Posted to users@qpid.apache.org by potato <bo...@gmail.com> on 2020/06/19 00:45:59 UTC

Qpid Dispatch Router With RabbitMQ and SASL

Hi,
I'm attempting to use AMQ Interconnect Router which I believe is based on
Qpid Dispatch Router in an Openshift cluster to connect to RabbitMQ. 
I'm having an issue with SASL auth when a handshake is attempted. Through
config I'm sending just "username and password" but on the RabbitMQ end I'm
seeing "username username password". RabbitMQ appears not to support this
and immediately closes the connection. 
From what I can determine by googling, the dispatch router is sending both
an authcid and an authzid despite the fact that in my case the value will be
the same for both. 

Am I likely to be doing something incredibly stupid? Is it possible to
prevent sending the authzid so that RabbitMQ doesn't have an issue or is
having an identical authcid and authzid an expected thing?

Any assistance greatly appreciated.
Thanks
David.






--
Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Robbie Gemmell <ro...@gmail.com>.
On Mon, 22 Jun 2020 at 17:48, Andrew Stitcher <as...@apache.org> wrote:
>
> On Fri, 2020-06-19 at 22:17 +0100, Gordon Sim wrote:
> > On 19/06/2020 9:40 pm, Andrew Stitcher wrote:
> > > On Fri, 2020-06-19 at 13:59 +0100, Gordon Sim wrote:
> > > > ...
> > > >
> > > > Looks like it changed back for cyrus-sasl anyway:
> > > > https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123
> > >
> > > I don't exactly see where in that change any behaviour change
> > > happened
> > > - could you point it out (I know it was my change, but it was a
> > > long
> > > time ago!).
> >
> > Lines 123-125 in the diff:
> >
> > https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123-L125
> >
> > It removes the handling for case SASL_CB_USER.
>
> Ah!
>
> I can't see any good reason why I reverted that earlier compatibility
> change. The default (non-cyrus) SASL implementation still doesn't send
> authzid at all, so it would make more sense for the cyrus impl to act
> the same way, certainly until we actually have some way/use for setting
> the authzid itself.
>
> Probably best to raise a new JIRA to note the regression from the
> earlier change - it's amazing it took so long to notice!
>

Raised: https://issues.apache.org/jira/browse/PROTON-2243



Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Gordon Sim <gs...@redhat.com>.
On 22/06/2020 5:48 pm, Andrew Stitcher wrote:
> I'd also note that raising a bug against RabbitMQ would be in order too
> as it shouldn't die if it receives an authzid equal to the authcid in
> any case.

There already is one: https://github.com/rabbitmq/rabbitmq-amqp1.0/issues/95




Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Andrew Stitcher <as...@apache.org>.
On Fri, 2020-06-19 at 22:17 +0100, Gordon Sim wrote:
> On 19/06/2020 9:40 pm, Andrew Stitcher wrote:
> > On Fri, 2020-06-19 at 13:59 +0100, Gordon Sim wrote:
> > > ...
> > > 
> > > Looks like it changed back for cyrus-sasl anyway:
> > > https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123
> > 
> > I don't exactly see where in that change any behaviour change
> > happened
> > - could you point it out (I know it was my change, but it was a
> > long
> > time ago!).
> 
> Lines 123-125 in the diff:
> 
> https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123-L125
> 
> It removes the handling for case SASL_CB_USER.

Ah!

I can't see any good reason why I reverted that earlier compatibility
change. The default (non-cyrus) SASL implementation still doesn't send
authzid at all, so it would make more sense for the cyrus impl to act
the same way, certainly until we actually have some way/use for setting
the authzid itself.

Probably best to raise a new JIRA to note the regression from the
earlier change - it's amazing it took so long to notice!

I'd also note that raising a bug against RabbitMQ would be in order too
as it shouldn't die if it receives an authzid equal to the authcid in
any case.

Andrew
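
Added example (not part of the original thread, and not proton-c or RabbitMQ code): the SASL PLAIN initial response laid out as in RFC 4616, showing the two client encodings discussed in this thread and a server-side parse that treats an authzid equal to the authcid the same as an omitted one. The function names, the may_act_as hook and the sample credentials are constructed for illustration.

```python
import hmac

NUL = b"\x00"
USERS = {"guest": "guest-pw"}  # constructed sample credentials

class PlainError(ValueError):
    """Malformed or unauthorized SASL PLAIN response."""

def encode_plain(authcid, passwd, authzid=""):
    """Client side: message = [authzid] NUL authcid NUL passwd."""
    return NUL.join(s.encode("utf-8") for s in (authzid, authcid, passwd))

def parse_plain(message):
    """Server side: split the response into (authzid, authcid, passwd)."""
    parts = message.split(NUL)
    if len(parts) != 3:
        raise PlainError("expected exactly two NUL separators")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError as exc:
        raise PlainError("fields must be valid UTF-8") from exc
    if not authcid or not passwd:
        raise PlainError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd

def check_password(authcid, passwd):
    """Constant-time compare against the constructed USERS table."""
    expected = USERS.get(authcid)
    return expected is not None and hmac.compare_digest(
        expected.encode(), passwd.encode())

def authorize(message, may_act_as=None):
    """Return the identity the session runs as, or raise PlainError."""
    authzid, authcid, passwd = parse_plain(message)
    if not check_password(authcid, passwd):
        raise PlainError("bad credentials")
    # An omitted authzid and one equal to the authcid mean the same thing:
    # the client asks to act as itself.
    if authzid in ("", authcid):
        return authcid
    # Acting as a different identity needs an explicit proxy permission.
    if may_act_as is not None and may_act_as(authcid, authzid):
        return authzid
    raise PlainError("authcid may not act as the requested authzid")
```

The second encoding, with the authzid filled in, is the "username username password" form described in the original post.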





Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Gordon Sim <gs...@redhat.com>.
On 19/06/2020 9:40 pm, Andrew Stitcher wrote:
> On Fri, 2020-06-19 at 13:59 +0100, Gordon Sim wrote:
>> ...
>>
>> Looks like it changed back for cyrus-sasl anyway:
>> https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123
> 
> I don't exactly see where in that change any behaviour change happened
> - could you point it out (I know it was my change, but it was a long
> time ago!).

Lines 123-125 in the diff:

https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123-L125

It removes the handling for case SASL_CB_USER.




Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Andrew Stitcher <as...@apache.org>.
On Fri, 2020-06-19 at 13:59 +0100, Gordon Sim wrote:
> ...
> 
> Looks like it changed back for cyrus-sasl anyway: 
> https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123

I don't exactly see where in that change any behaviour change happened
- could you point it out (I know it was my change, but it was a long
time ago!).

As far as I remember that change was purely intended to unify the code
for the built in and cyrus sasl implementations.

Andrew





Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Gordon Sim <gs...@redhat.com>.
On 19/06/2020 11:50 am, Robbie Gemmell wrote:
> On Fri, 19 Jun 2020 at 10:04, Gordon Sim <gs...@redhat.com> wrote:
>>
>> On 19/06/2020 1:45 am, potato wrote:
>>> Hi,
>>> I'm attempting to use AMQ Interconnect Router which I believe is based on
>>> Qpid Dispatch Router in an Openshift cluster to connect to RabbitMQ.
>>> I'm having an issue with SASL auth when a handshake is attempted. Through
>>> config I'm sending just "username and password" but on the RabbitMQ end I'm
>>> seeing "username username password". RabbitMQ appears not to support this
>>> and immediately closes the connection.
>>>   From what I can determine by googling, the dispatch router is sending both
>>> an authcid and an authzid despite the fact that in my case the value will be
>>> the same for both.
>>>
>>> Am I likely to be doing something incredibly stupid? Is it possible to
>>> prevent sending the authzid so that RabbitMQ doesn't have an issue or is
>>> having an identical authcid and authzid an expected thing?
>>
>> This is how the underlying proton-c sasl support works. I don't believe
>> there is any way to avoid that purely through config I'm afraid (short of
>> choosing a different authentication mechanism).
>>
> 
> This came up before in other contexts a while ago in
> https://issues.apache.org/jira/browse/PROTON-1055 and a change was
> made to proton-c to stop it sending that either when using the newer
> cyrus-sasl based sasl impl, or the basic fallback sasl impl. Did it
> change again in one or both impls?

Looks like it changed back for cyrus-sasl anyway: 
https://github.com/apache/qpid-proton/commit/885d68aeaf522021a35b7b5cecb7c7c53663929b#diff-47e0b33a5461eff21e6cbbd017a969edL123




Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Robbie Gemmell <ro...@gmail.com>.
On Fri, 19 Jun 2020 at 10:04, Gordon Sim <gs...@redhat.com> wrote:
>
> On 19/06/2020 1:45 am, potato wrote:
> > Hi,
> > I'm attempting to use AMQ Interconnect Router which I believe is based on
> > Qpid Dispatch Router in an Openshift cluster to connect to RabbitMQ.
> > I'm having an issue with SASL auth when a handshake is attempted. Through
> > config I'm sending just "username and password" but on the RabbitMQ end I'm
> > seeing "username username password". RabbitMQ appears not to support this
> > and immediately closes the connection.
> >  From what I can determine by googling, the dispatch router is sending both
> > an authcid and an authzid despite the fact that in my case the value will be
> > the same for both.
> >
> > Am I likely to be doing something incredibly stupid? Is it possible to
> > prevent sending the authzid so that RabbitMQ doesn't have an issue or is
> > having an identical authcid and authzid an expected thing?
>
> This is how the underlying proton-c sasl support works. I don't believe
> there is any way to avoid that purely through config I'm afraid (short of
> choosing a different authentication mechanism).
>

This came up before in other contexts a while ago in
https://issues.apache.org/jira/browse/PROTON-1055 and a change was
made to proton-c to stop it sending that either when using the newer
cyrus-sasl based sasl impl, or the basic fallback sasl impl. Did it
change again in one or both impls?



Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Gordon Sim <gs...@redhat.com>.
On 19/06/2020 1:45 am, potato wrote:
> Hi,
> I'm attempting to use AMQ Interconnect Router which I believe is based on
> Qpid Dispatch Router in an Openshift cluster to connect to RabbitMQ.
> I'm having an issue with SASL auth when a handshake is attempted. Through
> config I'm sending just "username and password" but on the RabbitMQ end I'm
> seeing "username username password". RabbitMQ appears not to support this
> and immediately closes the connection.
>  From what I can determine by googling, the dispatch router is sending both
> an authcid and an authzid despite the fact that in my case the value will be
> the same for both.
> 
> Am I likely to be doing something incredibly stupid? Is it possible to
> prevent sending the authzid so that RabbitMQ doesn't have an issue or is
> having an identical authcid and authzid an expected thing?

This is how the underlying proton-c sasl support works. I don't believe 
there is any way to avoid that purely through config I'm afraid (short of
choosing a different authentication mechanism).




Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by potato <bo...@gmail.com>.
Yes, I believe this is using PLAIN SASL auth with the cyrus sasl
implementation. All through the magic of the AMQ Interconnect config.

Would it be a proper pain to get a change made to send only the authcid and
password? I'd be extremely grateful. I'm happy to raise an issue if that
helps, not that I know where I should do that.

Thanks

David.     







Re: Qpid Dispatch Router With RabbitMQ and SASL

Posted by Andrew Stitcher <as...@apache.org>.
Can you just confirm that you are using PLAIN SASL auth - I'd guess that
you will be using the cyrus sasl implementation, but if you can confirm
that too it would help a little.

Andrew

On Thu, 2020-06-18 at 17:45 -0700, potato wrote:
> Hi,
> I'm attempting to use AMQ Interconnect Router which I believe is based
> on
> Qpid Dispatch Router in an Openshift cluster to connect to RabbitMQ. 
> I'm having an issue with SASL auth when a handshake is attempted.
> Through
> config I'm sending just "username and password" but on the RabbitMQ
> end I'm
> seeing "username username password". RabbitMQ appears not to support
> this
> and immediately closes the connection. 
> From what I can determine by googling, the dispatch router is sending
> both
> an authcid and an authzid despite the fact that in my case the value
> will be
> the same for both. 
> 
> Am I likely to be doing something incredibly stupid? Is it possible
> to
> prevent sending the authzid so that RabbitMQ doesn't have an issue or
> is
> having an identical authcid and authzid an expected thing?
> 
> Any assistance greatly appreciated.
> Thanks
> David.

