<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/python-packages/qpid-python.git/qpid/cpp/src/tests/cluster_authentication_soak.cpp, branch deleteme</title>
<subtitle>git.apache.org: qpid.git
</subtitle>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/'/>
<entry>
<title>QPID-3652: Fix cluster authentication.</title>
<updated>2011-12-06T15:56:40+00:00</updated>
<author>
<name>Alan Conway</name>
<email>aconway@apache.org</email>
</author>
<published>2011-12-06T15:56:40+00:00</published>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/commit/?id=ae0f67263950f41ce6078a9fde79be78d47f4a11'/>
<id>ae0f67263950f41ce6078a9fde79be78d47f4a11</id>
<content type='text'>
Only allow brokers that authenticate as the cluster-username to join a cluster.

New broker first connects to a cluster broker, authenticates as the cluster-username
and sends its CPG member ID to the qpid.cluster-credentials exchange.
The cluster broker that subsequently acts as updater verifies that the credentials are
valid before connecting to give the update.

NOTE 1: If you are using an ACL, the cluster-username must be allowed to
publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:

acl allow foo@QPID publish exchange name=qpid.cluster-credentials

NOTE 2: This changes the cluster initialization protocol, you will
need to restart the cluster with all new version brokers.

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1210989 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Only allow brokers that authenticate as the cluster-username to join a cluster.

New broker first connects to a cluster broker, authenticates as the cluster-username
and sends its CPG member ID to the qpid.cluster-credentials exchange.
The cluster broker that subsequently acts as updater verifies that the credentials are
valid before connecting to give the update.

NOTE 1: If you are using an ACL, the cluster-username must be allowed to
publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:

acl allow foo@QPID publish exchange name=qpid.cluster-credentials

NOTE 2: This changes the cluster initialization protocol, you will
need to restart the cluster with all new version brokers.

git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1210989 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix bug in test code: invalid use of c_str()</title>
<updated>2010-07-27T18:52:50+00:00</updated>
<author>
<name>Alan Conway</name>
<email>aconway@apache.org</email>
</author>
<published>2010-07-27T18:52:50+00:00</published>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/commit/?id=7acde516afeb93e592197fbd6fe2ad78684fd0f1'/>
<id>7acde516afeb93e592197fbd6fe2ad78684fd0f1</id>
<content type='text'>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@979803 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@979803 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix problems with cluster_authentication_soak test in VPATH build.</title>
<updated>2010-05-27T20:02:30+00:00</updated>
<author>
<name>Alan Conway</name>
<email>aconway@apache.org</email>
</author>
<published>2010-05-27T20:02:30+00:00</published>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/commit/?id=9557857f8f36d2f942ee761d37234cd09e6c186a'/>
<id>9557857f8f36d2f942ee761d37234cd09e6c186a</id>
<content type='text'>
- Fix SASL version testing logic in cluster_authentication_soak and SaslAuthenticator
- Generate all SASL config in the build directory in sasl_test_setup.sh
- Compile cluster_authentication_soak only if SASL is available.


git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@948968 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- Fix SASL version testing logic in cluster_authentication_soak and SaslAuthenticator
- Generate all SASL config in the build directory in sasl_test_setup.sh
- Compile cluster_authentication_soak only if SASL is available.


git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@948968 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Disable new sasl testing if SASL version is less than 2.1.22.</title>
<updated>2010-05-24T22:56:40+00:00</updated>
<author>
<name>Michael Goulish</name>
<email>mgoulish@apache.org</email>
</author>
<published>2010-05-24T22:56:40+00:00</published>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/commit/?id=aa1ddcebf5a63c4908b08035b223b1ec1fa54037'/>
<id>aa1ddcebf5a63c4908b08035b223b1ec1fa54037</id>
<content type='text'>
Earlier versions do not have SASL_PATH_TYPE_CONFIG, which this testing requires.


git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@947850 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Earlier versions do not have SASL_PATH_TYPE_CONFIG, which this testing requires.


git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@947850 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Jira QPID-2617 -- make sasl-based tests config files relocatable</title>
<updated>2010-05-24T18:25:46+00:00</updated>
<author>
<name>Michael Goulish</name>
<email>mgoulish@apache.org</email>
</author>
<published>2010-05-24T18:25:46+00:00</published>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/commit/?id=ba91599c45eeb8f3578cd34092302b2394b9ea69'/>
<id>ba91599c45eeb8f3578cd34092302b2394b9ea69</id>
<content type='text'>
  Before this change, sasl-based testing cannot be fully automated
  because the sasl db must be located in the standard installation
  location of /etc/sasl2.

  * Created a new directory "sasl_config" under cpp/src/tests

  * added a new makefile fragment "sasl.mk" to cpp/src/Makefile.am
    conditionally included based on HAVE_SASL, which is defined by
    configure.
    ( NOTE: should be in cpp/src/tests/Makefile.am, but getting an
            "saslpasswd2: generic failure" when I try that. )

  * The sasl.mk fragment uses saslpasswd2 to create a sasl db in
    cpp/src/tests/sasl_config that defines two users with eponymous
    passwords.

  * In test cluster_authentication_soak.cpp, make the cluster name
    random.

  * make SaslAuthenticator code accept and use a config path

  * give cluster_authentication_soak self-test capability.
    the test is meant to detect two problems:
       - broker failure
       - perftest hang
    so give it flags that will force either of those conditions.
    This allows me to (manually) ensure that the test really does
    detect those conditions when they occur.




git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@947748 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
  Before this change, sasl-based testing cannot be fully automated
  because the sasl db must be located in the standard installation
  location of /etc/sasl2.

  * Created a new directory "sasl_config" under cpp/src/tests

  * added a new makefile fragment "sasl.mk" to cpp/src/Makefile.am
    conditionally included based on HAVE_SASL, which is defined by
    configure.
    ( NOTE: should be in cpp/src/tests/Makefile.am, but getting an
            "saslpasswd2: generic failure" when I try that. )

  * The sasl.mk fragment uses saslpasswd2 to create a sasl db in
    cpp/src/tests/sasl_config that defines two users with eponymous
    passwords.

  * In test cluster_authentication_soak.cpp, make the cluster name
    random.

  * make SaslAuthenticator code accept and use a config path

  * give cluster_authentication_soak self-test capability.
    the test is meant to detect two problems:
       - broker failure
       - perftest hang
    so give it flags that will force either of those conditions.
    This allows me to (manually) ensure that the test really does
    detect those conditions when they occur.




git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@947748 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Changed the names of tests which are installed in /usr/bin/ to be prefixed with "qpid-". This will make these generic names easier to associate with qpid. (BZ577353)</title>
<updated>2010-05-24T15:48:18+00:00</updated>
<author>
<name>Kim van der Riet</name>
<email>kpvdr@apache.org</email>
</author>
<published>2010-05-24T15:48:18+00:00</published>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/commit/?id=a496df01eec8f7c9989c6ec9fe89ea864a6b9cf9'/>
<id>a496df01eec8f7c9989c6ec9fe89ea864a6b9cf9</id>
<content type='text'>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@947678 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@947678 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
<entry>
<title>Cluster + Security</title>
<updated>2010-05-14T08:56:45+00:00</updated>
<author>
<name>Michael Goulish</name>
<email>mgoulish@apache.org</email>
</author>
<published>2010-05-14T08:56:45+00:00</published>
<link rel='alternate' type='text/html' href='http://91.123.203.49/cgit/delta/python-packages/qpid-python.git/commit/?id=2d470f3f46eae7a36bcf6c81a3a0223c0edbd64c'/>
<id>2d470f3f46eae7a36bcf6c81a3a0223c0edbd64c</id>
<content type='text'>
-----------------------------------

* initial observation of a problem was a 2% failure rate in perftests
  of 20,000 messages against a cluster with security enabled.
  Problem was occasional receipt of encrypted frames before the
  security codec had been enabled.  This is fixed with locking in
  cluster code (no new locks in broker code) and a callback that is
  fired by broker::ConnectionHandler::Handler to tell the cluster
  code when the opening handshake has finished.
  This was never a problem in the non-clustered broker before because
  everything happened in a single thread.

* the brokers that "shadow" the connection must not have null
  authenticators rather than real ones, so that they go through all
  the motions but don't do anything.  Only the directly-connected
  broker can perform the security handshake.

* once the directly-connected broker receives the real user ID
  from its callback, it mcasts that ID to all other brokers.
  Otherwise the shadowing brokers will all think that the user ID
  is "anonymous".
  Check this by doing a substantial perftest, and using
      qpid-stat -c localhost:PORT
  to confirm that the brokers all have the same userID for the
  same connection.

* the user ID, negotiated during the Sasl security startup, is
   communicated from the directly connected broker to all other
   cluster brokers.

* If security is *not* being used, then this code should *not* tell
  the brokers anything about the userID -- or it will step on the value
  that is being set by other code pathways.

* test program at cpp/src/tests/cluster_authentication_soak is not yet
  fully automated -- run it with something like
  "sudo ./cluster_authentication_soak 500"



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@944158 13f79535-47bb-0310-9956-ffa450edef68
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
-----------------------------------

* initial observation of a problem was a 2% failure rate in perftests
  of 20,000 messages against a cluster with security enabled.
  Problem was occasional receipt of encrypted frames before the
  security codec had been enabled.  This is fixed with locking in
  cluster code (no new locks in broker code) and a callback that is
  fired by broker::ConnectionHandler::Handler to tell the cluster
  code when the opening handshake has finished.
  This was never a problem in the non-clustered broker before because
  everything happened in a single thread.

* the brokers that "shadow" the connection must not have null
  authenticators rather than real ones, so that they go through all
  the motions but don't do anything.  Only the directly-connected
  broker can perform the security handshake.

* once the directly-connected broker receives the real user ID
  from its callback, it mcasts that ID to all other brokers.
  Otherwise the shadowing brokers will all think that the user ID
  is "anonymous".
  Check this by doing a substantial perftest, and using
      qpid-stat -c localhost:PORT
  to confirm that the brokers all have the same userID for the
  same connection.

* the user ID, negotiated during the Sasl security startup, is
   communicated from the directly connected broker to all other
   cluster brokers.

* If security is *not* being used, then this code should *not* tell
  the brokers anything about the userID -- or it will step on the value
  that is being set by other code pathways.

* test program at cpp/src/tests/cluster_authentication_soak is not yet
  fully automated -- run it with something like
  "sudo ./cluster_authentication_soak 500"



git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@944158 13f79535-47bb-0310-9956-ffa450edef68
</pre>
</div>
</content>
</entry>
</feed>
