The general consensus seems to be that the docs should change and
reflect that:
* the available mechanisms change with the underlying transport and
* this can be influenced by setting secureOnlyMechanisms in the
config.json.
I created QPID-6606 and attached a patch with a suggested wording.
Kind Regards,
Lorenz
On 12/06/15 11:00, Robbie Gemmell wrote:
On 12 June 2015 at 10:48, Rob Godfrey <[email protected]> wrote:
On 12 June 2015 at 11:18, Robbie Gemmell <[email protected]> wrote:
I tend to disagree. The option exists, and seems about as useful (if
obviously slightly different) as e.g. being able to enable the
ANONYMOUS authentication provider. Having it written down somewhere
other than a mailing list would make answering this type of question
simpler in future (or avoid it having to be asked).
I'm not against the option being documented in terms of the config
file, or the REST call - but I do think that it should be relatively
hard to find :-)
That's why I mentioned the docbook :)
Once you make the change it is relatively easy to
forget about it and then never fix to a more secure configuration when
you go into a production environment. I'd much rather we make it easy
for people to build secure installations and harder to build insecure
ones.
Is the fact that the broker only offers PLAIN when using SSL actually
documented either? To be fair, the precise mechanisms supported by
each Authentication Provider have never really been documented
explicitly (only implicitly in some cases by their names), but given
this was a change in behaviour from the past and isn't particularly
obvious it might be nice if it was called out somewhere.
The documentation doesn't tend to go into the detail of the SASL
mechanisms available from each provider (and how they may differ
between TLS and non-TLS)... and from a general user perspective I'm
not sure that would be useful.
I have seen quite a few users ask the 'what mechanisms are supported?'
question on IRC in recent times. Admittedly it was typically due to
this scenario or trying to enable ANONYMOUS.
The issue here is interop between
clients and brokers... and in general I think all clients should
support some way of sending password information in non-plaintext if
they are not using an encrypted channel.
-- Rob
No argument there, I agree.
Robbie
On 12 June 2015 at 09:25, Lorenz Quack <[email protected]> wrote:
I'm not sure this should be in the docs. I would not encourage people to
send passwords in the clear over a network.
Lorenz
On 11/06/15 17:37, Robbie Gemmell wrote:
Can this be added to the documentation to make it easier to point
people at, and make it better known? Assuming it isn't already that is,
I had a peek for the 0.32 docs but didn't see it.
Robbie
On 11 June 2015 at 16:20, Lorenz Quack <[email protected]> wrote:
Hi Mansour,
if you want to connect with SASL PLAIN on an unsecured connection (which is
obviously not recommended), you need to tell the to allow this.
You can do this by setting
"secureOnlyMechanisms" : [ ]
in the plain authenticationProvider section in your config.json file.
It should then look something like this:
    "authenticationproviders" : [ {
        "name" : "passwordFile",
        "type" : "PlainPasswordFile",
        "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd",
        "secureOnlyMechanisms" : [ ],
        "preferencesproviders" : [ {
            "name" : "fileSystemPreferences",
            "type" : "FileSystemPreferences",
            "path" : "${qpid.work_dir}${file.separator}user.preferences.json"
        } ]
    } ],
Kind Regards,
Lorenz
On 11/06/15 16:09, Mansour Al Akeel wrote:
I restarted the server, but still no juice !
Is there a way I can tell proton to use AMQP 0-9 or 0-10 ?
I think reverting back to a previous version should solve my problems for
now !
On Thu, Jun 11, 2015 at 6:52 PM, Gordon Sim <[email protected]> wrote:
On 06/11/2015 03:28 PM, Mansour Al Akeel wrote:
Gordon,
thank you.
I added Both Anonymous and PLAIN. Here's the steps to add them from
the httpManagement console:
-Double click "Broker" folder. Go to "Authentication Providers", and click
add.
-Fill the current information:
Name: anonymous
Type: Anonymous
-Then did it again for Plain:
Name: PLAIN
Type: Plain
and added a user guest:guest
Now, went to "Broker >> Ports >> AMQP", Then " >> Edit" I changed the
"Authorization Provider", once for PLAIN and for Anonymous.
With PLAIN and client side credentials "guest:guest", I am getting on
the broker:
2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637]
(stats.StatisticsCounter) - Resetting statistics for counter:
messages-delivered-1-13
2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637]
(stats.StatisticsCounter) - Resetting statistics for counter:
data-delivered-1-14
2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637]
(stats.StatisticsCounter) - Resetting statistics for counter:
messages-received-1-15
2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637]
(stats.StatisticsCounter) - Resetting statistics for counter:
data-received-1-16
2015-06-11 18:22:35,527 DEBUG [IoReceiver - /127.0.0.1:33637] (FRM) -
SEND[/127.0.0.1:33637|0] :
SaslMechanisms{saslServerMechanisms=[CRAM-MD5]}
That looks like CRAM-MD5 is still the only option offered... did you try
restarting the broker (I'm not sure if this is required)?
[...]
While we are on this subject, I went back and tried to reinstall
python-qpid-proton, getting an error when installing it. The installer
reports a success. However, there are some errors installing
python-qpid-proton:
===============================================
localhost qpid-broker # pip install python-qpid-proton
Downloading/unpacking python-qpid-proton
Downloading python-qpid-proton-0.9.1.zip (90kB): 90kB downloaded
Running setup.py
(path:/tmp/pip_build_root/python-qpid-proton/setup.py) egg_info for
package python-qpid-proton
Installing collected packages: python-qpid-proton
Running setup.py install for python-qpid-proton
Did not find libqpid-proton via pkg-config:
Using bundled libqpid-proton
fetching
http://www.apache.org/dist/qpid/proton/0.9.1/qpid-proton-0.9.1.tar.gz
into build/bundled
Using openssl (found via pkg-config).
cc -c /tmp/clock_getttimeuwm6XO.c -o
build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o
cc build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o -o
build/temp.linux-x86_64-2.7/a.out
build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o: In
function
`main':
clock_getttimeuwm6XO.c:(.text+0x15): undefined reference to
`clock_getttime'
That looks like it might just be a test for determining what is available.
If the install proceeded without error after that, I would not worry about
it.
collect2: error: ld returned 1 exit status
building 'libqpid-proton' extension
x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include
-I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src
-I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include
-I/usr/include/python2.7 -c /tmp/pip_build
_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.c
-o
build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.o
-std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETT
IME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include
-I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src
-I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include
-I/usr/include/python2.7 -c /tmp/pip_build
_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.c
-o
build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.o
-std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETT
IME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
......
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
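
A config audit for the secureOnlyMechanisms override discussed in this thread, as an added example that is not part of any message or of the Qpid project: it lists the authentication providers in a config.json whose override no longer restricts PLAIN to TLS. The sample config, its provider names and paths, and the function name are constructed; it assumes a provider without the key keeps the broker default of offering PLAIN only over TLS.

```python
import json

# Constructed sample config (not from the thread): one provider left at its
# defaults, one with the empty-list override described in the thread, and one
# that restricts another mechanism but not PLAIN.
SAMPLE_CONFIG = """
{
  "name": "Broker",
  "authenticationproviders": [
    {"name": "passwordFile", "type": "PlainPasswordFile",
     "path": "${qpid.home_dir}${file.separator}etc${file.separator}passwd"},
    {"name": "devPasswords", "type": "PlainPasswordFile",
     "path": "/tmp/passwd", "secureOnlyMechanisms": []},
    {"name": "legacy", "type": "PlainPasswordFile",
     "path": "/tmp/passwd2", "secureOnlyMechanisms": ["CRAM-MD5"]}
  ]
}
"""


def find_plain_over_cleartext(config_text):
    """Return (provider name, reason) for each provider whose
    secureOnlyMechanisms override no longer restricts PLAIN to TLS."""
    config = json.loads(config_text)
    findings = []
    for provider in config.get("authenticationproviders", []):
        name = provider.get("name", "<unnamed>")
        if "secureOnlyMechanisms" not in provider:
            continue  # assumption: the broker default keeps PLAIN TLS-only
        mechs = provider["secureOnlyMechanisms"]
        if not isinstance(mechs, list):
            findings.append((name, "secureOnlyMechanisms is not a list"))
        elif "PLAIN" not in [str(m).upper() for m in mechs]:
            listed = ", ".join(map(str, mechs)) or "empty list"
            findings.append((name, "PLAIN not restricted to TLS (%s)" % listed))
    return findings


if __name__ == "__main__":
    for name, reason in find_plain_over_cleartext(SAMPLE_CONFIG):
        print("%s: %s" % (name, reason))
```

Running it against a production config before deployment catches the case raised in the thread, where the override is set for testing and then forgotten.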