qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alan Conway (JIRA)" <qpid-...@incubator.apache.org>
Subject [jira] Commented: (QPID-2187) Allow clients to make secure/authenticated connections to a cluster.
Date Wed, 02 Jun 2010 15:59:39 GMT

    [ https://issues.apache.org/jira/browse/QPID-2187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12874628#action_12874628
] 

Alan Conway commented on QPID-2187:
-----------------------------------

In revision 950608 fixed a remaining race condition that caused clients to exit with "reserved
bits not 0" exception.

> Allow clients to make secure/authenticated connections to a cluster.
> --------------------------------------------------------------------
>
>                 Key: QPID-2187
>                 URL: https://issues.apache.org/jira/browse/QPID-2187
>             Project: Qpid
>          Issue Type: Improvement
>         Environment: all
>            Reporter: Ken Giusti
>            Assignee: michael j. goulish
>         Attachments: 944158.diff
>
>
> The current implementation of clustering does not correctly handle authentication correctly.
   From the trunk build:
> [kgiusti@localhost src]$ ./qpidd --auth yes --realm KGIUSTI.COM --log-enable info+  --load-module
./.libs/cluster.so  --cluster-name ken
> 2009-11-02 10:30:58 info Loaded Module: ./.libs/cluster.so
> 2009-11-02 10:30:58 info Management enabled
> 2009-11-02 10:30:58 notice Initializing CPG
> 2009-11-02 10:30:58 notice cluster(127.0.0.1:14581 INIT) membership change: 127.0.0.1:14581
(joined: 127.0.0.1:14581(joined) )
> 2009-11-02 10:30:58 info No message store configured, persistence is disabled.
> 2009-11-02 10:30:58 info SASL enabled
> 2009-11-02 10:30:58 notice Listening on TCP port 5672
> 2009-11-02 10:30:58 notice cluster(127.0.0.1:14581 INIT) joining cluster ken with url=amqp:tcp:10.16.19.19:5672,tcp:10.16.14.69:5672,tcp:192.168.122.1:5672
> 2009-11-02 10:30:58 notice Broker running
> 2009-11-02 10:30:58 info cluster(127.0.0.1:14581 READY) member update: 127.0.0.1:14581(member)
> 2009-11-02 10:30:58 notice cluster(127.0.0.1:14581 READY) first in cluster
> 2009-11-02 10:31:05 info SASL: Mechanism list: ANONYMOUS PLAIN DIGEST-MD5 LOGIN GSSAPI
CRAM-MD5
> 2009-11-02 10:31:05 info cluster(127.0.0.1:14581 READY) new local connection 127.0.0.1:14581-1
> 2009-11-02 10:31:05 info SASL: Starting authentication with mechanism: GSSAPI
> 2009-11-02 10:31:05 info SASL: Authentication succeeded for: testuser@KGIUSTI.COM
> 2009-11-02 10:31:05 error cluster(127.0.0.1:14581 READY) aborting connection 127.0.0.1:14581-1:
framing-error: Reserved bits not zero (qpid/framing/AMQFrame.cpp:132)
> 2009-11-02 10:31:05 info cluster(127.0.0.1:14581 READY) connection closed 127.0.0.1:14581-1
>     
> The above error occurs when running perftest against the cluster in the following manner:
> [kgiusti@localhost tests]$ /usr/kerberos/bin/kinit testuser@KGIUSTI.COM
> [kgiusti@localhost tests]$ ./perftest -b localhost.localdomain --mechanism GSSAPI --username
testuser --tx 1 --count 1 --summary --log-enable info+
> 2009-11-02 10:31:05 info Connecting to tcp:localhost.localdomain:5672
> 2009-11-02 10:31:05 info Installing security layer,  SSF: 56
> 2009-11-02 10:31:05 warning Connection closed
> Running the same test, but turning off clustering, authentication succeeds.
> Alan has determined that the problem is due to the way the clustered broker constructs
the codec chain.  The chain is built without the codec for a secure connection.
> The correct solution would implement a mechanism that allows more generic chaining of
the codecs.  It should be possible to allow codecs to be built that support both clustering
and security/authentication.  
> In this case, the fix would secure the client/broker connection, and mirror the unencrypted
data across the cluster.   
> Does this make sense?  Opinions welcome.
>  

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:dev-subscribe@qpid.apache.org


Mime
View raw message