qpid-dev mailing list archives

From "Pavel Moravec (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (QPID-6491) qpid-route map does not use any authentication when querying other brokers
Date Sat, 06 Jun 2015 13:42:00 GMT

    [ https://issues.apache.org/jira/browse/QPID-6491?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14575720#comment-14575720 ]

Pavel Moravec edited comment on QPID-6491 at 6/6/15 1:41 PM:
-------------------------------------------------------------

I realized the patch is wrong:

self.broker.saslUser is not the username and self.broker.authUser is not its password.

I.e. there should be a commit:
{code}
<                 url = BrokerURL(host=link.host, port=link.port, user=self.broker.saslUser,
password=self.broker.authUser)
---
>                 url = BrokerURL(host=link.host, port=link.port, user=self.broker.authUser,
password=self.broker.authPass)
{code}
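
Review bot: The replacement `BrokerURL(...)` line forwards only `user` and `password`, while the issue description also asks for the `--client-sasl-mechanism` value to reach the linked brokers, and nothing in this line carries it. Please confirm the mechanism is applied where the connection to each linked broker is opened, or pass it alongside the credentials here. Also, because this URL now holds `self.broker.authPass`, any code that prints the URL object emits the password, as the "Finding Linked Brokers" output quoted below shows; printing `link.host` and `link.port` instead avoids that.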

(In my defense, it can be spotted only when using credentials with username != password.)


Further, is printing credentials desired or rather disturbing? I.e. should the output be:

{code}
Finding Linked Brokers:
    company_B/password_B@localhost:6001... Ok
    company_B/password_B@localhost:6002... Ok
    company_B/password_B@localhost:6003... Ok
{code}

(that's current), or rather just:

{code}
Finding Linked Brokers:
    localhost:6001... Ok
    localhost:6002... Ok
    localhost:6003... Ok
{code}

? I would vote for the second (without credentials), as 1) it's shorter and the user knows
the credentials, 2) it can be shared with others without a potential credentials leak.

Any objections if I remove the credentials in the commit fixing the user/pass?



> qpid-route map does not use any authentication when querying other brokers
> --------------------------------------------------------------------------
>
>                 Key: QPID-6491
>                 URL: https://issues.apache.org/jira/browse/QPID-6491
>             Project: Qpid
>          Issue Type: Bug
>          Components: Python Tools
>    Affects Versions: 0.30
>            Reporter: Pavel Moravec
>            Assignee: Pavel Moravec
>            Priority: Minor
>             Fix For: 0.33
>
>         Attachments: QPID-6491.patch
>
>
> "qpid-route route map", while generating the federation topology, connects to each and
> every broker in the federation to query its federation peers. All such connections (except
> for the very first broker) are made as anonymous user only.
> It is requested that the tool pass the username, password and optionally also the
> --client-sasl-mechanism parameter to all other brokers as well.
> (Another option would be for the tool to get the credentials info from the broker,
> but currently the QMF response to links does not contain such info. This option would also
> need much more code change on the broker side.)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
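
The second output format proposed in the message above, as an added example that is not part of the original message or of qpid-route: one helper renders a broker address as host:port only, and one strips credentials from output that was already captured before it is shared. The address grammar, the function names and the default port 5672 are assumptions made for this sketch.

```python
import re

# Assumed address shape, taken from the output quoted in the message:
#   [scheme://][user[/password]@]host[:port]
# Illustrative parser only; this is not qpid's BrokerURL class.
_ADDR = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?:(?P<user>[^/@]*)(?:/(?P<password>.*))?@)?"   # password may contain '@'
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:@/\[\]]+)"      # bracketed IPv6 or name
    r"(?::(?P<port>\d+))?$"
)

# A "user/password@" prefix at the start of a whitespace-delimited token.
# A bare "user@" prefix (no password) is left alone by this pattern.
_CRED_PREFIX = re.compile(r"(?<!\S)[^\s/@]+/\S*@(?=[^\s@])")


def display_address(address, default_port=5672):
    """Return 'host:port' for progress output, never the credentials."""
    m = _ADDR.match(address.strip())
    if m is None:
        # Fail closed: do not echo a string that could not be parsed.
        return "<unparsed broker address>"
    return "%s:%s" % (m.group("host"), m.group("port") or default_port)


def scrub_output(text):
    """Strip 'user/password@' prefixes from output that was already captured."""
    return _CRED_PREFIX.sub("", text)


# Constructed sample in the format shown in the message.
SAMPLE = (
    "Finding Linked Brokers:\n"
    "    company_B/password_B@localhost:6001... Ok\n"
    "    company_B/password_B@localhost:6002... Ok\n"
)

if __name__ == "__main__":
    print(display_address("company_B/password_B@localhost:6001"))
    print(scrub_output(SAMPLE), end="")
```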
