[ 
https://issues.apache.org/jira/browse/DISPATCH-224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15546074#comment-15546074
 ] 

ASF subversion and git services commented on DISPATCH-224:
----------------------------------------------------------

Commit 1d34face7e986df206fc8958f7177199c9282850 in qpid-dispatch's branch 
refs/heads/master from [[email protected]]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-dispatch.git;h=1d34fac ]

DISPATCH-224 - Restrict the SASL mechanisms to ANONYMOUS when authenticatePeer 
is off.  This is a workaround for an apparent Proton bug.


> Tools fail with no useful error in some SASL configurations
> -----------------------------------------------------------
>
>                 Key: DISPATCH-224
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-224
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 0.5
>            Reporter: Alan Conway
>            Assignee: Ted Ross
>            Priority: Critical
>             Fix For: 0.7.0
>
>
> (Downgraded to a doc issue, but still a serious one. See [#comment-15323200])
> A simple test of a default install of dispatch in /usr/local does not work:
> {code}
> $ make install
> $ qdrouterd&
> $ qdstat -g
> ConnectionException: Connection amqp://0.0.0.0:amqp/$management disconnected
> {code}
> The exception gives no hint why we were disconnected, and the router log file 
> has no entries at all regarding the disconnection. The actual cause is a SASL 
> rejection due to invalid configuration. There are several issues that need 
> fixing:
> - The router log should show an error if SASL can't find/parse its config file.
> - The router log should show an error if a connection is rejected for 
> security reasons.
> - The client exception should indicate that the disconnect was caused by a 
> security problem.
> - The router should look for SASL configuration under its install prefix 
> since that is where it is installed.
> - The default router configuration needs to be updated to either be 
> functional or clearly NON functional.
> Question is what should the default configuration allow? IMO it should at 
> least allow you to use the tools shipped with qdrouterd to verify that it is 
> running and working.
> The alternative is don't ship a default config at all. In that case the 
> router should fail to start at all with a clear message "you must configure 
> me first, see $prefix/share/doc/qdrouter/config-examples." We can provide a 
> sample "qdrouterd-insecure.conf" to get developers started quickly without 
> forcing them to learn SASL first. We can add other example configs for 
> different scenarios as we go.


