On Tue, 31 Jan 2012, Keith Wall (Commented) (JIRA) wrote:


   [ https://issues.apache.org/jira/browse/QPID-3175?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13197121#comment-13197121 ]

Keith Wall commented on QPID-3175:
----------------------------------

I think the change of the default SASL mechanism to ANONYMOUS broke the 
Python/Java build:

{code}
Error during test:  Traceback (most recent call last):
  File "/home/jenkins/jenkins-slave/workspace/Qpid-Python-Java-Test/trunk/qpid/python/qpid-python-test", line 340, in run
    phase()
  File "/home/jenkins/jenkins-slave/workspace/Qpid-Python-Java-Test/trunk/qpid/python/qpid/tests/messaging/endpoints.py", line 34, in testEstablish
    self.conn = Connection.establish(self.broker, **self.connection_options())
  File "/home/jenkins/jenkins-slave/workspace/Qpid-Python-Java-Test/trunk/qpid/python/qpid/messaging/endpoints.py", line 68, in establish
    conn.open()
  File "<string>", line 6, in open
  File "/home/jenkins/jenkins-slave/workspace/Qpid-Python-Java-Test/trunk/qpid/python/qpid/messaging/endpoints.py", line 255, in open
    self.attach()
  File "<string>", line 6, in attach
  File "/home/jenkins/jenkins-slave/workspace/Qpid-Python-Java-Test/trunk/qpid/python/qpid/messaging/endpoints.py", line 273, in attach
    self._ewait(lambda: self._transport_connected and not self._unlinked())
  File "/home/jenkins/jenkins-slave/workspace/Qpid-Python-Java-Test/trunk/qpid/python/qpid/messaging/endpoints.py", line 208, in _ewait
    self.check_error()
  File "/home/jenkins/jenkins-slave/workspace/Qpid-Python-Java-Test/trunk/qpid/python/qpid/messaging/endpoints.py", line 201, in check_error
    raise self.error
AuthenticationFailure: sasl negotiation failed: no mechanism agreed
{code}

See:

https://builds.apache.org/view/M-R/view/Qpid/job/Qpid-Python-Java-Test/lastCompletedBuild/testReport/

Whilst I think we could change the test harness configuration to pass through 
the sasl_mechanisms of PLAIN, I wonder why the decision to default has been 
made? I don't see how this contributes to SSL support.

The old code would default to PLAIN if username/password was supplied and PLAIN 
was supported by the Broker (sasl.py:89) which I think was a useful default 
regardless of Broker choice.

Any thoughts please?

You're right, this relates to ssl but doesn't contribute to it.

Taken as a question on its own, however, I think the default sasl mech lists ought to be the following:

  client    (anonymous)
  broker    (anonymous, digest-md5)
  -> negotiates to anonymous

The trouble with plain is that it offers no meaningful security when not used in concert with ssl. We've gone one worse and faked anonymous by introducing default 'guest' credentials. The straightforward, no-surprises way to do this is simply to use anonymous.

Digest-md5 does offer meaningful security and requires little integration with other systems. It therefore should serve as our primary option for credentialed access. In this case:

  client    explicitly sets (digest-md5), overriding default (anonymous)
  broker    (anonymous, digest-md5)
  -> negotiates to digest-md5

Importantly, by using anonymous we can create a separate privilege domain for operations such as wiring changes, etc. It also could reduce the number of steps an administrator must take to make the system secure. We can (eventually) make it as simple as "disable anonymous".

In summary, I think plain should be out of the *default* picture, for all clients and brokers.

Justin

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]
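
The negotiation outcomes discussed in this thread, as an added example that is not part of the original messages and is not code from the Qpid client or broker. The function name `negotiate`, the `transport` values and the exception class are assumptions made for illustration; the mechanism lists are the ones proposed above, plus one constructed broker list to show the "no mechanism agreed" failure.

```python
# Added illustration only; hypothetical names, not the Qpid sasl.py logic.

# Mechanisms that send the password unprotected on the wire.
CLEARTEXT = {"PLAIN"}

# Default lists as proposed in the thread.
DEFAULT_CLIENT = ["ANONYMOUS"]
DEFAULT_BROKER = ["ANONYMOUS", "DIGEST-MD5"]


class NoMechanismAgreed(Exception):
    """Raised when client and broker share no acceptable mechanism."""


def negotiate(client_mechs, broker_mechs, transport="tcp"):
    """Pick the first client-preferred mechanism the broker also offers.

    A cleartext mechanism is only accepted when transport == "ssl"
    (assumed transport label), so PLAIN never wins over an unencrypted link.
    """
    offered = {m.upper() for m in broker_mechs}
    for mech in (m.upper() for m in client_mechs):
        if mech not in offered:
            continue  # broker does not advertise it
        if mech in CLEARTEXT and transport != "ssl":
            continue  # refuse to expose the password in the clear
        return mech
    raise NoMechanismAgreed("sasl negotiation failed: no mechanism agreed")


def fails(client_mechs, broker_mechs, transport="tcp"):
    """Return True when negotiation ends with no agreed mechanism."""
    try:
        negotiate(client_mechs, broker_mechs, transport)
    except NoMechanismAgreed:
        return True
    return False


if __name__ == "__main__":
    print(negotiate(DEFAULT_CLIENT, DEFAULT_BROKER))      # default client
    print(negotiate(["DIGEST-MD5"], DEFAULT_BROKER))      # explicit override
    # Constructed broker list without ANONYMOUS: the default client cannot agree.
    print(fails(DEFAULT_CLIENT, ["PLAIN", "CRAM-MD5"]))
    # "Disable anonymous" on the broker: only credentialed clients get in.
    print(fails(DEFAULT_CLIENT, ["DIGEST-MD5"]))
```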
