qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Godfrey <rob.j.godf...@gmail.com>
Subject Re: Runnig python examples
Date Fri, 12 Jun 2015 09:48:56 GMT
On 12 June 2015 at 11:18, Robbie Gemmell <robbie.gemmell@gmail.com> wrote:
> I tend to disagree. The option exists, and seems about as useful (if
> obviously slightly different) as e.g. being able to enable the
> ANONYMOUS authentication provider. Having it written down somewhere
> other than a mailing list would make answering this type of question
> simpler in future (or avoid it having to be asked).
>

I'm not against the option being documented in terms of the config
file, or the REST call - but I do think that it should be relatively
hard to find :-) Once you make the change it is relatively easy to
forget about it and then never fix to a more secure configuration when
you go into a production environment.  I'd much rather we make it easy
for people to build secure installations and harder to build insecure
ones.

> Is the fact that the broker only offers PLAIN when using SSL actually
> documented either? To be fair, the precise mechanisms supported by
> each Authentication Provider have never really been documented
> explicitly (only implicitly in some cases by their names), but given
> this was a change in behaviour from the past and isnt particularly
> obvious it might be nice if it was called out somewhere.

The documentation doesn't tend to go into the detail of the SASL
mechanisms available from each provider (and how they may differ
between TLS and non-TLS)... and from a general user perspective I'm
not sure that would be useful.  The issue here is interop between
clients and brokers... and in general I think all clients should
support some way of sending password information in non-plaintext if
they are not using an encrypted channel.

