qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robbie Gemmell <robbie.gemm...@gmail.com>
Subject Re: Dispatch: Default value of authenticatePeer
Date Wed, 03 Aug 2016 17:23:43 GMT
On 3 August 2016 at 18:08, Gordon Sim <gsim@redhat.com> wrote:
> On 03/08/16 17:54, Robbie Gemmell wrote:
>>
>> On 3 August 2016 at 17:37, Jakub Scholz <jakub@scholz.cz> wrote:
>>>
>>> Hi,
>>>
>>> When I have listener configured like this:
>>>
>>> listener {
>>>     role: normal
>>>     host: 0.0.0.0
>>>     port: amqp
>>>     saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
>>>     linkCapacity: 1000
>>> }
>>>
>>> Is it really expected that it allows anonymous access? It seems that
>>> unless
>>> I add to the listener configuration also "authenticatePeer: yes", it will
>>> always allow anonymous access to clients which don't trigger the SASL
>>> layer.
>>>
>>> This seems to me as something quite counter-intuitive and dangerous,
>>> because on a first look someone (like me for example :-o) might expect
>>> that
>>> this configuration allows only username/password authenticated access.
>>>
>>> Wouldn't it make more sense to have anonymous access disabled by default?
>>> At least when SASL layer is configured for given listener? Or is it just
>>> me
>>> who finds this confusing?
>>>
>>> Regards
>>> Jakub
>>
>>
>> From previous discussion (mainly around Proton where some of the
>> underlying behaviour originates) I believe it is actually expected
>> behaviour, but like you I don't think it is very intuitive, and would
>> again suggest we change it.
>
>
> I think this is different from proton's behaviour (and from qpidd's) where
> the similar flags are false by default. (This is a distinct concern from the
> default sasl mechanisms enabled).
>
>

Without looking at any code to actually know for sure, my thinking
from previous discussion was that it stems from the proton-c transport
'requireAuthentication' style config, which defaults false as you say
thus allowing either SASL or non-SASL connections by default, and so
by not setting the authenticatePeer setting in Dispatch config
proton's related transport config also remains false and continues to
allow the non-SASL connections, with the saslMechanisms config only
controlling which mechs any SASL connections can use.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org


Mime
View raw message