qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: Dispatch: Default value of authenticatePeer
Date Wed, 03 Aug 2016 17:23:43 GMT
On 3 August 2016 at 18:08, Gordon Sim <gsim@redhat.com> wrote:
> On 03/08/16 17:54, Robbie Gemmell wrote:
>> On 3 August 2016 at 17:37, Jakub Scholz <jakub@scholz.cz> wrote:
>>> Hi,
>>> When I have listener configured like this:
>>> listener {
>>>     role: normal
>>>     host:
>>>     port: amqp
>>>     saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
>>>     linkCapacity: 1000
>>> }
>>> Is it really expected that it allows anonymous access? It seems that
>>> unless
>>> I add to the listener configuration also "authenticatePeer: yes", it will
>>> always allow anonymous access to clients which don't trigger the SASL
>>> layer.
>>> This seems to me as something quite counter-intuitive and dangerous,
>>> because on a first look someone (like me for example :-o) might expect
>>> that
>>> this configuration allows only username/password authenticated access.
>>> Wouldn't it make more sense to have anonymous access disabled by default?
>>> At least when SASL layer is configured for given listener? Or is it just
>>> me
>>> who finds this confusing?
>>> Regards
>>> Jakub
>> From previous discussion (mainly around Proton where some of the
>> underlying behaviour originates) I believe it is actually expected
>> behaviour, but like you I don't think it is very intuitive, and would
>> again suggest we change it.
> I think this is different from proton's behaviour (and from qpidd's) where
> the similar flags are false by default. (This is a distinct concern from the
> default sasl mechanisms enabled).

Without looking at any code to actually know for sure, my thinking
from previous discussion was that it stems from the proton-c transport
'requireAuthentication' style config, which defaults false as you say
thus allowing either SASL or non-SASL connections by default, and so
by not setting the authenticatePeer setting in Dispatch config
proton's related transport config also remains false and continues to
allow the non-SASL connections, with the saslMechanisms config only
controlling which mechs any SASL connections can use.

To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org

View raw message