Posted to dev@qpid.apache.org by "Pavel Moravec (JIRA)" <ji...@apache.org> on 2015/06/06 15:39:00 UTC

[jira] [Comment Edited] (QPID-6491) qpid-route map does not use any authentication when querying other brokers

    [ https://issues.apache.org/jira/browse/QPID-6491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14575720#comment-14575720 ] 

Pavel Moravec edited comment on QPID-6491 at 6/6/15 1:38 PM:
-------------------------------------------------------------

I realized the patch is wrong:

self.broker.saslUser is not the username and self.broker.authUser is not its password.

I.e. the commit should be:

{quote}
<                 url = BrokerURL(host=link.host, port=link.port, user=self.broker.saslUser, password=self.broker.authUser)
---
>                 url = BrokerURL(host=link.host, port=link.port, user=self.broker.authUser, password=self.broker.authPass)
{quote}
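
Review bot: on the replacement line, self.broker.authPass goes into the BrokerURL, and the "Finding Linked Brokers" listing quoted further down prints each broker as user/password@host:port, so the progress line should be built from link.host and link.port only, not from the URL that now carries the password. The same line passes no SASL mechanism, which the issue description asks for together with username and password; worth confirming it is handed to the connection elsewhere in the patch.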

(in my defense, it can be spotted only when using credentials with username != password).


Further, is printing credentials desired or rather disturbing? I.e. should the output be:

{quote}
Finding Linked Brokers:
    company_B/password_B@localhost:6001... Ok
    company_B/password_B@localhost:6002... Ok
    company_B/password_B@localhost:6003... Ok
{quote}

(that's current), or rather just:

{quote}
Finding Linked Brokers:
    localhost:6001... Ok
    localhost:6002... Ok
    localhost:6003... Ok
{quote}

? I would vote for the second (without credentials), as 1) it's shorter and the user knows the credentials, 2) it can be shared with others without potential credentials leak.

Any objections if I remove the credentials in the commit fixing the user/pass?



> qpid-route map does not use any authentication when querying other brokers
> --------------------------------------------------------------------------
>
>                 Key: QPID-6491
>                 URL: https://issues.apache.org/jira/browse/QPID-6491
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Tools
>    Affects Versions: 0.30
>            Reporter: Pavel Moravec
>            Assignee: Pavel Moravec
>            Priority: Minor
>             Fix For: 0.33
>
>         Attachments: QPID-6491.patch
>
>
> "qpid-route route map", while generating the federation topology, connects to each and every broker in the federation to query its federation peers. All such connections (except for the very first broker) are made as anonymous user only.
> It is requested the tool passes username, password and optionally also --client-sasl-mechanism parameter to all other brokers as well.
> (another option to this would be the tool gets the credentials info from the broker, but currently QMF response to links does not contain such info. This option would need much more code change also on broker side)
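
A sketch of the second output form discussed in the comment above, as an added example that is not part of the original message and not qpid-route's own code: it derives the printed address from a broker URL string and drops the credentials. The URL grammar in the regex, the function names, the "Failed" status wording and the sample URLs are assumptions constructed for illustration.

```python
import re

# Assumed grammar, not copied from qpid: [scheme://][user[/password]@]host[:port]
# The host may be a bracketed IPv6 literal; the password may contain '@' or '/'.
_BROKER_URL = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?:(?P<user>[^/@]*)(?:/(?P<password>.*))?@)?"
    r"(?P<host>\[[^\]]+\]|[^:@/\[\]]+)"
    r"(?::(?P<port>\d+))?$"
)

UNPARSEABLE = "<unparseable broker address>"


def display_address(url, show_user=False):
    """Return host[:port] for printing; the password is never included."""
    m = _BROKER_URL.match(url.strip())
    if m is None:
        # Do not echo the raw string: it may still hold credentials.
        return UNPARSEABLE
    addr = m.group("host")
    if m.group("port"):
        addr += ":" + m.group("port")
    if show_user and m.group("user"):
        addr = m.group("user") + "@" + addr
    return addr


def format_link_report(results):
    """Render (url, reachable) pairs in the layout of the listing above."""
    lines = ["Finding Linked Brokers:"]
    for url, reachable in results:
        # "Failed" is an assumed wording for the unreachable case.
        status = "Ok" if reachable else "Failed"
        lines.append("    %s... %s" % (display_address(url), status))
    return "\n".join(lines)


# Constructed sample input, modelled on the listing in the comment.
SAMPLE = [
    ("company_B/password_B@localhost:6001", True),
    ("amqps://company_B/p@ss/word@[::1]:6002", True),
    ("company_B/password_B@localhost:notaport", False),
]

if __name__ == "__main__":
    print(format_link_report(SAMPLE))
```

An address that does not parse is replaced by a fixed placeholder rather than printed raw, so a malformed URL cannot put the password back into shared output.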


