From: Robbie Gemmell
Date: Thu, 4 Aug 2016 16:11:20 +0100
Subject: Re: Dispatch: Default value of authenticatePeer
To: users@qpid.apache.org
archived-at: Thu, 04 Aug 2016 15:11:38 -0000

There are some cases where it is a useful combination so I'm not sure a warning is the way to go. Making authenticatePeer default to yes if a value isn't specified seems like a nice idea to me. It's specified as no in the default config file that's shipped so behaviour there wouldn't change, and having to specify it as no seems less likely to surprise folks than the behaviour Jakub's example config gives.

Robbie

On 4 August 2016 at 15:21, Chuck Rolke wrote:
> With the current behavior the router could issue a warning when SASL
> mechanisms are defined but authenticatePeer is absent or false.
>
> ----- Original Message -----
>> From: "Robbie Gemmell"
>> To: users@qpid.apache.org
>> Sent: Thursday, August 4, 2016 6:06:34 AM
>> Subject: Re: Dispatch: Default value of authenticatePeer
>>
>> One could definitely argue that. I originally wanted to change, or
>> rather not introduce, the current underlying behaviour in Proton but I
>> agree that it could be handled nicer for Dispatch regardless.
>>
>> On 4 August 2016 at 10:25, Jakub Scholz wrote:
>> > One could argue that even if it works the same way in Proton, there might
>> > be a different audience. From a developer writing a Proton-based server, I
>> > would expect more detailed knowledge about the Proton internals as well as
>> > AMQP internals. I would expect less knowledge from someone who is only
>> > configuring and running Dispatch.
>> >
>> > Even if we don't change the default value, we should at least improve the
>> > documentation. Right now there is not much about configuring the listeners
>> > in a "secure way". I will raise a JIRA and try to prepare something for the
>> > docu.
>> >
>> > On Wed, Aug 3, 2016 at 7:23 PM, Robbie Gemmell wrote:
>> >
>> >> On 3 August 2016 at 18:08, Gordon Sim wrote:
>> >> > On 03/08/16 17:54, Robbie Gemmell wrote:
>> >> >>
>> >> >> On 3 August 2016 at 17:37, Jakub Scholz wrote:
>> >> >>>
>> >> >>> Hi,
>> >> >>>
>> >> >>> When I have a listener configured like this:
>> >> >>>
>> >> >>>     listener {
>> >> >>>         role: normal
>> >> >>>         host: 0.0.0.0
>> >> >>>         port: amqp
>> >> >>>         saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
>> >> >>>         linkCapacity: 1000
>> >> >>>     }
>> >> >>>
>> >> >>> Is it really expected that it allows anonymous access? It seems that
>> >> >>> unless I add to the listener configuration also "authenticatePeer: yes",
>> >> >>> it will always allow anonymous access to clients which don't trigger
>> >> >>> the SASL layer.
>> >> >>>
>> >> >>> This seems to me something quite counter-intuitive and dangerous,
>> >> >>> because on a first look someone (like me for example :-o) might expect
>> >> >>> that this configuration allows only username/password authenticated
>> >> >>> access.
>> >> >>>
>> >> >>> Wouldn't it make more sense to have anonymous access disabled by
>> >> >>> default? At least when the SASL layer is configured for a given
>> >> >>> listener? Or is it just me who finds this confusing?
>> >> >>>
>> >> >>> Regards
>> >> >>> Jakub
>> >> >>
>> >> >> From previous discussion (mainly around Proton where some of the
>> >> >> underlying behaviour originates) I believe it is actually expected
>> >> >> behaviour, but like you I don't think it is very intuitive, and would
>> >> >> again suggest we change it.
>> >> >
>> >> > I think this is different from proton's behaviour (and from qpidd's)
>> >> > where the similar flags are false by default. (This is a distinct
>> >> > concern from the default sasl mechanisms enabled).
>> >>
>> >> Without looking at any code to actually know for sure, my thinking
>> >> from previous discussion was that it stems from the proton-c transport
>> >> 'requireAuthentication' style config, which defaults false as you say
>> >> thus allowing either SASL or non-SASL connections by default, and so
>> >> by not setting the authenticatePeer setting in Dispatch config
>> >> proton's related transport config also remains false and continues to
>> >> allow the non-SASL connections, with the saslMechanisms config only
>> >> controlling which mechs any SASL connections can use.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
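As an added example that is not part of the thread or of the Qpid Dispatch project: a small audit script that parses qdrouterd-style `listener { ... }` blocks and flags the combination discussed above, SASL mechanisms configured but `authenticatePeer` absent or `no`, which on the version discussed leaves non-SASL (anonymous) connections allowed. The sample config is constructed here; the first listener mirrors Jakub's example and the second adds the setting the thread suggests; treating `true` as equivalent to `yes` is an assumption of this script.

```python
import re
from typing import Dict, List

# Constructed sample config (not from the thread): the first listener mirrors
# Jakub's example, the second adds the setting the thread proposes making the default.
SAMPLE_CONFIG = """
listener {
    role: normal
    host: 0.0.0.0
    port: amqp
    saslMechanisms: PLAIN DIGEST-MD5 CRAM-MD5
    linkCapacity: 1000
}

listener {
    role: normal
    host: 0.0.0.0
    port: amqps
    saslMechanisms: PLAIN
    authenticatePeer: yes
}
"""

# Matches 'name { key: value ... }' blocks as used by qdrouterd.conf
SECTION_RE = re.compile(r"(\w+)\s*\{([^}]*)\}", re.S)

def parse_sections(text: str) -> List[Dict[str, str]]:
    """Parse each block into a dict; the block name is stored under '_type'."""
    sections = []
    for name, body in SECTION_RE.findall(text):
        entry = {"_type": name}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blank lines
            if ":" in line:
                key, value = line.split(":", 1)
                entry[key.strip()] = value.strip()
        sections.append(entry)
    return sections

def audit_listeners(text: str) -> List[str]:
    """One finding per listener that names saslMechanisms but leaves
    authenticatePeer unset or 'no' (the default is 'no', as the thread explains)."""
    findings = []
    for sec in parse_sections(text):
        if sec["_type"] != "listener" or "saslMechanisms" not in sec:
            continue
        value = sec.get("authenticatePeer", "unset")
        if value.lower() not in ("yes", "true"):  # 'true' accepted as an assumption
            findings.append(f"listener {sec.get('host', '?')}:{sec.get('port', '?')} sets "
                            f"saslMechanisms but authenticatePeer is {value}: "
                            f"non-SASL (anonymous) connections allowed")
    return findings
```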