Re: [Qpid Proton] How mandatory is Cyrus for SASL
- Original Message -
> From: "Ganesh Murthy" <gmur...@redhat.com>
> To: users@qpid.apache.org
> Sent: Friday, March 10, 2017 3:18:04 PM
> Subject: Re: [Qpid Proton] How mandatory is Cyrus for SASL
>
> - Original Message -
> > From: "Alan Conway" <acon...@redhat.com>
> > To: users@qpid.apache.org
> > Sent: Tuesday, February 7, 2017 2:56:20 PM
> > Subject: Re: [Qpid Proton] How mandatory is Cyrus for SASL
> >
> > On Tue, 2017-02-07 at 19:32 +0100, Rabih M wrote:
> > > Hello,
> > >
> > > I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but I have
> > > 3 of the qpid-dispatch 0.7.0 unit tests that are failing:
> > >
> > > system_tests_qdstat
> > > system_tests_sasl_plain
> > > system_tests_deprecated
> > >
> > > I attached the tests output.
> > >
> > > Do you have any idea, where should I look? Is Cyrus mandatory for the
> > > qpid-dispatch 0.7.0?
> >
> > Not mandatory, the tests should probably be made conditional to skip
> > tests for SASL features that are not available. Raise a JIRA for that.
> >
>
> Is there a way for dispatch to find out if proton is using the none sasl
> implementation ("-DSASL_IMPL=none") so it can skip certain tests?
>

Looks like bool pn_sasl_extended(void) returns true in cyrus_sasl.c and false in none_sasl.c, so I can use that. Thanks.

> > > Best regards,
> > > Rabih
> > >
> > > On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher <astitc...@redhat.com> wrote:
> > > > On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > > > > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > > > > enough.
> > > > >
> > > > > Is there a reason it is called "null"?
> > > >
> > > > It's actually the "none" implementation! As in, no other sasl library
> > > > found.
> > > >
> > > > You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake
> > > > command line. Or use ccmake to set SASL_IMPL interactively.
> > > >
> > > > Andrew

-
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org
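One way to apply the pn_sasl_extended() check from the message above, as an added example (not code from the thread or from qpid-dispatch): tests that need the extended SASL implementation are skipped rather than left to fail. It assumes the Python bindings expose the call as proton.SASL.extended(); the test classes and helper names are constructed stand-ins.

```python
import unittest


def sasl_extended():
    """True when the Proton bindings report an extended (Cyrus) SASL
    implementation; False for the "none" build or missing bindings.
    Assumption: proton.SASL.extended() wraps pn_sasl_extended()."""
    try:
        from proton import SASL
        return bool(SASL.extended())
    except (ImportError, AttributeError):
        return False


def requires_extended_sasl(probe=sasl_extended):
    """Decorator for a TestCase class or method; the probe is evaluated
    once, when the decorator is applied."""
    return unittest.skipUnless(probe(), "extended (Cyrus) SASL not available")


def run_sample_suite(probe, gated=True):
    """Run two constructed tests and return (skipped, failed).
    gated=False shows what happens without the skip condition."""
    gate = requires_extended_sasl(probe) if gated else (lambda cls: cls)

    class AnonymousTest(unittest.TestCase):
        def test_connect_anonymous(self):
            # Stand-in for a check that works with any SASL build.
            self.assertTrue(True)

    @gate
    class PlainSaslTest(unittest.TestCase):
        def test_connect_plain(self):
            # Stand-in for a check that needs the extended implementation;
            # it fails the way the attached output does when it is absent.
            self.assertTrue(probe(), "Authentication failed [mech=NULL]")

    loader = unittest.TestLoader()
    suite = unittest.TestSuite([
        loader.loadTestsFromTestCase(AnonymousTest),
        loader.loadTestsFromTestCase(PlainSaslTest),
    ])
    result = unittest.TestResult()
    suite.run(result)
    return len(result.skipped), len(result.failures) + len(result.errors)


if __name__ == "__main__":
    print("this build, gated:", run_sample_suite(sasl_extended))
```

A skipped test stays visible in the report, so a build that only offers the reduced SASL implementation is recorded as such instead of passing silently.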
Re: [Qpid Proton] How mandatory is Cyrus for SASL
Hello Alan,

Thank you for your reply.

https://issues.apache.org/jira/browse/DISPATCH-631

Best regards,
Rabih

On Tue, Feb 7, 2017 at 8:56 PM, Alan Conway wrote:
> On Tue, 2017-02-07 at 19:32 +0100, Rabih M wrote:
> > Hello,
> >
> > I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but I have
> > 3 of the qpid-dispatch 0.7.0 unit tests that are failing:
> >
> > system_tests_qdstat
> > system_tests_sasl_plain
> > system_tests_deprecated
> >
> > I attached the tests output.
> >
> > Do you have any idea, where should I look? Is Cyrus mandatory for the
> > qpid-dispatch 0.7.0?
>
> Not mandatory, the tests should probably be made conditional to skip
> tests for SASL features that are not available. Raise a JIRA for that.
>
> > Best regards,
> > Rabih
> >
> > On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher wrote:
> > > On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > > > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > > > enough.
> > > >
> > > > Is there a reason it is called "null"?
> > >
> > > It's actually the "none" implementation! As in, no other sasl library
> > > found.
> > >
> > > You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake
> > > command line. Or use ccmake to set SASL_IMPL interactively.
> > >
> > > Andrew
Re: [Qpid Proton] How mandatory is Cyrus for SASL
On Tue, 2017-02-07 at 19:32 +0100, Rabih M wrote:
> Hello,
>
> I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but I have
> 3 of the qpid-dispatch 0.7.0 unit tests that are failing:
>
> system_tests_qdstat
> system_tests_sasl_plain
> system_tests_deprecated
>
> I attached the tests output.
>
> Do you have any idea, where should I look? Is Cyrus mandatory for the
> qpid-dispatch 0.7.0?

Not mandatory, the tests should probably be made conditional to skip tests for SASL features that are not available. Raise a JIRA for that.

> Best regards,
> Rabih
>
> On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher wrote:
> > On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > > enough.
> > >
> > > Is there a reason it is called "null"?
> >
> > It's actually the "none" implementation! As in, no other sasl library
> > found.
> >
> > You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake
> > command line. Or use ccmake to set SASL_IMPL interactively.
> >
> > Andrew
Re: [Qpid Proton] How mandatory is Cyrus for SASL
On Thu, 2017-02-02 at 16:18 -0500, Andrew Stitcher wrote:
> On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > enough.
> >
> > Is there a reason it is called "null"?
>
> It's actually the "none" implementation! As in, no other sasl library
> found.
>
> You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake
> command line. Or use ccmake to set SASL_IMPL interactively.
>

None or null may be too harsh - it is a valid SASL implementation but one that only supports EXTERNAL/ANONYMOUS, which means it doesn't do very much.
Re: [Qpid Proton] How mandatory is Cyrus for SASL
Hello,

I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but I have 3 of the qpid-dispatch 0.7.0 unit tests that are failing:

system_tests_qdstat
system_tests_sasl_plain
system_tests_deprecated

I attached the tests output.

Do you have any idea, where should I look? Is Cyrus mandatory for the qpid-dispatch 0.7.0?

Best regards,
Rabih

On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher wrote:
> On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > enough.
> >
> > Is there a reason it is called "null"?
>
> It's actually the "none" implementation! As in, no other sasl library
> found.
>
> You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake
> command line. Or use ccmake to set SASL_IMPL interactively.
>
> Andrew

FAIL: test_ssl_cert_to_auth_fail_no_sasl_external (system_tests_qdstat.QdstatSslNoExternalTest)
--
Traceback (most recent call last):
  File "/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_qdstat.py", line 325, in test_ssl_cert_to_auth_fail_no_sasl_external
    self.ssl_test_bad('auth_s', ['client_cert_all'])
  File "/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_qdstat.py", line 322, in ssl_test_bad
    self.assertRaises(AssertionError, self.ssl_test, url_name, arg_names)
AssertionError: AssertionError not raised

==
FAIL: test_inter_router_plain_exists (system_tests_sasl_plain.RouterTestPlainSasl)
The setUpClass sets up two routers with SASL PLAIN enabled.
--
Traceback (most recent call last):
  File "/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py", line 121, in test_inter_router_plain_exists
    self.assertIn("inter-router", out)
  File "/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_test.py", line 674, in assertIn
    assert item in items, "%s not in %s" % (item, items)
AssertionError: inter-router not in Connections
  Id  host             container                             role    dir  security     authentication
  =
  13  127.0.0.1:43271  09eaefc9-7250-4a3b-a9d0-42c58e48a194  normal  in   no-security  anonymous-user

==
FAIL: test_qdstat_connect_sasl (system_tests_sasl_plain.RouterTestPlainSasl)
--
Traceback (most recent call last):
  File "/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py", line 135, in test_qdstat_connect_sasl
    "qdstat exit status %s, output:\n%s" % (p.returncode, out)
AssertionError: qdstat exit status 1, output:
ConnectionException: Connection amqp://0.0.0.0:24677/$management disconnected: Condition('amqp:unauthorized-access', 'Authentication failed [mech=NULL]')

==
FAIL: test_qdstat_connect_sasl_password_file (system_tests_sasl_plain.RouterTestPlainSasl)
--
Traceback (most recent call last):
  File "/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py", line 163, in test_qdstat_connect_sasl_password_file
    "qdstat exit status %s, output:\n%s" % (p.returncode, out)
AssertionError: qdstat exit status 1, output:
ConnectionException: Connection amqp://0.0.0.0:24677/$management disconnected: Condition('amqp:unauthorized-access', 'Authentication failed [mech=NULL]')

==
FAIL: test_aaa_qdstat_connect_sasl_over_ssl (system_tests_sasl_plain.RouterTestPlainSaslOverSsl)
--
Traceback (most recent call last):
  File "/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py", line 263, in test_aaa_qdstat_connect_sasl_over_ssl
    "qdstat exit status %s, output:\n%s" % (p.returncode, out)
AssertionError: qdstat exit status 1, output:
ConnectionException: Connection amqps://0.0.0.0:24681/$management disconnected: Condition('amqp:unauthorized-access', 'Authentication failed [mech=NULL]')
Re: [Qpid Proton] How mandatory is Cyrus for SASL
On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> In our case, we only use EXTERNAL or ANONYMOUS so it should be
> enough.
>
> Is there a reason it is called "null"?

It's actually the "none" implementation! As in, no other sasl library found.

You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake command line. Or use ccmake to set SASL_IMPL interactively.

Andrew
Re: [Qpid Proton] How mandatory is Cyrus for SASL
In our case, we only use EXTERNAL or ANONYMOUS so it should be enough.

Is there a reason it is called "null"?

Regards,
Adel

From: Alan Conway <acon...@redhat.com>
Sent: Thursday, February 2, 2017 8:51:21 PM
To: users@qpid.apache.org
Subject: Re: [Qpid Proton] How mandatory is Cyrus for SASL

On Thu, 2017-02-02 at 19:41 +, Adel Boutros wrote:
> Hello,
>
> I was wondering if SASL would be completely disabled in Proton if
> Cyrus was not found during compilation or is there an alternative
> implementation?
>
> Regards,
>
> Adel

Proton has a built-in "null" SASL impl that supports EXTERNAL, PLAIN or ANONYMOUS. It is intended to be enough for trusted environments or if you always use SSL/TLS to secure things.
Re: [Qpid Proton] How mandatory is Cyrus for SASL
On Thu, 2017-02-02 at 19:41 +, Adel Boutros wrote:
> Hello,
>
> I was wondering if SASL would be completely disabled in Proton if
> Cyrus was not found during compilation or is there an alternative
> implementation?
>
> Regards,
>
> Adel

Proton has a built-in "null" SASL impl that supports EXTERNAL, PLAIN or ANONYMOUS. It is intended to be enough for trusted environments or if you always use SSL/TLS to secure things.