diff options
| author | Michael Goulish <mgoulish@apache.org> | 2010-05-14 08:56:45 +0000 |
|---|---|---|
| committer | Michael Goulish <mgoulish@apache.org> | 2010-05-14 08:56:45 +0000 |
| commit | d9af71e691e50d7c9f3f16cd259298d3b8f0cd14 (patch) | |
| tree | 720c505bd510a48bf3555ac4971b8fca66fd746a /cpp/src/tests/Makefile.am | |
| parent | 1318c94eff0722c27c9c45d9844485e30cd954f6 (diff) | |
| download | qpid-python-d9af71e691e50d7c9f3f16cd259298d3b8f0cd14.tar.gz | |
Cluster + Security
-----------------------------------
* initial observation of a problem was a 2% failure rate in perftests
of 20,000 messages against a cluster with security enabled.
Problem was occasional receit of encrypted frames before the
security codec had been enabled. This is fixed with locking in
cluster code (no new locks in broker code) and a callback that is
fired by broker::ConnectionHandler::Handler to tell the cluster
code when the opening handshake has finished.
This was never a problem in the non-clustered broker before because
everything happened in a single thread.
* the brokers that "shadow" the connection must not have null
authenticators rather than real ones, so that they go through all
the motions but don't do anythig. Only the directly-connected
broker can perform the security handshake.
* once the directly-connected broker receives the real user ID
from its callback, it mcasts that ID to all other brokers.
Otherwise the shadowing brokers will al think that the user ID
is "anonymous".
Check this by doing a substantial perftest, and using
qpid-stat -c localhost:PORT
to confirm that the brokers all have the same userID for the
same connection.
* the user ID, negotiated during the Sasl security startup, is
communicated from the directly connected broker to all other
cluster brokers.
* If security is *not* being used, then this code should *not* tell
the brokers anything about the userID -- or it will step on the value
that is being set by other code pathways.
* test program at cpp/src/tests/cluster_authentication_soak is not yet
fully automated -- run it with something like
"sudo ./cluster_authentication_soak 500"
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk/qpid@944158 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'cpp/src/tests/Makefile.am')
| -rw-r--r-- | cpp/src/tests/Makefile.am | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/cpp/src/tests/Makefile.am b/cpp/src/tests/Makefile.am index 6133fc2e49..02b006665e 100644 --- a/cpp/src/tests/Makefile.am +++ b/cpp/src/tests/Makefile.am @@ -245,6 +245,11 @@ failover_soak_INCLUDES=$(PUBLIC_INCLUDES) failover_soak_SOURCES=failover_soak.cpp ForkedBroker.h ForkedBroker.cpp failover_soak_LDADD=$(lib_client) $(lib_broker) +check_PROGRAMS+=cluster_authentication_soak +cluster_authentication_soak_INCLUDES=$(PUBLIC_INCLUDES) +cluster_authentication_soak_SOURCES=cluster_authentication_soak.cpp ForkedBroker.h ForkedBroker.cpp +cluster_authentication_soak_LDADD=$(lib_client) $(lib_broker) + check_PROGRAMS+=declare_queues declare_queues_INCLUDES=$(PUBLIC_INCLUDES) declare_queues_SOURCES=declare_queues.cpp @@ -355,7 +360,7 @@ CLEANFILES+=valgrind.out *.log *.vglog* dummy_test qpidd.port $(unit_wrappers) # Not run under valgrind, too slow LONG_TESTS+=start_broker fanout_perftest shared_perftest multiq_perftest topic_perftest run_ring_queue_test stop_broker \ - run_failover_soak reliable_replication_test \ + run_failover_soak run_cluster_authentication_soak reliable_replication_test \ federated_cluster_test_with_node_failure EXTRA_DIST+= \ @@ -364,6 +369,7 @@ EXTRA_DIST+= \ multiq_perftest \ topic_perftest \ run_failover_soak \ + run_cluster_authentication_soak \ reliable_replication_test \ federated_cluster_test_with_node_failure |