qpid-dev mailing list archives

From "Ken Giusti (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-3668) Python console has inconsistent interface to the authenticated user state, depending on whether saslwrapper is used or not.
Date Thu, 02 May 2013 12:54:16 GMT

    [ https://issues.apache.org/jira/browse/QPID-3668?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13647481#comment-13647481 ]

Ken Giusti commented on QPID-3668:
----------------------------------

Additional observations:

The Connection object has "username" and "auth_username" properties. "username" appears
to be set by extracting the user name supplied in the URL (or via connection options [?]).
"auth_username" is set by the SASL library.

In most tests that I've run, these two properties are set to the same value (username from
URL).  However, when ANONYMOUS auth is used, there is a difference when the internal SASL
client is used vs. the SASL wrapper:


SASL wrapper:

PYTHONPATH="$PYTHONPATH:/home/kgiusti/work/qpid/qpid/qpid/extras/sasl/python:/home/kgiusti/work/qpid/qpid/qpid/extras/sasl/python/.libs"
qpid-config -b amqps://guest/guest@t530.localdomain:47895 --ssl-certificate ./client_cert_key.pem --sasl-mechanism ANONYMOUS
USING SASL
Enter PEM pass phrase:password

USERNAME=guest
AUTH_USERNAME=anonymous


Internal SASL impl:

qpid-config -b amqps://guest/guest@t530.localdomain:47895 --ssl-certificate ./client_cert_key.pem --sasl-mechanism ANONYMOUS
USING PLAINCLIENT
Enter PEM pass phrase:password

USERNAME=guest
AUTH_USERNAME=guest



Note the value for auth_username.



Also, when using PLAIN auth, and the password is not supplied in the URL, the internal SASL
impl fails, while the SASL wrapper will prompt for the missing password:

SASL wrapper:

PYTHONPATH="$PYTHONPATH:/home/kgiusti/work/qpid/qpid/qpid/extras/sasl/python:/home/kgiusti/work/qpid/qpid/qpid/extras/sasl/python/.libs"
qpid-config -b amqps://guest@t530.localdomain:47895 --ssl-certificate ./client_cert_key.pem --sasl-mechanism PLAIN
USING SASL
Enter PEM pass phrase:password

Please enter your password: guest

USERNAME=guest
AUTH_USERNAME=guest


Internal SASL impl:

qpid-config -b amqps://guest@t530.localdomain:47895 --ssl-certificate ./client_cert_key.pem --sasl-mechanism PLAIN
USING PLAINCLIENT
Enter PEM pass phrase:password

Failed: AuthenticationFailure: sasl negotiation failed: no mechanism agreed

                
> Python console has inconsistent interface to the authenticated user state, depending on whether saslwrapper is used or not.
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: QPID-3668
>                 URL: https://issues.apache.org/jira/browse/QPID-3668
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Python Client
>    Affects Versions: 0.13
>            Reporter: Ken Giusti
>
> If the python client uses the sasl service to provide authentication, then the authenticated user-id is provided via the connection object. However, if sasl is not available, the python client will use its integrated PLAIN or ANONYMOUS mechanism. In this case, no information appears to be available to determine the actual user-id used (or anonymous). For example:
>       self.conn = Connection(connSock, username=self.authUser, password=self.authPass,
>                              mechanism = self.mechanisms, host=self.host, service="qpidd")
>       uid = self.conn.user_id
> 'uid' above is None if internal PLAIN or ANONYMOUS was used. It is set if sasl was used (and -could- be 'anonymous' etc).
> It would be consistent if the uid was set in either case (sasl or non-sasl).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
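
The following is an added example, not part of the original message or of the qpid Python client: a hypothetical helper, `effective_identity`, that derives one identity for logging or authorization regardless of which SASL client produced the connection. It takes plain values rather than a Connection object, and the sample cases are constructed from the outputs shown in the message above.

```python
from collections import namedtuple

Identity = namedtuple("Identity", "user source matches_library")

def effective_identity(mechanism, url_username, reported):
    """Pick one identity for logging/authorization decisions.

    mechanism    -- negotiated SASL mechanism name
    url_username -- user name taken from the broker URL (may be None)
    reported     -- what the client library exposes as the authenticated
                    user; None when the library left it unset
    """
    mech = (mechanism or "").upper()
    if mech == "ANONYMOUS":
        # No credential was checked, so a user name from the URL proves nothing.
        user, source = "anonymous", "mechanism"
    elif reported:
        user, source = reported, "library"
    elif url_username:
        # Library left the field unset: fall back to the name that was sent.
        user, source = url_username, "url"
    else:
        raise ValueError("no identity available for mechanism %r" % mechanism)
    return Identity(user, source, reported == user)

# Constructed cases: (label, mechanism, URL user, library-reported user),
# using the values shown in the message above.
CASES = [
    ("saslwrapper ANONYMOUS", "ANONYMOUS", "guest", "anonymous"),
    ("internal ANONYMOUS", "ANONYMOUS", "guest", "guest"),
    ("saslwrapper PLAIN", "PLAIN", "guest", "guest"),
    ("internal, user id unset", "PLAIN", "guest", None),
]

def report(cases=CASES):
    return [(label, effective_identity(m, u, r)) for label, m, u, r in cases]

if __name__ == "__main__":
    for label, ident in report():
        flag = "" if ident.matches_library else "  <-- library value differs"
        print("%-26s %-10s (%s)%s" % (label, ident.user, ident.source, flag))
```
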
