[ https://issues.apache.org/jira/browse/QPID-2187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12874628#action_12874628 ]

Alan Conway commented on QPID-2187:
-----------------------------------

In revision 950608, fixed a remaining race condition that caused clients to exit 
with a "reserved bits not 0" exception.

> Allow clients to make secure/authenticated connections to a cluster.
> --------------------------------------------------------------------
>
>                 Key: QPID-2187
>                 URL: https://issues.apache.org/jira/browse/QPID-2187
>             Project: Qpid
>          Issue Type: Improvement
>         Environment: all
>            Reporter: Ken Giusti
>            Assignee: michael j. goulish
>         Attachments: 944158.diff
>
>
> The current implementation of clustering does not handle 
> authentication correctly.  From the trunk build:
> [kgiu...@localhost src]$ ./qpidd --auth yes --realm KGIUSTI.COM --log-enable 
> info+  --load-module ./.libs/cluster.so  --cluster-name ken
> 2009-11-02 10:30:58 info Loaded Module: ./.libs/cluster.so
> 2009-11-02 10:30:58 info Management enabled
> 2009-11-02 10:30:58 notice Initializing CPG
> 2009-11-02 10:30:58 notice cluster(127.0.0.1:14581 INIT) membership change: 
> 127.0.0.1:14581 (joined: 127.0.0.1:14581(joined) )
> 2009-11-02 10:30:58 info No message store configured, persistence is disabled.
> 2009-11-02 10:30:58 info SASL enabled
> 2009-11-02 10:30:58 notice Listening on TCP port 5672
> 2009-11-02 10:30:58 notice cluster(127.0.0.1:14581 INIT) joining cluster ken 
> with url=amqp:tcp:10.16.19.19:5672,tcp:10.16.14.69:5672,tcp:192.168.122.1:5672
> 2009-11-02 10:30:58 notice Broker running
> 2009-11-02 10:30:58 info cluster(127.0.0.1:14581 READY) member update: 
> 127.0.0.1:14581(member)
> 2009-11-02 10:30:58 notice cluster(127.0.0.1:14581 READY) first in cluster
> 2009-11-02 10:31:05 info SASL: Mechanism list: ANONYMOUS PLAIN DIGEST-MD5 
> LOGIN GSSAPI CRAM-MD5
> 2009-11-02 10:31:05 info cluster(127.0.0.1:14581 READY) new local connection 
> 127.0.0.1:14581-1
> 2009-11-02 10:31:05 info SASL: Starting authentication with mechanism: GSSAPI
> 2009-11-02 10:31:05 info SASL: Authentication succeeded for: 
> [email protected]
> 2009-11-02 10:31:05 error cluster(127.0.0.1:14581 READY) aborting connection 
> 127.0.0.1:14581-1: framing-error: Reserved bits not zero 
> (qpid/framing/AMQFrame.cpp:132)
> 2009-11-02 10:31:05 info cluster(127.0.0.1:14581 READY) connection closed 
> 127.0.0.1:14581-1
>     
> The above error occurs when running perftest against the cluster in the 
> following manner:
> [kgiu...@localhost tests]$ /usr/kerberos/bin/kinit [email protected]
> [kgiu...@localhost tests]$ ./perftest -b localhost.localdomain --mechanism 
> GSSAPI --username testuser --tx 1 --count 1 --summary --log-enable info+
> 2009-11-02 10:31:05 info Connecting to tcp:localhost.localdomain:5672
> 2009-11-02 10:31:05 info Installing security layer,  SSF: 56
> 2009-11-02 10:31:05 warning Connection closed
> Running the same test, but turning off clustering, authentication succeeds.
> Alan has determined that the problem is due to the way the clustered broker 
> constructs the codec chain.  The chain is built without the codec for a 
> secure connection.
> The correct solution would implement a mechanism that allows more generic 
> chaining of the codecs.  It should be possible to allow codecs to be built 
> that support both clustering and security/authentication.  
> In this case, the fix would secure the client/broker connection, and mirror 
> the unencrypted data across the cluster.   
> Does this make sense?  Opinions welcome.
>  

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]
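
The codec-chain problem described in the issue above, as an added C++ sketch that is not Qpid code: the class names, the XOR stand-in for the SASL security layer, and the simplified reserved-bit check are assumptions for illustration. It shows that a chain built without the security stage feeds protected bytes to the frame decoder (and to the cluster), while the full chain decodes cleanly and mirrors plaintext.

```cpp
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;

// One inbound stage: takes bytes from the previous stage, returns bytes for the next.
struct Codec {
    virtual ~Codec() = default;
    virtual Bytes decode(const Bytes& in) = 0;
};
// Toy stand-in for the negotiated SASL security layer (XOR, not real crypto).
struct ToySecurityLayer : Codec {
    uint8_t key;
    explicit ToySecurityLayer(uint8_t k) : key(k) {}
    Bytes decode(const Bytes& in) override {
        Bytes out(in);
        for (auto& b : out) b ^= key;
        return out;
    }
};
// Cluster stage: records the bytes that would be mirrored to other members.
struct ClusterMirror : Codec {
    std::vector<Bytes> mirrored;
    Bytes decode(const Bytes& in) override { mirrored.push_back(in); return in; }
};
// Frame stage: simplified header check (assumed: bits 0x30 of byte 0 are reserved).
struct FrameDecoder : Codec {
    Bytes decode(const Bytes& in) override {
        if (in.empty() || (in[0] & 0x30) != 0)
            throw std::runtime_error("framing-error: Reserved bits not zero");
        return in;
    }
};
// Push wire bytes through the stages in order; returns "ok" or the error text.
std::string run_chain(const std::vector<Codec*>& chain, Bytes wire) {
    try {
        for (Codec* c : chain) wire = c->decode(wire);
        return "ok";
    } catch (const std::exception& e) { return e.what(); }
}
// Constructed sample: a plaintext frame header and the same bytes as sent protected.
const Bytes kPlainFrame = {0x0f, 0x01, 0x00, 0x0c, 0, 0, 0, 0, 0, 0, 0, 0};
const Bytes kWireBytes = ToySecurityLayer(0x5a).decode(kPlainFrame);

int main() {
    ClusterMirror m1, m2; FrameDecoder f; ToySecurityLayer sec(0x5a);
    std::cout << "cluster only:     " << run_chain({&m1, &f}, kWireBytes) << "\n";
    std::cout << "security+cluster: " << run_chain({&sec, &m2, &f}, kWireBytes) << "\n";
}
```

Placing the security stage ahead of the cluster stage matches the fix proposed in the issue: the client/broker link stays protected and the cluster sees the unencrypted data.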