Project

Profile

Help

Issue #3335

closed

pulp fails to use SASL methods other than PLAIN

Added by balonik over 4 years ago. Updated about 3 years ago.

Status:
CLOSED - NOTABUG
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
RHEL 7
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

Hi,
I am using DIGEST-MD5 method to authenticate to our QPID.
I have noticed that Pulp Celery workers are able to connect using Anonymous or PLAIN mechanism if I don't set "login_method" in server.conf.
After setting the "login_method" to DIGEST-MD5 lots of auth failed messages appeared in logs.

I found the reason for this is code in "/usr/lib/python2.7/site-packages/kombu/transport/qpid.py"
where you either set PLAIN or ANONYMOUS mechanism if "login_method" is not defined and only set username for any other method if "login_method" is specified in conf file.

This way the authentication also breaks if I set "login_method" to PLAIN.

The quick solution for this is to update the code to process username/password even if "login_method" is specified in server.conf
The simplest fix is to add "credentials['password'] = conninfo.password" after line 1592, but you might want to have something more smart.

Thanks.

Actions #1

Updated by dalley over 4 years ago

  • Triaged changed from No to Yes
Actions #2

Updated by dalley over 4 years ago

  • Parent task set to #3291
Actions #3

Updated by bmbouter over 4 years ago

  • Parent task deleted (#3291)

Unassociating from amqp 1.0 epic because it's not related to the new software stack.

Actions #4

Updated by bmbouter over 4 years ago

  • Status changed from NEW to CLOSED - NOTABUG

This is a kombu bug against the Qpid transport. You are describing the set of behaviors in that code. I wrote the kombu code, but could you refile this in to the kombu tracker since any change in the behavior will need to be made and released there. That tracker is here: https://github.com/celery/kombu/issues/

I'm bmbouter on github and freenode if you can ping me with the kombu issue, we can talk about it on there. The scary part you should know is that the cyrus-sasl libraries would deadlock randomly if we would submit a username without a password. The qpid transport only supports PLAIN, EXTERNAL, and ANONYMOUS. We would need to look more at the DIGEST-MD5.

Actions #5

Updated by bmbouter about 3 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF