On 02/25/2016 11:48 AM, Gordon Sim wrote:
On 25/02/16 17:23, Alexander N. Moibenko wrote:
On 02/25/2016 10:39 AM, Gordon Sim wrote:
Another workaround is simply to set the sasl_max_ssf to 0. That way
you still use kerberos for authentication, but don't encrypt the
messages.
Could you tell me where and how I set it.
I tried
sasl_max_ssf: 0
in /etc/sasl2/qpidd.conf to no effect.
You need to set it on the clients I'm afraid. It is a connection
option for qpid::messaging, so use
qpid::messaging::Connection::setOption().
I have been assuming you are using AMQP 0-10 here. If so, another
option might be to try using AMQP 1.0? (Specify connection option
'protocol' as 'amqp1.0'). I am merely speculating here, but certainly
it does not have the same protocol level limit and it is a different
codepath for fragmentation etc.
I am doing this using the Python interface.
Here is the simple test code:
import qpid.messaging
conn = qpid.messaging.Connection(host='dmsen05',
                                 port=5672,
                                 username=None,
                                 password=None,
                                 sasl_max_ssf=0,
                                 sasl_mechanisms=['GSSAPI'],
                                 reconnect=True,
                                 reconnect_interval=60,
                                 )
conn.open()
print "OPEN"
conn.close()
Here is what happens:
[enstore@dmsen05 messaging]$ python ct.py
Traceback (most recent call last):
  File "ct.py", line 12, in <module>
    conn.open()
  File "<string>", line 6, in open
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 256, in open
    self.attach()
  File "<string>", line 6, in attach
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 274, in attach
    self._ewait(lambda: self._transport_connected and not self._unlinked())
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 209, in _ewait
    self.check_error()
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/messaging/endpoints.py", line 202, in check_error
    raise self.error
qpid.messaging.exceptions.InternalError: Traceback (most recent call last):
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/messaging/driver.py", line 509, in dispatch
    self.connect()
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/messaging/driver.py", line 528, in connect
    self.engine = Engine(self.connection)
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/messaging/driver.py", line 615, in __init__
    self._sasl.setAttr("maxssf", self.connection.sasl_max_ssf)
  File "/opt/enstore/Python/lib/python2.7/site-packages/qpid/sasl.py", line 36, in setAttr
    raise SASLError(self._cli.getError())
SASLError: Error in setAttr (-1) Unknown string attribute name - maxssf
Looks like there is another bug, now in qpid/sasl.py. This file is part
of the rpm python-qpid-0.14-11.el6_3.noarch
If you can test whether
reducing that value fixes your issue, that would speed up resolution.
In any case, raise a JIRA for this and I'll try to have a look at it
asap.
reducing what value?
I meant the maxbufsize for cyrus sasl. Actually though, now I think
about it more, I'm not so sure this is the issue. It is the whole
frame that is encrypted, not just the payload, and in any case this
value is merely an indication of how much data to expect as input.
I am sorry, I do not know how to open JIRA.
Can you provide instructions?
Go to https://issues.apache.org/jira/browse/QPID/ and click the
'create' button, then fill in the form with as much detail as you can
and submit.
Thanks!
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------