-- Rob

> Robbie
>
> On 12 June 2015 at 09:25, Lorenz Quack <quack.lorenz@gmail.com> wrote:
>> I'm not sure this should be in the docs. I would not encourage people to
>> send password in the clear over a network.
>>
>> Lorenz
>>
>>
>>
>> On 11/06/15 17:37, Robbie Gemmell wrote:
>>>
>>> Can this be added to the documentation to make it easier to point
>>> people at, and make it better known? Assuming it isnt already that is,
>>> I had a peek for the 0.32 docs but didnt see it.
>>>
>>> Robbie
>>>
>>> On 11 June 2015 at 16:20, Lorenz Quack <quack.lorenz@gmail.com> wrote:
>>>>
>>>> Hi Mansour,
>>>>
>>>> if you want to connect with SASL PLAIN on a unsecured connection (which
>>>> is
>>>> obviously not recommended). you need to tell the to allow this.
>>>> You can do this by setting
>>>> "secureOnlyMechanisms" : [ ]
>>>> in the plain authenticationProvider section in your config.json file.
>>>>
>>>> It should then look something like this:
>>>>
>>>> "authenticationproviders" : [ {
>>>>      "name" : "passwordFile",
>>>>      "type" : "PlainPasswordFile",
>>>>      "path" :
>>>> "${qpid.home_dir}${file.separator}etc${file.separator}passwd",
>>>>      "secureOnlyMechanisms" : [ ],
>>>>      "preferencesproviders" : [{
>>>>          "name": "fileSystemPreferences",
>>>>          "type": "FileSystemPreferences",
>>>>          "path" :
>>>> "${qpid.work_dir}${file.separator}user.preferences.json"
>>>>      }]
>>>>    } ],
>>>>
>>>>
>>>> Kind Regards,
>>>> Lorenz
>>>>
>>>>
>>>>
>>>>
>>>> On 11/06/15 16:09, Mansour Al Akeel wrote:
>>>>>
>>>>> I restarted the server, but still no juice !
>>>>> is there a way I can tell proton to use AMPQ 0-9 or 0-10 ?
>>>>>
>>>>> I think reverting back to a previous version should solve my problems
>>>>> for
>>>>> now !
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Jun 11, 2015 at 6:52 PM, Gordon Sim <gsim@redhat.com> wrote:
>>>>>>
>>>>>> On 06/11/2015 03:28 PM, Mansour Al Akeel wrote:
>>>>>>>
>>>>>>> Gordon,
>>>>>>> thank you.
>>>>>>> I added Both Anonymous and PLAIN. Here's the steps to add them
from
>>>>>>> the httpManagement console:
>>>>>>> -Double click "Broker" folder. Go to "Authentication Providers",
and
>>>>>>> click
>>>>>>> add.
>>>>>>> -Fill the current information:
>>>>>>> Name: anonymous
>>>>>>> Type: Anonymous
>>>>>>>
>>>>>>> -Then did it again for Plain:
>>>>>>> Name: PLAIN
>>>>>>> Type: Plain
>>>>>>> and added a user guest:guest
>>>>>>>
>>>>>>>
>>>>>>> Now, went to "Broker >> Ports >> AMQP", Then " >>
Edit" I changed the
>>>>>>> "Authorization Provider", once for PLAIN and for Anonymous.
>>>>>>>
>>>>>>> With PLAIN and client side credentials "guest:guest", I am getting
on
>>>>>>> the broker:
>>>>>>>
>>>>>>>
>>>>>>> 2015-06-11 18:22:35,527 INFO  [IoReceiver - /127.0.0.1:33637]
>>>>>>> (stats.StatisticsCounter) - Resetting statistics for counter:
>>>>>>> messages-delivered-1-13
>>>>>>> 2015-06-11 18:22:35,527 INFO  [IoReceiver - /127.0.0.1:33637]
>>>>>>> (stats.StatisticsCounter) - Resetting statistics for counter:
>>>>>>> data-delivered-1-14
>>>>>>> 2015-06-11 18:22:35,527 INFO  [IoReceiver - /127.0.0.1:33637]
>>>>>>> (stats.StatisticsCounter) - Resetting statistics for counter:
>>>>>>> messages-received-1-15
>>>>>>> 2015-06-11 18:22:35,527 INFO  [IoReceiver - /127.0.0.1:33637]
>>>>>>> (stats.StatisticsCounter) - Resetting statistics for counter:
>>>>>>> data-received-1-16
>>>>>>> 2015-06-11 18:22:35,527 DEBUG [IoReceiver - /127.0.0.1:33637]
(FRM) -
>>>>>>> SEND[/127.0.0.1:33637|0] :
>>>>>>> SaslMechanisms{saslServerMechanisms=[CRAM-MD5]}
>>>>>>
>>>>>>
>>>>>> That looks like CRAM-MD5 is still the only option offered... did
you
>>>>>> try
>>>>>> restarting the broker (I'm not sure if this is required)?
>>>>>>
>>>>>> [...]
>>>>>>>
>>>>>>> While we are on this subject, I went back and tried to reinstall
>>>>>>> python-qpid-proton, getting an error when installing it. The
installer
>>>>>>> reports a success. However, there are some errors installing
>>>>>>> python-qpid-proton:
>>>>>>>
>>>>>>> ===============================================
>>>>>>> localhost qpid-broker # pip install python-qpid-proton
>>>>>>> Downloading/unpacking python-qpid-proton
>>>>>>>      Downloading python-qpid-proton-0.9.1.zip (90kB): 90kB downloaded
>>>>>>>      Running setup.py
>>>>>>> (path:/tmp/pip_build_root/python-qpid-proton/setup.py) egg_info
for
>>>>>>> package python-qpid-proton
>>>>>>>
>>>>>>> Installing collected packages: python-qpid-proton
>>>>>>>      Running setup.py install for python-qpid-proton
>>>>>>>        Did not find libqpid-proton via pkg-config:
>>>>>>>
>>>>>>>        Using bundled libqpid-proton
>>>>>>>        fetching
>>>>>>> http://www.apache.org/dist/qpid/proton/0.9.1/qpid-proton-0.9.1.tar.gz
>>>>>>> into build/bundled
>>>>>>>        Using openssl (found via pkg-config).
>>>>>>>        cc -c /tmp/clock_getttimeuwm6XO.c -o
>>>>>>> build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o
>>>>>>>        cc build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o
-o
>>>>>>> build/temp.linux-x86_64-2.7/a.out
>>>>>>>        build/temp.linux-x86_64-2.7/tmp/clock_getttimeuwm6XO.o:
In
>>>>>>> function
>>>>>>> `main':
>>>>>>>        clock_getttimeuwm6XO.c:(.text+0x15): undefined reference
to
>>>>>>> `clock_getttime'
>>>>>>
>>>>>>
>>>>>> That looks like it might just be a test for determining what is
>>>>>> available.
>>>>>> If the install proceeded without error after that, I would not worry
>>>>>> about
>>>>>> it.
>>>>>>
>>>>>>>        collect2: error: ld returned 1 exit status
>>>>>>>        building 'libqpid-proton' extension
>>>>>>>        x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include
>>>>>>> -I/usr/include/python2.7 -c /tmp/pip_build
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.c
>>>>>>> -o
>>>>>>>
>>>>>>>
>>>>>>> build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/record.o
>>>>>>> -std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETT
>>>>>>> IME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
>>>>>>>        x86_64-pc-linux-gnu-gcc -pthread -fPIC -Ibuild/include
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -I/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/include
>>>>>>> -I/usr/include/python2.7 -c /tmp/pip_build
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.c
>>>>>>> -o
>>>>>>>
>>>>>>>
>>>>>>> build/temp.linux-x86_64-2.7/tmp/pip_build_root/python-qpid-proton/build/bundled/qpid-proton/proton-c/src/object/string.o
>>>>>>> -std=gnu99 -Dqpid_proton_EXPORTS -DUSE_ATOLL -DUSE_CLOCK_GETT
>>>>>>> IME -DUSE_STRERROR_R -DUSE_UUID_GENERATE
>>>>>>> ......
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>>>>>>> For additional commands, e-mail: users-help@qpid.apache.org
>>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>>>>>> For additional commands, e-mail: users-help@qpid.apache.org
>>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>>>>> For additional commands, e-mail: users-help@qpid.apache.org
>>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>>>> For additional commands, e-mail: users-help@qpid.apache.org
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>>> For additional commands, e-mail: users-help@qpid.apache.org
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
>> For additional commands, e-mail: users-help@qpid.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Mime
View raw message