qpid/cpp/src/tests/InitialStatusMap.cpp 1209052
bq. /trunk/qpid/cpp/src/tests/brokertest.py 1209052
bq. /trunk/qpid/cpp/src/tests/cluster_authentication_soak.cpp 1209052
bq. /trunk/qpid/cpp/src/tests/cluster_tests.py 1209052
bq. /trunk/qpid/cpp/xml/cluster.xml 1209052
bq.
bq. Diff: https://reviews.apache.org/r/2988/diff
bq.
bq.
bq. Testing
bq. -------
bq.
bq. 3 new tests in cluster_tests.py, tested by hand with ANONYMOUS, PLAIN and DIGEST-MD5 mechanisms.
bq.
bq.
bq. Thanks,
bq.
bq. Alan
bq.
bq.
[jira] [Commented] (QPID-3652) Cluster authentication ignores
cluster-* settings
Posted by "jiraposter@reviews.apache.org (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13163058#comment-13163058 ]
jiraposter@reviews.apache.org commented on QPID-3652:
-----------------------------------------------------
bq. On 2011-12-05 18:44:53, Gordon Sim wrote:
bq. > /trunk/qpid/cpp/src/qpid/broker/ConnectionState.h, line 88
bq. > <https://reviews.apache.org/r/2988/diff/1/?file=61523#file61523line88>
bq. >
bq. > The last sentence in this comment isn't entirely true... it will only compare the id against the username if the userid of the connection was in the default domain. Not a big issue, I just got confused when first reading this.
Updated to: * If id has the default realm will also compare plain username.
bq. On 2011-12-05 18:44:53, Gordon Sim wrote:
bq. > /trunk/qpid/cpp/src/qpid/broker/ConnectionState.h, line 133
bq. > <https://reviews.apache.org/r/2988/diff/1/?file=61523#file61523line133>
bq. >
bq. > Does isDefaultRealm get initialised anywhere?
It should be initialized in the ctor, will do that.
- Alan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2988/#review3627
-----------------------------------------------------------
[jira] [Commented] (QPID-3652) Cluster authentication ignores
cluster-* settings
Posted by "Alan Conway (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13161171#comment-13161171 ]
Alan Conway commented on QPID-3652:
-----------------------------------
Proposed fix up for review at https://reviews.apache.org/r/2988/
[jira] [Commented] (QPID-3652) Cluster authentication ignores
cluster-* settings
Posted by "jiraposter@reviews.apache.org (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/QPID-3652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13161169#comment-13161169 ]
jiraposter@reviews.apache.org commented on QPID-3652:
-----------------------------------------------------
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/2988/
-----------------------------------------------------------
Review request for qpid, Gordon Sim and Ted Ross.
Summary
-------
QPID-3652: Fix cluster authentication.
Only allow brokers that authenticate as the cluster-username to join a cluster.
New broker first connects to a cluster broker, authenticates as the cluster-username
and sends its CPG member ID to the qpid.cluster-credentials exchange.
The cluster broker that subsequently acts as updater verifies that the credentials are
valid before connecting to give the update.
NOTE: If you are using an ACL, the cluster-username must be allowed to
publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:
acl allow foo@QPID publish exchange name=qpid.cluster-credentials
This addresses bug QPID-3652.
https://issues.apache.org/jira/browse/QPID-3652
Diffs
-----
/trunk/qpid/cpp/rubygen/amqpgen.rb 1209052
/trunk/qpid/cpp/src/Makefile.am 1209052
/trunk/qpid/cpp/src/cluster.mk 1209052
/trunk/qpid/cpp/src/qpid/UrlArray.h PRE-CREATION
/trunk/qpid/cpp/src/qpid/UrlArray.cpp PRE-CREATION
/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h 1209052
/trunk/qpid/cpp/src/qpid/broker/SemanticState.h 1209052
/trunk/qpid/cpp/src/qpid/broker/SemanticState.cpp 1209052
/trunk/qpid/cpp/src/qpid/client/FailoverListener.cpp 1209052
/trunk/qpid/cpp/src/qpid/cluster/Cluster.h 1209052
/trunk/qpid/cpp/src/qpid/cluster/Cluster.cpp 1209052
/trunk/qpid/cpp/src/qpid/cluster/CredentialsExchange.h PRE-CREATION
/trunk/qpid/cpp/src/qpid/cluster/CredentialsExchange.cpp PRE-CREATION
/trunk/qpid/cpp/src/qpid/cluster/FailoverExchange.cpp 1209052
/trunk/qpid/cpp/src/qpid/cluster/InitialStatusMap.h 1209052
/trunk/qpid/cpp/src/qpid/cluster/InitialStatusMap.cpp 1209052
/trunk/qpid/cpp/src/tests/InitialStatusMap.cpp 1209052
/trunk/qpid/cpp/src/tests/brokertest.py 1209052
/trunk/qpid/cpp/src/tests/cluster_authentication_soak.cpp 1209052
/trunk/qpid/cpp/src/tests/cluster_tests.py 1209052
/trunk/qpid/cpp/xml/cluster.xml 1209052
Diff: https://reviews.apache.org/r/2988/diff
Testing
-------
3 new tests in cluster_tests.py, tested by hand with ANONYMOUS, PLAIN and DIGEST-MD5 mechanisms.
Thanks,
Alan
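Added example, not code from the review request or from Qpid: a small C++ model of the join check described in the summary above, together with the default-realm user-id comparison and the constructor initialisation raised in review. The class and function names, the realm "QPID" as default realm and the sample user ids are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <string>

// Hypothetical model of an authenticated connection (not Qpid's ConnectionState).
class AuthenticatedConnection {
    std::string userId, userName;
    bool isDefaultRealm;
  public:
    AuthenticatedConnection(const std::string& uid, const std::string& defaultRealm)
        : userId(uid), isDefaultRealm(false) {  // flag always set in the constructor
        std::string::size_type at = userId.find('@');
        userName = userId.substr(0, at);
        isDefaultRealm = at != std::string::npos && userId.substr(at + 1) == defaultRealm;
    }
    // The full id must match; the plain username is compared only when this
    // connection's own user id is in the default realm.
    bool isUser(const std::string& id) const {
        return id == userId || (isDefaultRealm && id == userName);
    }
};

// Hypothetical stand-in for the qpid.cluster-credentials exchange.
class CredentialsRegistry {
    std::string clusterUsername;
    std::set<std::uint64_t> accepted;  // member IDs published by the cluster user
  public:
    explicit CredentialsRegistry(const std::string& user) : clusterUsername(user) {}
    // Joining side: record the member ID only for the cluster-username.
    bool publish(const AuthenticatedConnection& conn, std::uint64_t memberId) {
        if (!conn.isUser(clusterUsername)) return false;
        accepted.insert(memberId);
        return true;
    }
    // Updater side: give the update only to a member that presented credentials.
    bool mayUpdate(std::uint64_t memberId) const { return accepted.count(memberId) != 0; }
};

int main() {
    CredentialsRegistry reg("foo");  // constructed cluster-username
    const char* ids[] = {"foo@QPID", "foo@OTHER", "bar@QPID"};  // constructed user ids
    for (std::uint64_t m = 0; m < 3; ++m) {
        reg.publish(AuthenticatedConnection(ids[m], "QPID"), m + 1);
        std::cout << ids[m] << " -> member " << m + 1
                  << (reg.mayUpdate(m + 1) ? " updated" : " refused") << "\n";
    }
    return 0;
}
```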