qpid-users mailing list archives

From Pavel Moravec <pmora...@redhat.com>
Subject Re: Is it possible to set authentication to only authenticate consumers?
Date Fri, 07 Oct 2011 11:50:03 GMT
Hi Frase,
qpidd chooses the most secure of the available mechanisms every time, when
possible. I think the SASL library itself does not have a priority list; the decision is
made by qpidd only.

Kind regards,
Pavel


----- Original Message -----
> From: "Fraser Adams" <fraser.adams@blueyonder.co.uk>
> To: users@qpid.apache.org
> Sent: Friday, October 7, 2011 1:32:02 PM
> Subject: Re: Is it possible to set authentication to only authenticate consumers?
> 
> I think I'm sorted now.
> 
> I added:
> 
> mech_list: anonymous plain
> 
> to my qpidd.conf and that seems to work.
> 
> Out of curiosity, does SASL choose the mechanisms in order here? Without
> specifying mech_list the broker trace indicated that it was supporting a
> wide range of mechanisms including anonymous, yet it chose MD5-DIGEST (I
> think) when it was initially failing with my C++ client.
> 
> Frase
> 
> 
> 
> Fraser Adams wrote:
> > Gordon Sim wrote:
> >> On 10/03/2011 06:42 PM, Fraser Adams wrote:
> >>> Is it possible to set authentication to only authenticate consumers so
> >>> producers can connect in without needing authentication?
> >>
> >> You can allow both anonymous- and known- users to connect, and then
> >> use ACLs to only allow the known users to consume while allowing
> >> everyone (including anonymous users) to publish.
> >>
> > Hi Gordon,
> > How would I go about enabling anonymous authentication? I've
> > successfully authenticated my basic Java client using the
> > "guest/guest" username/password - I'm guessing that's not "anonymous"
> > though as it clearly has a name :-).
> >
> > I've just run up a basic C++ client and that asks for a password. It
> > appears to be sending the account name as the username (in other words
> > in my case it's saying Authentication failed for
> > fadams@QPID:SASL(-13): authentication failure: client response doesn't
> > match what we generated).
> >
> > My client is pretty basic and has
> >    string broker = "localhost:5672";
> >    string connectionOptions = "{reconnect: true}";
> >
> > Now I think that I can add username/password to the connection options
> > and I noticed a sasl_mechanisms connection option so I may be able
> > to explicitly set that to anonymous.
> >
> > But both of these would require code changes. That's fine in my case
> > here where I can change the code, but in a real world scenario I've
> > got a lot of producers (and I'm not convinced that the developers have
> > necessarily made the connection options configurable) currently
> > connecting to a broker with authentication disabled. I'd like to be
> > able to "authenticate" without them having to change and to add ACL
> > rules to only allow them to produce.
> >
> > I'd have thought that anonymous would have been something that I could
> > enable on the broker config.
> >
> > Have I missed something?
> >
> > MTIA
> > Frase
> >
> >
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > Apache Qpid - AMQP Messaging Implementation
> > Project:      http://qpid.apache.org
> > Use/Interact: mailto:users-subscribe@qpid.apache.org
> >
> >
> 
> 
> 
> 


