Looks good to me. Anyone else think otherwise?

Robbie

On 23 June 2015 at 17:41, Lorenz Quack <[email protected]> wrote:
> The general consensus seems to be that the docs should change and reflect
> that:
>  * the available mechanisms change with the underlying transport and
>  * this can be influenced by setting secureOnlyMechanisms in the
>    config.json.
>
> I created QPID-6606 and attached a patch with a suggested wording.
>
> Kind Regards,
> Lorenz
>
> On 12/06/15 11:00, Robbie Gemmell wrote:
>>
>> On 12 June 2015 at 10:48, Rob Godfrey <[email protected]> wrote:
>>>
>>> On 12 June 2015 at 11:18, Robbie Gemmell <[email protected]>
>>> wrote:
>>>>
>>>> I tend to disagree. The option exists, and seems about as useful (if
>>>> obviously slightly different) as e.g. being able to enable the
>>>> ANONYMOUS authentication provider. Having it written down somewhere
>>>> other than a mailing list would make answering this type of question
>>>> simpler in future (or avoid it having to be asked).
>>>>
>>> I'm not against the option being documented in terms of the config
>>> file, or the REST call - but I do think that it should be relatively
>>> hard to find :-)
>>
>> That's why I mentioned the docbook :)
>>
>>> Once you make the change it is relatively easy to
>>> forget about it and then never fix to a more secure configuration when
>>> you go into a production environment. I'd much rather we make it easy
>>> for people to build secure installations and harder to build insecure
>>> ones.
>>>
>>>> Is the fact that the broker only offers PLAIN when using SSL actually
>>>> documented either? To be fair, the precise mechanisms supported by
>>>> each Authentication Provider have never really been documented
>>>> explicitly (only implicitly in some cases by their names), but given
>>>> this was a change in behaviour from the past and isn't particularly
>>>> obvious it might be nice if it was called out somewhere.
>>>
>>> The documentation doesn't tend to go into the detail of the SASL
>>> mechanisms available from each provider (and how they may differ
>>> between TLS and non-TLS)... and from a general user perspective I'm
>>> not sure that would be useful.
>>
>> I have seen quite a few users ask the 'what mechanisms are supported?'
>> question on IRC in recent times. Admittedly it was typically due to
>> this scenario or trying to enable ANONYMOUS.
>>
>>> The issue here is interop between
>>> clients and brokers... and in general I think all clients should
>>> support some way of sending password information in non-plaintext if
>>> they are not using an encrypted channel.
>>>
>>> -- Rob
>>
>> No argument there, I agree.
>>
>>>> Robbie
>>>>
>>>> On 12 June 2015 at 09:25, Lorenz Quack <[email protected]> wrote:
>>>>>
>>>>> I'm not sure this should be in the docs. I would not encourage people
>>>>> to send password in the clear over a network.
>>>>>
>>>>> Lorenz
>>>>>
>>>>> On 11/06/15 17:37, Robbie Gemmell wrote:
>>>>>>
>>>>>> Can this be added to the documentation to make it easier to point
>>>>>> people at, and make it better known? Assuming it isn't already that is,
>>>>>> I had a peek for the 0.32 docs but didn't see it.
>>>>>>
>>>>>> Robbie
>>>>>>
>>>>>> On 11 June 2015 at 16:20, Lorenz Quack <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi Mansour,
>>>>>>>
>>>>>>> if you want to connect with SASL PLAIN on an unsecured connection
>>>>>>> (which is obviously not recommended), you need to tell the to allow this.
>>>>>>> You can do this by setting
>>>>>>>     "secureOnlyMechanisms" : [ ]
>>>>>>> in the plain authenticationProvider section in your config.json file.
>>>>>>>
>>>>>>> It should then look something like this:
>>>>>>>
>>>>>>>   "authenticationproviders" : [ {
>>>>>>>     "name" : "passwordFile",
>>>>>>>     "type" : "PlainPasswordFile",
>>>>>>>     "path" : "${qpid.home_dir}${file.separator}etc${file.separator}passwd",
>>>>>>>     "secureOnlyMechanisms" : [ ],
>>>>>>>     "preferencesproviders" : [{
>>>>>>>         "name": "fileSystemPreferences",
>>>>>>>         "type": "FileSystemPreferences",
>>>>>>>         "path" : "${qpid.work_dir}${file.separator}user.preferences.json"
>>>>>>>     }]
>>>>>>>   } ],
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> Lorenz
>>>>>>>
>>>>>>> On 11/06/15 16:09, Mansour Al Akeel wrote:
>>>>>>>>
>>>>>>>> I restarted the server, but still no juice !
>>>>>>>> is there a way I can tell proton to use AMQP 0-9 or 0-10 ?
>>>>>>>>
>>>>>>>> I think reverting back to a previous version should solve my
>>>>>>>> problems for now !
>>>>>>>>
>>>>>>>> On Thu, Jun 11, 2015 at 6:52 PM, Gordon Sim <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> On 06/11/2015 03:28 PM, Mansour Al Akeel wrote:
>>>>>>>>>>
>>>>>>>>>> Gordon,
>>>>>>>>>> thank you.
>>>>>>>>>> I added Both Anonymous and PLAIN. Here's the steps to add them from
>>>>>>>>>> the httpManagement console:
>>>>>>>>>> -Double click "Broker" folder. Go to "Authentication Providers", and
>>>>>>>>>> click add.
>>>>>>>>>> -Fill the current information:
>>>>>>>>>> Name: anonymous
>>>>>>>>>> Type: Anonymous
>>>>>>>>>>
>>>>>>>>>> -Then did it again for Plain:
>>>>>>>>>> Name: PLAIN
>>>>>>>>>> Type: Plain
>>>>>>>>>> and added a user guest:guest
>>>>>>>>>>
>>>>>>>>>> Now, went to "Broker >> Ports >> AMQP", Then " >> Edit" I changed
>>>>>>>>>> the "Authorization Provider", once for PLAIN and for Anonymous.
>>>>>>>>>>
>>>>>>>>>> With PLAIN and client side credentials "guest:guest", I am getting
>>>>>>>>>> on the broker:
>>>>>>>>>>
>>>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: messages-delivered-1-13
>>>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: data-delivered-1-14
>>>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: messages-received-1-15
>>>>>>>>>> 2015-06-11 18:22:35,527 INFO [IoReceiver - /127.0.0.1:33637] (stats.StatisticsCounter) - Resetting statistics for counter: data-received-1-16
>>>>>>>>>> 2015-06-11 18:22:35,527 DEBUG [IoReceiver - /127.0.0.1:33637] (FRM) - SEND[/127.0.0.1:33637|0] : SaslMechanisms{saslServerMechanisms=[CRAM-MD5]}
>>>>>>>>>
>>>>>>>>> That looks like CRAM-MD5 is still the only option offered... did you
>>>>>>>>> try restarting the broker (I'm not sure if this is required)?
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>>>
>>>>>>>>>> While we are on this subject, I went back and tried to reinstall
>>>>>>>>>> python-qpid-proton, getting an error when installing it. The
>>>>>>>>>> installer reports a success.
>>>>>>>>>> However, there are some errors installing
>>>>>>>>>> python-qpid-proton:
>>>>>>>>>>
>>>>>>>>>> ===============================================
>>>>>>>>>> localhost qpid-broker # pip install python-qpid-proton
>>>>>>>>>> Downloading/unpacking python-qpid-proton
>>>>>>>>>> Downloading python-qpid-proton-0.9.1.zip (90kB): 90kB downloaded
>>>>>>>>>> Running setup.py (path:/tmp/pip_build_root/python-qpid-proton/setup.py) egg_info for package python-qpid-proton
>>>>>>>>>>
>>>>>>>>>> Installing collected packages: python-qpid-proton
>>>>>>>>>> Running setup.py install for python-qpid-proton
>>>>>>>>>> Did not find libqpid-proton via pkg-config:
>>>>>>>>>>
>>>>>>>>>> Using bundled libqpid-proton
>>>>>>>>>> fetching http://www.apache.org/dist/qpid/proton/0.9.1/qpid-proton-0.9.1.tar.gz into build/bundled
>>>>>>>>>> Using openssl (found via pkg-config).
>>>>>>>>>> cc -c /tmp/clock_getttimeuwm6XO.c -o build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o
>>>>>>>>>> cc build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o -o build/temp.linux-x86_64-2.7/a.out
>>>>>>>>>> build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o: In function `main':
>>>>>>>>>> clock_getttimeuwm6XO.c:(.text+0x15): undefined reference to `clock_getttime'
>>>>>>>>>
>>>>>>>>> That looks like it might just be a test for determining what is
>>>>>>>>> available. If the install proceeded without error after that, I would
>>>>>>>>> not worry about it.
>>>>>>>>>
>>>>>>>>>> collect2: error: ld returned 1 exit status
>>>>>>>>>> building 'libqpid-proton' extension
>>>>>>>>>> x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include -I/usr/include/python2.7 -c /tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.c -o build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.o -std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETTIME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
>>>>>>>>>> x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include -I/usr/include/python2.7 -c /tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.c -o build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.o -std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETTIME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
>>>>>>>>>> ......

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
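
Added example (not part of the original thread and not Qpid project code): a small audit that reads a broker config.json and reports authentication providers where the secureOnlyMechanisms setting discussed above no longer restricts PLAIN to TLS, or where the Anonymous provider is enabled. The sample config, the function name audit_auth_providers and the finding strings are constructed for illustration; an absent secureOnlyMechanisms key is assumed to mean the broker default, which per the thread offers PLAIN only over SSL.

```python
import json

# Constructed sample config.json, not from a real deployment. The first
# provider mirrors the snippet quoted in the thread.
SAMPLE_CONFIG = r"""
{
  "name": "Broker",
  "authenticationproviders": [
    {"name": "passwordFile",
     "type": "PlainPasswordFile",
     "path": "${qpid.home_dir}${file.separator}etc${file.separator}passwd",
     "secureOnlyMechanisms": []},
    {"name": "hardened",
     "type": "PlainPasswordFile",
     "path": "${qpid.home_dir}${file.separator}etc${file.separator}passwd2",
     "secureOnlyMechanisms": ["PLAIN"]},
    {"name": "defaults", "type": "PlainPasswordFile"},
    {"name": "anonymous", "type": "Anonymous"}
  ]
}
"""


def audit_auth_providers(config_text):
    """Return (provider name, finding) pairs for weakened providers."""
    findings = []
    config = json.loads(config_text)
    for provider in config.get("authenticationproviders", []):
        name = provider.get("name", "<unnamed>")
        # Assumption: an absent key means the broker default, which per the
        # thread offers PLAIN only over SSL/TLS.
        secure_only = provider.get("secureOnlyMechanisms")
        if secure_only is not None:
            restricted = {str(m).upper() for m in secure_only}
            if "PLAIN" not in restricted:
                findings.append((name, "PLAIN offered on non-TLS transport"))
        # Type name as entered in the management console step in the thread.
        if provider.get("type") == "Anonymous":
            findings.append((name, "anonymous authentication enabled"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_auth_providers(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Running a check like this against the deployed config.json before promoting a broker to production catches the case raised in the thread, where the relaxed setting is made for testing and then forgotten.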
