On 12 June 2015 at 10:48, Rob Godfrey <[email protected]> wrote:
> On 12 June 2015 at 11:18, Robbie Gemmell <[email protected]> wrote:
>> I tend to disagree. The option exists, and seems about as useful (if
>> obviously slightly different) as e.g. being able to enable the
>> ANONYMOUS authentication provider. Having it written down somewhere
>> other than a mailing list would make answering this type of question
>> simpler in future (or avoid it having to be asked).
>>
>
> I'm not against the option being documented in terms of the config
> file, or the REST call - but I do think that it should be relatively
> hard to find :-)
That's why I mentioned the docbook :)

> Once you make the change it is relatively easy to
> forget about it and then never fix to a more secure configuration when
> you go into a production environment. I'd much rather we make it easy
> for people to build secure installations and harder to build insecure
> ones.
>
>> Is the fact that the broker only offers PLAIN when using SSL actually
>> documented either? To be fair, the precise mechanisms supported by
>> each Authentication Provider have never really been documented
>> explicitly (only implicitly in some cases by their names), but given
>> this was a change in behaviour from the past and isn't particularly
>> obvious it might be nice if it was called out somewhere.
>
> The documentation doesn't tend to go into the detail of the SASL
> mechanisms available from each provider (and how they may differ
> between TLS and non-TLS)... and from a general user perspective I'm
> not sure that would be useful.

I have seen quite a few users ask the 'what mechanisms are supported?'
question on IRC in recent times. Admittedly it was typically due to
this scenario or trying to enable ANONYMOUS.

> The issue here is interop between
> clients and brokers... and in general I think all clients should
> support some way of sending password information in non-plaintext if
> they are not using an encrypted channel.
>
> -- Rob

No argument there, I agree.

>
>> Robbie
>>
>> On 12 June 2015 at 09:25, Lorenz Quack <[email protected]> wrote:
>>> I'm not sure this should be in the docs. I would not encourage people to
>>> send password in the clear over a network.
>>>
>>> Lorenz
>>>
>>> On 11/06/15 17:37, Robbie Gemmell wrote:
>>>>
>>>> Can this be added to the documentation to make it easier to point
>>>> people at, and make it better known? Assuming it isn't already that is,
>>>> I had a peek for the 0.32 docs but didn't see it.
>>>>
>>>> Robbie
>>>>
>>>> On 11 June 2015 at 16:20, Lorenz Quack <[email protected]> wrote:
>>>>>
>>>>> Hi Mansour,
>>>>>
>>>>> if you want to connect with SASL PLAIN on an unsecured connection (which is
>>>>> obviously not recommended), you need to tell the to allow this.
>>>>> You can do this by setting
>>>>>     "secureOnlyMechanisms" : [ ]
>>>>> in the plain authenticationProvider section in your config.json file.
>>>>>
>>>>> It should then look something like this:
>>>>>
>>>>>   "authenticationproviders" : [ {
>>>>>     "name" : "passwordFile",
>>>>>     "type" : "PlainPasswordFile",
>>>>>     "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd",
>>>>>     "secureOnlyMechanisms" : [ ],
>>>>>     "preferencesproviders" : [{
>>>>>       "name": "fileSystemPreferences",
>>>>>       "type": "FileSystemPreferences",
>>>>>       "path" : "${qpid.work_dir}${file.separator}user.preferences.json"
>>>>>     }]
>>>>>   } ],
>>>>>
>>>>>
>>>>> Kind Regards,
>>>>> Lorenz
>>>>>
>>>>> On 11/06/15 16:09, Mansour Al Akeel wrote:
>>>>>>
>>>>>> I restarted the server, but still no juice !
>>>>>> is there a way I can tell proton to use AMQP 0-9 or 0-10 ?
>>>>>>
>>>>>> I think reverting back to a previous version should solve my problems for
>>>>>> now !
>>>>>>
>>>>>> On Thu, Jun 11, 2015 at 6:52 PM, Gordon Sim <[email protected]> wrote:
>>>>>>>
>>>>>>> On 06/11/2015 03:28 PM, Mansour Al Akeel wrote:
>>>>>>>>
>>>>>>>> Gordon,
>>>>>>>> thank you.
>>>>>>>> I added Both Anonymous and PLAIN. Here's the steps to add them from
>>>>>>>> the httpManagement console:
>>>>>>>> -Double click "Broker" folder. Go to "Authentication Providers", and click
>>>>>>>> add.
>>>>>>>> -Fill the current information:
>>>>>>>> Name: anonymous
>>>>>>>> Type: Anonymous
>>>>>>>>
>>>>>>>> -Then did it again for Plain:
>>>>>>>> Name: PLAIN
>>>>>>>> Type: Plain
>>>>>>>> and added a user guest:guest
>>>>>>>>
>>>>>>>>
>>>>>>>> Now, went to "Broker >> Ports >> AMQP", Then " >> Edit" I changed the
>>>>>>>> "Authorization Provider", once for PLAIN and for Anonymous.
>>>>>>>>
>>>>>>>> With PLAIN and client side credentials "guest:guest", I am getting on
>>>>>>>> the broker:
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: messages-delivered-1-13
>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: data-delivered-1-14
>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: messages-received-1-15
>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: data-received-1-16
>>>>>>>> 2015-06-11 18:22:35,527 DEBUG [IoReceiver - /127.0.0.1:33637] (FRM) - SEND[/127.0.0.1:33637|0] : SaslMechanisms{saslServerMechanisms=[CRAM-MD5]}
>>>>>>>
>>>>>>>
>>>>>>> That looks like CRAM-MD5 is still the only option offered... did you try
>>>>>>> restarting the broker (I'm not sure if this is required)?
>>>>>>>
>>>>>>> [...]
>>>>>>>>
>>>>>>>> While we are on this subject, I went back and tried to reinstall
>>>>>>>> python-qpid-proton, getting an error when installing it. The installer
>>>>>>>> reports a success. However, there are some errors installing
>>>>>>>> python-qpid-proton:
>>>>>>>>
>>>>>>>> ===============================================
>>>>>>>> localhost qpid-broker # pip install python-qpid-proton
>>>>>>>> Downloading/unpacking python-qpid-proton
>>>>>>>> Downloading python-qpid-proton-0.9.1.zip (90kB): 90kB downloaded
>>>>>>>> Running setup.py (path:/tmp/pip_build_root/python-qpid-proton/setup.py) egg_info for package python-qpid-proton
>>>>>>>>
>>>>>>>> Installing collected packages: python-qpid-proton
>>>>>>>> Running setup.py install for python-qpid-proton
>>>>>>>> Did not find libqpid-proton via pkg-config:
>>>>>>>>
>>>>>>>> Using bundled libqpid-proton
>>>>>>>> fetching http://www.apache.org/dist/qpid/proton/0.9.1/qpid-proton-0.9.1.tar.gz into build/bundled
>>>>>>>> Using openssl (found via pkg-config).
>>>>>>>> cc -c /tmp/clock_getttimeuwm6XO.c -o build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o
>>>>>>>> cc build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o -o build/temp.linux-x86_64-2.7/a.out
>>>>>>>> build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o: In function `main':
>>>>>>>> clock_getttimeuwm6XO.c:(.text+0x15): undefined reference to `clock_getttime'
>>>>>>>
>>>>>>>
>>>>>>> That looks like it might just be a test for determining what is available.
>>>>>>> If the install proceeded without error after that, I would not worry about
>>>>>>> it.
>>>>>>>
>>>>>>>> collect2: error: ld returned 1 exit status
>>>>>>>> building 'libqpid-proton' extension
>>>>>>>> x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include -I/usr/include/python2.7 -c /tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.c -o build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.o -std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETTIME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
>>>>>>>> x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include -I/usr/include/python2.7 -c /tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.c -o build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.o -std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETTIME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
>>>>>>>> ......
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
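
Added example (not part of the original thread, and not code from the Qpid project): a small pre-production check for the concern raised above, that a relaxed "secureOnlyMechanisms" setting or an Anonymous provider is easy to forget about. It reads a config.json in the shape quoted in the thread; the sample input is constructed, and treating a missing "secureOnlyMechanisms" key as the safe broker default is an assumption based on the thread.

```python
import json

# Constructed sample in the shape of the config.json fragment quoted in the
# thread; the "anonymous" and "hardened" entries are made up for contrast.
SAMPLE_CONFIG = """
{
  "authenticationproviders": [
    {"name": "passwordFile", "type": "PlainPasswordFile",
     "secureOnlyMechanisms": []},
    {"name": "anonymous", "type": "Anonymous"},
    {"name": "hardened", "type": "PlainPasswordFile",
     "secureOnlyMechanisms": ["PLAIN"]}
  ]
}
"""


def audit_auth_providers(config_text):
    """Return (provider name, finding) pairs for weakened auth settings."""
    findings = []
    config = json.loads(config_text)
    for provider in config.get("authenticationproviders", []):
        name = provider.get("name", "<unnamed>")
        if str(provider.get("type", "")).lower() == "anonymous":
            findings.append((name, "ANONYMOUS provider enabled"))
            continue
        # Assumption: with the key absent the broker default applies, which
        # per the thread only offers PLAIN on TLS-protected connections.
        if "secureOnlyMechanisms" not in provider:
            continue
        secure_only = provider["secureOnlyMechanisms"] or []
        if isinstance(secure_only, str):
            secure_only = [secure_only]
        # PLAIN missing from the list means it may be offered in cleartext.
        if "PLAIN" not in [str(m).upper() for m in secure_only]:
            findings.append((name, "PLAIN allowed without TLS"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_auth_providers(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against the broker's real config.json before promoting it to production, a non-empty result is a reason to stop and restore the secure setting.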
