qpid-dev mailing list archives

From "Ken Giusti (JIRA)" <qpid-...@incubator.apache.org>
Subject [jira] Created: (QPID-2187) Allow clients to make secure/authenticated connections to a cluster.
Date Wed, 04 Nov 2009 16:27:32 GMT
Allow clients to make secure/authenticated connections to a cluster.

                 Key: QPID-2187
                 URL: https://issues.apache.org/jira/browse/QPID-2187
             Project: Qpid
          Issue Type: Improvement
         Environment: all
            Reporter: Ken Giusti

The current implementation of clustering does not handle authentication correctly.
From the trunk build:

[kgiusti@localhost src]$ ./qpidd --auth yes --realm KGIUSTI.COM --log-enable info+  --load-module ./.libs/cluster.so  --cluster-name ken
2009-11-02 10:30:58 info Loaded Module: ./.libs/cluster.so
2009-11-02 10:30:58 info Management enabled
2009-11-02 10:30:58 notice Initializing CPG
2009-11-02 10:30:58 notice cluster( INIT) membership change:
(joined: )
2009-11-02 10:30:58 info No message store configured, persistence is disabled.
2009-11-02 10:30:58 info SASL enabled
2009-11-02 10:30:58 notice Listening on TCP port 5672
2009-11-02 10:30:58 notice cluster( INIT) joining cluster ken with url=amqp:tcp:,tcp:,tcp:
2009-11-02 10:30:58 notice Broker running
2009-11-02 10:30:58 info cluster( READY) member update:
2009-11-02 10:30:58 notice cluster( READY) first in cluster

2009-11-02 10:31:05 info SASL: Mechanism list: ANONYMOUS PLAIN DIGEST-MD5 LOGIN GSSAPI CRAM-MD5
2009-11-02 10:31:05 info cluster( READY) new local connection
2009-11-02 10:31:05 info SASL: Starting authentication with mechanism: GSSAPI
2009-11-02 10:31:05 info SASL: Authentication succeeded for: testuser@KGIUSTI.COM
2009-11-02 10:31:05 error cluster( READY) aborting connection
framing-error: Reserved bits not zero (qpid/framing/AMQFrame.cpp:132)
2009-11-02 10:31:05 info cluster( READY) connection closed

The above error occurs when running perftest against the cluster in the following manner:
[kgiusti@localhost tests]$ /usr/kerberos/bin/kinit testuser@KGIUSTI.COM
[kgiusti@localhost tests]$ ./perftest -b localhost.localdomain --mechanism GSSAPI --username testuser --tx 1 --count 1 --summary --log-enable info+
2009-11-02 10:31:05 info Connecting to tcp:localhost.localdomain:5672
2009-11-02 10:31:05 info Installing security layer,  SSF: 56
2009-11-02 10:31:05 warning Connection closed

Running the same test, but turning off clustering, authentication succeeds.

Alan has determined that the problem is due to the way the clustered broker constructs the
codec chain.  The chain is built without the codec for a secure connection.

The correct solution would implement a mechanism that allows more generic chaining of the
codecs.  It should be possible to allow codecs to be built that support both clustering and

In this case, the fix would secure the client/broker connection, and mirror the unencrypted
data across the cluster.   

Does this make sense?  Opinions welcome.


This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
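
The failure mode described in the report, as an added toy model (not Qpid code and not part of the original message): a frame decoder fed security-layer output directly rejects it, while a chain that unwraps first accepts it and mirrors plaintext. All names (`seal`, `unseal`, `mirror`, `checkFrameHeader`, `receive`) are hypothetical, the XOR mask is a stand-in for the negotiated GSSAPI layer, and the header check is a simplified reading of the AMQP 0-10 frame layout.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
using Codec = std::function<Bytes(const Bytes&)>;  // one inbound decoding stage

// Stand-in for the SASL security layer (an assumption, NOT real crypto):
// 4-octet big-endian length, then the protected buffer (XOR-masked here).
Bytes seal(const Bytes& plain) {
    Bytes out = {0, 0, uint8_t(plain.size() >> 8), uint8_t(plain.size())};
    for (uint8_t b : plain) out.push_back(b ^ 0xA5);
    return out;
}
Bytes unseal(const Bytes& wire) {
    if (wire.size() < 4 || wire[0] || wire[1] ||
        wire.size() != 4 + ((size_t(wire[2]) << 8) | wire[3]))
        throw std::runtime_error("security layer: bad buffer length");
    Bytes plain;
    for (size_t i = 4; i < wire.size(); ++i) plain.push_back(wire[i] ^ 0xA5);
    return plain;
}

// Simplified AMQP 0-10 frame header check: 12 octets, reserved fields zero.
Bytes checkFrameHeader(const Bytes& f) {
    if (f.size() < 12) throw std::runtime_error("framing-error: short frame");
    if ((f[0] & 0x30) || f[4] || (f[5] & 0xF0))
        throw std::runtime_error("framing-error: Reserved bits not zero");
    return f;
}

Bytes mirrored;  // what this toy broker would replicate to other cluster members
Bytes mirror(const Bytes& d) { mirrored = d; return d; }
// Push received bytes through the chain; return "ok" or the first error.
std::string receive(const std::vector<Codec>& chain, Bytes data) {
    try { for (const Codec& c : chain) data = c(data); }
    catch (const std::exception& e) { return e.what(); }
    return "ok";
}
// Constructed sample: header-only frame on channel 1, all reserved fields zero.
Bytes sampleFrame() { return {0x0F, 0x01, 0, 12, 0, 0, 0, 1, 0, 0, 0, 0}; }
std::string clusterChainOnly() { return receive({mirror, checkFrameHeader}, seal(sampleFrame())); }
std::string withSecurityCodec() { return receive({unseal, mirror, checkFrameHeader}, seal(sampleFrame())); }
int main() {
    std::printf("chain without security codec: %s\n", clusterChainOnly().c_str());
    std::printf("chain with security codec:    %s\n", withSecurityCodec().c_str());
}
```

In this model the first protected octet lands where the decoder expects a reserved zero octet, so the connection is aborted even though authentication itself succeeded.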
