subject:"Re\: \[Qpid Proton\] How mandatory is Cyrus for SASL"

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-03-13 Thread Ganesh Murthy



- Original Message -
> From: "Ganesh Murthy" <gmur...@redhat.com>
> To: users@qpid.apache.org
> Sent: Friday, March 10, 2017 3:18:04 PM
> Subject: Re: [Qpid Proton] How mandatory is Cyrus for SASL
> 
> 
> 
> - Original Message -
> > From: "Alan Conway" <acon...@redhat.com>
> > To: users@qpid.apache.org
> > Sent: Tuesday, February 7, 2017 2:56:20 PM
> > Subject: Re: [Qpid Proton] How mandatory is Cyrus for SASL
> > 
> > On Tue, 2017-02-07 at 19:32 +0100, Rabih M wrote:
> > > Hello,
> > > 
> > > I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but i have an
> > > 3 of qpid-dispatch 0.7.0 unit tests that are failing:
> > > 
> > > system_tests_qdstat
> > > system_tests_sasl_plain
> > > system_tests_deprecated
> > > 
> > > I attached the tests output.
> > > 
> > > Do you have any idea, where should i look? Is Cyrus mandatory for the
> > > qpid-dispatch 0.7.0?
> > 
> > Not mandatory, the tests should probably be made conditional to skip
> > tests for SASL features that are not available. Raise a JIRA for that.
> > 
> 
> Is there a way for dispatch to find out if proton is using the none sasl
> implementation ("-DSASL_IMPL=none") so it can skip certain tests?
> 
Looks like bool pn_sasl_extended(void) returns true in cyrus_sasl.c and false 
in none_sasl.c, so I can use that. 

Thanks.
> > > Best regards,
> > > Rabih
> > > 
> > > On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher <astitc...@redhat.co
> > > m> wrote:
> > > > On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > > > > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > > > > enough.
> > > > >
> > > > >
> > > > > Is there a reason it is called "null"?
> > > > 
> > > > It's actually the "none" implementation! As in, no other sasl
> > > > library
> > > > found.
> > > > 
> > > > You can make sure it is used by adding "-DSASL_IMPL=none" to the
> > > > cmake
> > > > command line. Or use ccmake to set SASL_IMPL interactively.
> > > > 
> > > > Andrew
> > > > 
> > > > 
> > > > -
> > > > 
> > > > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > > > For additional commands, e-mail: users-h...@qpid.apache.org
> > > > 
> > > > 
> > > 
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > > For additional commands, e-mail: users-h...@qpid.apache.org
> > 
> > 
> > -
> > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > For additional commands, e-mail: users-h...@qpid.apache.org
> > 
> > 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org
> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-02-08 Thread Rabih M

Hello Alan,

Thank you for your reply.
https://issues.apache.org/jira/browse/DISPATCH-631

Best regards,
Rabih

On Tue, Feb 7, 2017 at 8:56 PM, Alan Conway  wrote:

> On Tue, 2017-02-07 at 19:32 +0100, Rabih M wrote:
> > Hello,
> >
> > I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but i have an
> > 3 of qpid-dispatch 0.7.0 unit tests that are failing:
> >
> > system_tests_qdstat
> > system_tests_sasl_plain
> > system_tests_deprecated
> >
> > I attached the tests output.
> >
> > Do you have any idea, where should i look? Is Cyrus mandatory for the
> > qpid-dispatch 0.7.0?
>
> Not mandatory, the tests should probably be made conditional to skip
> tests for SASL features that are not available. Raise a JIRA for that.
>
> > Best regards,
> > Rabih
> >
> > On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher  > m> wrote:
> > > On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > > > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > > > enough.
> > > >
> > > >
> > > > Is there a reason it is called "null"?
> > >
> > > It's actually the "none" implementation! As in, no other sasl
> > > library
> > > found.
> > >
> > > You can make sure it is used by adding "-DSASL_IMPL=none" to the
> > > cmake
> > > command line. Or use ccmake to set SASL_IMPL interactively.
> > >
> > > Andrew
> > >
> > >
> > > -
> > > 
> > > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > > For additional commands, e-mail: users-h...@qpid.apache.org
> > >
> > >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > For additional commands, e-mail: users-h...@qpid.apache.org
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org
>
>

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-02-07 Thread Alan Conway

On Tue, 2017-02-07 at 19:32 +0100, Rabih M wrote:
> Hello,
> 
> I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but i have an
> 3 of qpid-dispatch 0.7.0 unit tests that are failing:
> 
> system_tests_qdstat
> system_tests_sasl_plain
> system_tests_deprecated
> 
> I attached the tests output.
> 
> Do you have any idea, where should i look? Is Cyrus mandatory for the
> qpid-dispatch 0.7.0?

