[ https://issues.apache.org/jira/browse/ARTEMIS-1386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16153579#comment-16153579 ]

Gary Tully commented on ARTEMIS-1386:
-------------------------------------

I think there must be some other AMQP acceptor in the mix that supports
sasl-plain. The one on port 5672 will only advertise GSSAPI.

> With enabled kerberos auth, acceptor allows PLAIN auth sasl users in, even 
> when GSSAPI is the only defined sasl mechanism on transport
> --------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ARTEMIS-1386
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1386
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: AMQP, Broker
>    Affects Versions: 2.4.0
>         Environment: Artemis built from sources
> last git commit 098d69b63c81d9b2aa2c58c30d921d30472e57f8 (Sept 1)
>            Reporter: Michal Toth
>
> Enable all AMQP authentication & authorization to be performed by GSSAPI 
> (kerberos), so user can send and receive messages w/o problems using kerberos 
> credentials.
> Define broker amqp acceptor to accept only GSSAPI auth mechanism.
> {noformat}
> <acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
> {noformat}
> User authentication over the PLAIN sasl mechanism should not be allowed. Only
> Kerberized ones. This is not working actually.
> I am able to send/receive a message using plain over AMQP, with such defined 
> saslMechanisms as above. 
> login.config
> {noformat}
> activemq {
>  org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
>        debug=true;
>  org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
>        debug=true
>        reload=true
>        org.apache.activemq.jaas.properties.user="artemis-users.properties"
>        org.apache.activemq.jaas.properties.role="artemis-roles.properties";
> };
> mykerberos {
>     com.sun.security.auth.module.Krb5LoginModule required
>     isInitiator=false
>     storeKey=true
>     useKeyTab=true
>     keyTab="/opt/amqp-service.keytab"
>     principal="amqp/hostn...@my.realm.com"
>     debug=true;
> };
> {noformat}
> {noformat}
> users properties
> admin = ENC(1024:31461C31F100DA2D4363030BD70AB79BD1693552737AB4951B9B733770B60F40:B97C0DE92D4C0A17C2FE572E206A8F8806EFDFEBA456ED96AC1570E12E3F1BEC8314FA9744AC7EFD95DA939FACA2EA829CF3F46C96268F6B9140C74A2E1EE4D3)
> lala = lala
> ---
> roles.properties
> amq = admin,al...@mqe.redhat.com,lala
> readers = b...@mqe.redhat.com
> {noformat}



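One way to check the comment's hypothesis against a broker.xml, as an added example (not code from the issue or from the Artemis project): list every acceptor that can speak AMQP and would offer a SASL mechanism other than GSSAPI. The sample XML is constructed, its second acceptor is hypothetical, and two behaviours are assumed rather than taken from the page: an acceptor without saslMechanisms offers PLAIN and ANONYMOUS, and an acceptor without protocols accepts AMQP.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: mechanisms offered when saslMechanisms is not set on an acceptor.
ASSUMED_DEFAULT_MECHS = ("PLAIN", "ANONYMOUS")

# Constructed sample: the GSSAPI-only acceptor from the report (trimmed) plus a
# hypothetical second acceptor of the kind the comment suspects.
SAMPLE_BROKER_XML = """\
<configuration><core><acceptors>
  <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
  <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP</acceptor>
</acceptors></core></configuration>
"""

def acceptor_params(uri):
    """Return (port, params) for an acceptor URI; params are split on ';' or '&'."""
    parts = urlsplit(uri.strip())
    pairs = (p.partition("=") for p in re.split(r"[;&]", parts.query) if p)
    return parts.port, {k.strip().lower(): v.strip() for k, _, v in pairs}

def csv_set(value):
    """Upper-cased set of the non-empty items in a comma-separated value."""
    return {item.strip().upper() for item in value.split(",") if item.strip()}

def audit_acceptors(broker_xml, allowed=frozenset({"GSSAPI"})):
    """List (name, port, mechanisms) for AMQP-capable acceptors that would
    offer a SASL mechanism outside `allowed`."""
    findings = []
    for el in ET.fromstring(broker_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "acceptor":  # ignore XML namespaces
            continue
        port, params = acceptor_params(el.text or "")
        protocols = csv_set(params.get("protocols", ""))
        if protocols and "AMQP" not in protocols:
            continue  # this acceptor does not speak AMQP
        # Assumption: no protocols list means every protocol, AMQP included.
        offered = csv_set(params.get("saslmechanisms", "")) or set(ASSUMED_DEFAULT_MECHS)
        if offered - allowed:
            findings.append((el.get("name"), port, sorted(offered)))
    return findings

if __name__ == "__main__":
    for name, port, mechs in audit_acceptors(SAMPLE_BROKER_XML):
        print(f"acceptor {name!r} on port {port} offers {', '.join(mechs)}")
```

An empty result means every AMQP-capable acceptor in the file is limited to the allowed mechanisms; it says nothing about what the running broker actually advertises on the wire.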