[jira] [Commented] (PROTON-1008) Using a blank mech_list disables authentication
[ https://issues.apache.org/jira/browse/PROTON-1008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14943163#comment-14943163 ]

ASF subversion and git services commented on PROTON-1008:
---------------------------------------------------------

Commit 2789615a1acee688ebcee580ff755d7d694873df in qpid-proton's branch refs/heads/master from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=2789615 ]

PROTON-1008: Updated README and added simple sasl config file

> Using a blank mech_list disables authentication
> -----------------------------------------------
>
>                 Key: PROTON-1008
>                 URL: https://issues.apache.org/jira/browse/PROTON-1008
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: python-binding
>    Affects Versions: 0.11
>            Reporter: Ted Ross
>            Assignee: Gordon Sim
>             Fix For: 0.11
>
>
> This bug was introduced in commit
> https://github.com/apache/qpid-proton/commit/14956b07edc3de93f67179c753bbedcd9eba51a6
> If the client leaves allowed_mechs as None, the SASL protocol is not even
> executed. I claim that allowed_mechs is used to restrict the set of
> acceptable mechanisms. If it is None, then all available mechanisms may be
> used.
> This bug causes a failure in the Qpid Dispatch test suite
> (system_tests_qdstat). The failure is when the server requires
> authentication and will accept EXTERNAL and the client has a valid
> client-certificate but doesn't use the sasl protocol because qdstat doesn't
> (and can't) set the allowed_mechs.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (PROTON-1008) Using a blank mech_list disables authentication
[ https://issues.apache.org/jira/browse/PROTON-1008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14941571#comment-14941571 ]

ASF subversion and git services commented on PROTON-1008:
---------------------------------------------------------

Commit baaf74ab7ab4ff699cbde374db1fdc2006eede0a in qpid-proton's branch refs/heads/master from [~gsim]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=baaf74a ]

PROTON-1008: add toggle for sasl layer
[jira] [Commented] (PROTON-1008) Using a blank mech_list disables authentication
[ https://issues.apache.org/jira/browse/PROTON-1008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935975#comment-14935975 ]

Gordon Sim commented on PROTON-1008:
------------------------------------

Proposal above available in patch form here: https://reviews.apache.org/r/38863/
[jira] [Commented] (PROTON-1008) Using a blank mech_list disables authentication
[ https://issues.apache.org/jira/browse/PROTON-1008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935246#comment-14935246 ]

Gordon Sim commented on PROTON-1008:
------------------------------------

> Is it ever sensible to not use SASL?

The protocol is certainly designed to allow it to be optional. If you are using SSL then the SASL layer doesn't really add anything. However the main reason for the change was to get back to the behaviour pre 0.10, that I inadvertently broke by exposing the allowed mechanisms option.

> As it stands, I don't know how to turn SASL on.

Agreed, and this is I think the actual issue. We need a way to easily control whether sasl is used or not.

> There may be existing mechanisms available (EXTERNAL, GSSAPI), but I don't have a username to supply and I don't necessarily know which mechanisms to put in the allowed_mechs list.

Agreed again, and for this reason I think the allowed_mechs property is not the ideal way of turning sasl on. (And so I think the change mentioned in the bug description is actually correct).

Proposal: What if we add a new container level option (perhaps also with per-connection override) for controlling whether or not sasl is to be used. We can set that to True by default (though that would be a slight change in behaviour from pre 0.10, the 0.10 release actually has sasl forced on always, so this is an improvement).
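The proposal above, set beside the behaviour the bug report describes, as an added example (not code from the thread or from qpid-proton). It is a stand-alone model: every function name, the outcome strings and the mechanism list are assumptions made for illustration.

```python
# Added illustration of the thread's two policies. Every name here is
# hypothetical; this is a stand-alone model, not the qpid-proton API.
from typing import Optional, Sequence

# Constructed sample: mechanisms the client library could use.
CLIENT_AVAILABLE = ("EXTERNAL", "GSSAPI", "ANONYMOUS")


def sasl_layer_reported(allowed_mechs: Optional[Sequence[str]]) -> bool:
    """Behaviour described in the bug report: no mechanism list, no SASL."""
    return allowed_mechs is not None


def sasl_layer_proposed(container_default: bool = True,
                        connection_override: Optional[bool] = None) -> bool:
    """Proposal: explicit toggle, on by default, overridable per connection."""
    if connection_override is not None:
        return connection_override
    return container_default


def usable_mechs(allowed_mechs: Optional[Sequence[str]]) -> list:
    """allowed_mechs only restricts; None leaves all available mechanisms."""
    if allowed_mechs is None:
        return list(CLIENT_AVAILABLE)
    return [m for m in CLIENT_AVAILABLE if m in allowed_mechs]


def connect(use_sasl: bool, allowed_mechs: Optional[Sequence[str]],
            server_mechs: Sequence[str], server_requires_auth: bool) -> str:
    """Outcome of one connection attempt in this model."""
    if not use_sasl:
        if server_requires_auth:
            return "rejected: client sent no SASL layer"
        return "connected without authentication"
    for mech in server_mechs:  # server preference order
        if mech in usable_mechs(allowed_mechs):
            return "authenticated: " + mech
    return "rejected: no common mechanism"


def qdstat_case(policy: str) -> str:
    """The qdstat scenario: server requires auth and accepts EXTERNAL,
    client has a certificate and leaves allowed_mechs unset (None)."""
    use_sasl = (sasl_layer_reported(None) if policy == "reported"
                else sasl_layer_proposed())
    return connect(use_sasl, None, ["EXTERNAL"], server_requires_auth=True)
```

Keeping the on/off decision separate from the mechanism restriction means a client that sets nothing still negotiates SASL, and turning the layer off becomes an explicit choice.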
[jira] [Commented] (PROTON-1008) Using a blank mech_list disables authentication
[ https://issues.apache.org/jira/browse/PROTON-1008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935189#comment-14935189 ]

Ted Ross commented on PROTON-1008:
----------------------------------

Is it ever sensible to not use SASL? Are there AMQP servers that don't support SASL?

As it stands, I don't know how to turn SASL _on_. There may be existing mechanisms available (EXTERNAL, GSSAPI), but I don't have a username to supply and I don't necessarily know which mechanisms to put in the allowed_mechs list.
[jira] [Commented] (PROTON-1008) Using a blank mech_list disables authentication
[ https://issues.apache.org/jira/browse/PROTON-1008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935164#comment-14935164 ]

Gordon Sim commented on PROTON-1008:
------------------------------------

The commit referenced above was made to revert to pre 0.10 behaviour, where a SASL layer was not used unless a username was specified (even if that was 'anonymous'). All it does is avoid making a call to pn_sasl_allowed_mechs if no mechanisms have been specified. I believe that is actually sensible behaviour.

There does need to be a way to avoid using SASL, though whether it needs to be off unless requested as it was prior to the 0.10 release is certainly debatable.