[
https://issues.apache.org/jira/browse/QPID-6491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14575720#comment-14575720
]
Pavel Moravec edited comment on QPID-6491 at 6/6/15 1:38 PM:
-------------------------------------------------------------
I realized the patch is wrong:
self.broker.saslUser is not the username and self.broker.authUser is not its
password.
I.e. the commit should be:
{quote}
< url = BrokerURL(host=link.host, port=link.port,
user=self.broker.saslUser, password=self.broker.authUser)
---
> url = BrokerURL(host=link.host, port=link.port,
> user=self.broker.authUser, password=self.broker.authPass)
{quote}
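Review bot: on the replacement line, password=self.broker.authPass is placed in the same BrokerURL that appears to be printed in the "Finding Linked Brokers" output as user/password@host:port, so correcting the field names puts the real password on the terminal. Build the progress line from link.host and link.port only and keep the credentials for the connection itself. The call also shows no SASL mechanism argument, which the issue description asks to be forwarded; worth confirming that it is passed where the connection is opened.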
(in my defense, it can be spotted only when using credentials with
username!=password).
Further, is printing credentials desired or rather disturbing? I.e. should
the output be:
{quote}
Finding Linked Brokers:
company_B/password_B@localhost:6001... Ok
company_B/password_B@localhost:6002... Ok
company_B/password_B@localhost:6003... Ok
{quote}
(that's current), or rather just:
{quote}
Finding Linked Brokers:
localhost:6001... Ok
localhost:6002... Ok
localhost:6003... Ok
{quote}
? I would vote for the second (without credentials), as 1) it's shorter and the
user knows the credentials, 2) it can be shared with others without a potential
credentials leak.
Any objections if I remove the credentials in the commit fixing the
user/pass?
> qpid-route map does not use any authentication when querying other brokers
> --------------------------------------------------------------------------
>
> Key: QPID-6491
> URL: https://issues.apache.org/jira/browse/QPID-6491
> Project: Qpid
> Issue Type: Bug
> Components: Python Tools
> Affects Versions: 0.30
> Reporter: Pavel Moravec
> Assignee: Pavel Moravec
> Priority: Minor
> Fix For: 0.33
>
> Attachments: QPID-6491.patch
>
>
> "qpid-route route map" during generating the federation topology connects to
> each and every broker in the federation to query its federation peers. All
> such connections (except for the very first broker) are made as anonymous
> user only.
> It is requested the tool passes username, password and optionally also
> --client-sasl-mechanism parameter to all other brokers as well.
> (another option to this would be the tool gets the credentials info from the
> broker, but currently QMF response to links does not contain such info. This
> option would need much more code change also on broker side)