Not mandatory, the tests should probably be made conditional to skip
tests for SASL features that are not available. Raise a JIRA for that.

> Best regards,
> Rabih
> 
> On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher  m> wrote:
> > On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > > enough.
> > >
> > >
> > > Is there a reason it is called "null"?
> > 
> > It's actually the "none" implementation! As in, no other sasl
> > library
> > found.
> > 
> > You can make sure it is used by adding "-DSASL_IMPL=none" to the
> > cmake
> > command line. Or use ccmake to set SASL_IMPL interactively.
> > 
> > Andrew
> > 
> > 
> > -
> > 
> > To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> > For additional commands, e-mail: users-h...@qpid.apache.org
> > 
> > 
> 
> -
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-02-07 Thread Alan Conway

On Thu, 2017-02-02 at 16:18 -0500, Andrew Stitcher wrote:
> On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > enough.
> > 
> > 
> > Is there a reason it is called "null"?
> 
> It's actually the "none" implementation! As in, no other sasl library
> found.
> 
> You can make sure it is used by adding "-DSASL_IMPL=none" to the
> cmake
> command line. Or use ccmake to set SASL_IMPL interactively.
> 

None or null may be too harsh - it is a valid SASL implementation but
one that only supports EXTERNAL/ANONYMOUS, which means it doesn't do
very much.



-
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-02-07 Thread Rabih M

Hello,

I compiled qpid-proton 0.16.0 with "-DSASL_IMPL=none", but i have an 3 of
qpid-dispatch 0.7.0 unit tests that are failing:

system_tests_qdstat

system_tests_sasl_plain

system_tests_deprecated


I attached the tests output.

Do you have any idea, where should i look? Is Cyrus mandatory for the
qpid-dispatch 0.7.0?

Best regards,
Rabih

On Thu, Feb 2, 2017 at 10:18 PM, Andrew Stitcher 
wrote:

> On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> > In our case, we only use EXTERNAL or ANONYMOUS so it should be
> > enough.
> >
> >
> > Is there a reason it is called "null"?
>
> It's actually the "none" implementation! As in, no other sasl library
> found.
>
> You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake
> command line. Or use ccmake to set SASL_IMPL interactively.
>
> Andrew
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
> For additional commands, e-mail: users-h...@qpid.apache.org
>
>
FAIL: test_ssl_cert_to_auth_fail_no_sasl_external 
(system_tests_qdstat.QdstatSslNoExternalTest)
--
Traceback (most recent call last):
  File 
"/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_qdstat.py",
 line 325, in test_ssl_cert_to_auth_fail_no_sasl_external
self.ssl_test_bad('auth_s', ['client_cert_all'])
  File 
"/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_qdstat.py",
 line 322, in ssl_test_bad
self.assertRaises(AssertionError, self.ssl_test, url_name, arg_names)
AssertionError: AssertionError not raised

==
FAIL: test_inter_router_plain_exists 
(system_tests_sasl_plain.RouterTestPlainSasl)
The setUpClass sets up two routers with SASL PLAIN enabled.
--
Traceback (most recent call last):
  File 
"/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py",
 line 121, in test_inter_router_plain_exists
self.assertIn("inter-router", out)
  File 
"/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_test.py",
 line 674, in assertIn
assert item in items, "%s not in %s" % (item, items)
AssertionError: inter-router not in Connections
  Id  host container roledir  
security authentication
  
=
  13  127.0.0.1:43271  09eaefc9-7250-4a3b-a9d0-42c58e48a194  normal  in   
no-security  anonymous-user


==
FAIL: test_qdstat_connect_sasl (system_tests_sasl_plain.RouterTestPlainSasl)
--
Traceback (most recent call last):
  File 
"/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py",
 line 135, in test_qdstat_connect_sasl
"qdstat exit status %s, output:\n%s" % (p.returncode, out)
AssertionError: qdstat exit status 1, output:
ConnectionException: Connection amqp://0.0.0.0:24677/$management disconnected: 
Condition('amqp:unauthorized-access', 'Authentication failed [mech=NULL]')


