Issue #3335
closedpulp fails to use SASL methods other than PLAIN
Description
Hi,
I am using DIGEST-MD5 method to authenticate to our QPID.
I have noticed that Pulp Celery workers are able to connect using Anonymous or PLAIN mechanism if I don't set "login_method" in server.conf.
After setting the "login_method" to DIGEST-MD5 lots of auth failed messages appeared in logs.
I found the reason for this is code in "/usr/lib/python2.7/site-packages/kombu/transport/qpid.py"
where you either set PLAIN or ANONYMOUS mechanism if "login_method" is not defined and only set username for any other method if "login_method" is specified in conf file.
This way the authentication also breaks if I set "login_method" to PLAIN.
The quick solution for this is to update the code to process username/password even if "login_method" is specified in server.conf
The simplest fix is to add "credentials['password'] = conninfo.password" after line 1592, but you might want to have something more smart.
Thanks.
Updated by bmbouter about 6 years ago
- Parent issue deleted (
#3291)
Unassociating from amqp 1.0 epic because it's not related to the new software stack.
Updated by bmbouter about 6 years ago
- Status changed from NEW to CLOSED - NOTABUG
This is a kombu bug against the Qpid transport. You are describing the set of behaviors in that code. I wrote the kombu code, but could you refile this in to the kombu tracker since any change in the behavior will need to be made and released there. That tracker is here: https://github.com/celery/kombu/issues/
I'm bmbouter on github and freenode if you can ping me with the kombu issue, we can talk about it on there. The scary part you should know is that the cyrus-sasl libraries would deadlock randomly if we would submit a username without a password. The qpid transport only supports PLAIN, EXTERNAL, and ANONYMOUS. We would need to look more at the DIGEST-MD5.