qpid-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Qpid > Add New Users
Date Mon, 24 Aug 2009 02:27:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=qpid&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/qpid/Add+New+Users">Add
New Users</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~robbie">Robbie
Gemmell</a>
    </h4>
     
          <br/>
     <div class="notificationGreySide">
         <p>The Qpid Java Broker has a single reference source (<a href="todo://api/PrincipalDatabase"
rel="nofollow">PrincipalDatabase</a>) that defines all the users in the system.</p>

<p>To add a new user to the broker, the password file must be updated. How entries are
added, and when such updates take effect, depend on the file format; each format is
described below.</p>

<h2><a name="AddNewUsers-AvailablePasswordfileformats"></a>Available Password
file formats</h2>

<p>There are currently two different file formats available, depending on which
PrincipalDatabase is desired. In all cases the clients need not be aware of the type
of PrincipalDatabase in use; they only need to support the SASL mechanisms it provides.</p>

<ul>
	<li><a href="#AddNewUsers-plain">Plain</a></li>
	<li><a href="#AddNewUsers-base64md5">Base64MD5</a></li>
</ul>



<p><a name="AddNewUsers-plain"></a></p>
<h3><a name="AddNewUsers-Plain"></a>Plain</h3>

<p>The plain file has the following format:</p>

<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre># Plain password authentication file.
# default name : passwd
# Format &lt;username&gt;:&lt;password&gt;
#e.g.
martin:password
</pre>
</div></div>

<p>The contents of the file are plain text, and the password is taken to be everything
to the right of the ':' (colon). The password, therefore, cannot contain a ':' (colon), but
the colon can be used to delimit the password.</p>

<p>Lines starting with a '#' are treated as comments.</p>

<h3><a name="AddNewUsers-Whereisthepasswordfileformybroker%3F"></a>Where
is the password file for my broker ?</h3>

<p>The location of the password file in use for your broker is as configured in your
config.xml file.</p>

<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
<span class="code-tag">&lt;principal-databases&gt;</span>
            <span class="code-tag">&lt;principal-database&gt;</span>
                <span class="code-tag">&lt;name&gt;</span>passwordfile<span
class="code-tag">&lt;/name&gt;</span>
                <span class="code-tag">&lt;class&gt;</span>org.apache.qpid.server.security.auth.database.PlainPasswordFilePrincipalDatabase<span
class="code-tag">&lt;/class&gt;</span>
                <span class="code-tag">&lt;attributes&gt;</span>
                    <span class="code-tag">&lt;attribute&gt;</span>
                        <span class="code-tag">&lt;name&gt;</span>passwordFile<span
class="code-tag">&lt;/name&gt;</span>
                        <span class="code-tag">&lt;value&gt;</span>${conf}/passwd<span
class="code-tag">&lt;/value&gt;</span>
                    <span class="code-tag">&lt;/attribute&gt;</span>
                <span class="code-tag">&lt;/attributes&gt;</span>
            <span class="code-tag">&lt;/principal-database&gt;</span>
        <span class="code-tag">&lt;/principal-databases&gt;</span>
</pre>
</div></div>

<p>So in the example config.xml file this password file lives in the directory specified
as the conf directory (at the top of your config.xml file).</p>

<p>The default is:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-xml">
 <span class="code-tag">&lt;conf&gt;</span>${prefix}/etc<span class="code-tag">&lt;/conf&gt;</span>
</pre>
</div></div>

<p><a name="AddNewUsers-base64md5"></a></p>
<h3><a name="AddNewUsers-Base64MD5PasswordFileFormat"></a>Base64MD5 Password
File Format</h3>

<p>This format can be used to ensure that system administrators (SAs) cannot read the plain
text password values from your password file on disk.</p>

<p>The Base64MD5 file uses the following format:</p>

<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent
panelContent">
<pre># Base64MD5 password authentication file
# default name : qpid.passwd
# Format &lt;username&gt;:&lt;Base64 Encoded MD5 hash of the users password&gt;
#e.g.
martin:X03MO1qnZdYdgyfeuILPmQ==
</pre>
</div></div>

<p>As with the Plain format, the line is delimited by a ':' (colon). The password field
contains the MD5 hash of the user's password, encoded in Base64.</p>

<p>This file is read on broker start-up and is not re-read.</p>

<h3><a name="AddNewUsers-HowcanIupdateaBase64MD5passwordfile%3F"></a>How
can I update a Base64MD5 password file ?</h3>

<p>To update the file there are two options:</p>
<ol>
	<li>Edit the file by hand, using the <em>qpid-passwd</em> tool to
generate the required lines. The output from the tool is the text that needs to be copied
into your active password file. This tool is located in the broker bin directory.<br/>
  Eventually it is planned for this tool to emulate the functionality of <a href="http://httpd.apache.org/docs/2.0/programs/htpasswd.html"
rel="nofollow">htpasswd</a> for qpid passwd files.<br/>
  <b>NOTE:</b> For the changes to be seen by the broker you must either restart
the broker or reload the data with the management tools (see <a href="/confluence/display/qpid/Qpid+Management+Console+User+Guide"
title="Qpid Management Console User Guide">Qpid Management Console User Guide</a>).</li>
	<li>Use the management tools to create a new user. The changes will be made by the
broker to the password file and the new user will be immediately available to the system (see
<a href="/confluence/display/qpid/Qpid+Management+Console+User+Guide" title="Qpid Management
Console User Guide">Qpid Management Console User Guide</a>).</li>
</ol>
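<p>The following Python script is an added example (not code from the Qpid project or the qpid-passwd tool) that shows what the two file formats above amount to in practice: it parses both the Plain and the Base64MD5 layouts (comment lines, the ':' delimiter), produces a Base64MD5 line for a new user the way a hand edit would need one, and checks a presented password against each store. The sample file contents are constructed from the examples on this page; the function and file names are this example's own.</p>

```python
import base64
import hashlib
import hmac

# Constructed sample files mirroring the two formats documented on the page.
PLAIN_PASSWD = """# Plain password authentication file.
# default name : passwd
# Format <username>:<password>
#e.g.
martin:password
"""

BASE64MD5_PASSWD = """# Base64MD5 password authentication file
# default name : qpid.passwd
# Format <username>:<Base64 Encoded MD5 hash of the users password>
#e.g.
martin:X03MO1qnZdYdgyfeuILPmQ==
"""


def parse_password_file(text):
    """Parse either file format into {username: secret}.

    Lines starting with '#' are comments and blank lines are skipped.
    The username is everything before the ':' and the secret everything
    after it, so a username can never contain a colon.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, secret = line.partition(":")
        if not sep:
            raise ValueError("malformed line (no ':' delimiter): %r" % raw)
        entries[user] = secret
    return entries


def base64md5_secret(password):
    """Base64(MD5(password)): the value stored in a Base64MD5 password file."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def make_base64md5_line(username, password):
    """The line to append to qpid.passwd for a new user (hand-edit option)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    return "%s:%s" % (username, base64md5_secret(password))


def add_user_base64md5(file_text, username, password):
    """Return the file contents with a new Base64MD5 entry appended."""
    if not file_text.endswith("\n"):
        file_text += "\n"
    return file_text + make_base64md5_line(username, password) + "\n"


def verify_plain(entries, username, password):
    """Plain store: compare the presented password with the stored one."""
    stored = entries.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def verify_base64md5(entries, username, password):
    """Base64MD5 store: hash the presented password and compare encodings."""
    stored = entries.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode("ascii"),
                               base64md5_secret(password).encode("ascii"))


if __name__ == "__main__":
    plain = parse_password_file(PLAIN_PASSWD)
    hashed = parse_password_file(BASE64MD5_PASSWD)
    print("plain ok:", verify_plain(plain, "martin", "password"))
    print("md5 ok:", verify_base64md5(hashed, "martin", "password"))
    updated = add_user_base64md5(BASE64MD5_PASSWD, "alice", "s3cret")
    print(updated)
```

<p>Running the script confirms that the documented example line for <code>martin</code> is exactly Base64 of the MD5 digest of the string <code>password</code>. Note that the digest is unsalted, so an attacker who obtains the file can test candidate passwords against it offline as cheaply as the script does here; the Base64MD5 format hides the literal password from whoever reads the file, but file permissions on <code>${conf}/qpid.passwd</code> remain the real control.</p>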


<h2><a name="AddNewUsers-Dynamicchangestopasswordfiles."></a>Dynamic changes
to password files.</h2>

<p>The Plain password file and the Base64MD5 format file are both only read once on
start up. </p>

<p>To make changes dynamically there are two options, both require administrator access
via the Management Console (see <a href="/confluence/display/qpid/Qpid+Management+Console+User+Guide"
title="Qpid Management Console User Guide">Qpid Management Console User Guide</a>)</p>

<ol>
	<li>You can replace the file and use the console to reload its contents.</li>
	<li>The management console provides an interface to create, delete and amend the users.
These changes are written back to the active password file.</li>
</ol>



<h2><a name="AddNewUsers-HowpasswordfilesandPrincipalDatabasesrelatetoauthenticationmechanisms"></a>How
password files and PrincipalDatabases relate to authentication mechanisms</h2>

<p>For each type of password file a PrincipalDatabase exists that parses the contents.
These PrincipalDatabases load the SASL mechanisms they are able to support; for example, the
Base64MD5 file format cannot support PLAIN authentication because the plain password is not available.
Any client connecting need only be concerned with the SASL mechanisms it supports, not the
type of PrincipalDatabase. So a client that understands CRAM-MD5 will work correctly with
both a Plain and a Base64MD5 PrincipalDatabase.</p>

<table class='confluenceTable'><tbody>
<tr>
<th class='confluenceTh'>File format / PrincipalDatabase</th>
<th class='confluenceTh'>SASL mechanisms</th>
</tr>
<tr>
<td class='confluenceTd'>Plain</td>
<td class='confluenceTd'>AMQPLAIN, PLAIN, CRAM-MD5</td>
</tr>
<tr>
<td class='confluenceTd'>Base64MD5</td>
<td class='confluenceTd'>CRAM-MD5, CRAM-MD5-HASHED</td>
</tr>
</tbody></table>

<p>For details of SASL support see <a href="/confluence/display/qpid/Qpid+Interoperability+Documentation"
title="Qpid Interoperability Documentation">Qpid Interoperability Documentation</a>.</p>
     </div>
     <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;">
            <a href="http://cwiki.apache.org/confluence/users/viewnotifications.action"
class="grey">Change Notification Preferences</a>
       </div>

       <a href="http://cwiki.apache.org/confluence/display/qpid/Add+New+Users">View
Online</a>
       |
       <a href="http://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=87474&revisedVersion=10&originalVersion=9">View
Change</a>
              |
       <a href="http://cwiki.apache.org/confluence/display/qpid/Add+New+Users?showComments=true&amp;showCommentArea=true#addcomment">Add
Comment</a>
            </div>
</div>
</div>
</div>
</div>
</body>
</html>

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:commits-subscribe@qpid.apache.org