==
FAIL: test_qdstat_connect_sasl_password_file 
(system_tests_sasl_plain.RouterTestPlainSasl)
--
Traceback (most recent call last):
  File 
"/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py",
 line 163, in test_qdstat_connect_sasl_password_file
"qdstat exit status %s, output:\n%s" % (p.returncode, out)
AssertionError: qdstat exit status 1, output:
ConnectionException: Connection amqp://0.0.0.0:24677/$management disconnected: 
Condition('amqp:unauthorized-access', 'Authentication failed [mech=NULL]')


==
FAIL: test_aaa_qdstat_connect_sasl_over_ssl 
(system_tests_sasl_plain.RouterTestPlainSaslOverSsl)
--
Traceback (most recent call last):
  File 
"/data/jenkins-slave/home/workspace/qpid-dispatch-router/label/linux/qpid-dispatch-0.7.0/tests/system_tests_sasl_plain.py",
 line 263, in test_aaa_qdstat_connect_sasl_over_ssl
"qdstat exit status %s, output:\n%s" % (p.returncode, out)
AssertionError: qdstat exit status 1, output:
ConnectionException: Connection amqps://0.0.0.0:24681/$management disconnected: 
Condition('amqp:unauthorized-access', 'Authentication failed [mech=NULL]')

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-02-02 Thread Andrew Stitcher

On Thu, 2017-02-02 at 19:54 +, Adel Boutros wrote:
> In our case, we only use EXTERNAL or ANONYMOUS so it should be
> enough.
> 
> 
> Is there a reason it is called "null"?

It's actually the "none" implementation! As in, no other sasl library
found.

You can make sure it is used by adding "-DSASL_IMPL=none" to the cmake
command line. Or use ccmake to set SASL_IMPL interactively.

Andrew

-
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-02-02 Thread Adel Boutros

In our case, we only use EXTERNAL or ANONYMOUS so it should be enough.

Is there a reason it is called "null"?

Regards,

Adel

From: Alan Conway <acon...@redhat.com>
Sent: Thursday, February 2, 2017 8:51:21 PM
To: users@qpid.apache.org
Subject: Re: [Qpid Proton] How mandatory is Cyrus for SASL

On Thu, 2017-02-02 at 19:41 +, Adel Boutros wrote:
> Hello,
>
>
> I was wondering if SASL would be completely disabled in Proton if
> Cyrus was not found during compilation or is there an alternative
> implementation?
>
>
> Regards,
>
> Adel

Proton has a built-in "null" SASL impl that supports EXTERNAL, PLAIN or
ANONYMOUS. It is intended to be enough for trusted environments or if
you always use SSL/TLS to secure things.

-
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Re: [Qpid Proton] How mandatory is Cyrus for SASL

2017-02-02 Thread Alan Conway

On Thu, 2017-02-02 at 19:41 +, Adel Boutros wrote:
> Hello,
> 
> 
> I was wondering if SASL would be completely disabled in Proton if
> Cyrus was not found during compilation or is there an alternative
> implementation?
> 
> 
> Regards,
> 
> Adel

Proton has a built-in "null" SASL impl that supports EXTERNAL, PLAIN or
ANONYMOUS. It is intended to be enough for trusted environments or if
you always use SSL/TLS to secure things.

-
To unsubscribe, e-mail: users-unsubscr...@qpid.apache.org
For additional commands, e-mail: users-h...@qpid.apache.org

Re: [Qpid Proton] How mandatory is Cyrus for SASL

Re: [Qpid Proton] How mandatory is Cyrus for SASL

Re: [Qpid Proton] How mandatory is Cyrus for SASL

Re: [Qpid Proton] How mandatory is Cyrus for SASL

Re: [Qpid Proton] How mandatory is Cyrus for SASL

Re: [Qpid Proton] How mandatory is Cyrus for SASL

Re: [Qpid Proton] How mandatory is Cyrus for SASL

Re: [Qpid Proton] How mandatory is Cyrus for SASL

8 matches

Site Navigation

Mail list logo

Footer information