On Tue, 2016-09-13 at 16:33 -0700, Justin Ross wrote:
> Some potentially interesting things.
> 
> ## Components
> 
> python-qpid-proton-0.13.1-1.fc24.x86_64
> python-qpid-messaging-0.34-9.fc24.x86_64 (qpid_messaging)
> qpid-dispatch-router-0.6.1-2.fc24.x86_64
> 
> ## Listener config
> 
> listener {
>     host: 0.0.0.0
>     port: amqp
>     authenticatePeer: on
>     saslMechanisms: ANONYMOUS
> }
> 
> ## host: 0.0.0.0 allows connection via localhost from qpid_messaging
> but not from proton
> 
> My qpid_messaging client can connect, using localhost in its connection
> info, but my proton client cannot (connection refused). Using '::' instead
> of '0.0.0.0' allows either to connect.  Perhaps the way proton resolves
> localhost is different.

0.0.0.0 is an IPv4 address; :: is the IPv6 equivalent.

Usually localhost will map to both of these addresses, and the usual
system defaults will try the IPv6 address first.

So if the client code doesn't correctly try all the resolved IP
addresses in order then you'll get this behaviour.

I know that qpid.messaging does this correctly.

> ## "authenticatePeer: on" strips ANONYMOUS

What do you mean "strips" ANONYMOUS? Do you mean the mechanism isn't
offered? The mechanism isn't in the allowable client list?

At the proton API level authenticatePeer means that we require
connections to be authenticated before using them. This can either be
via SASL or via SSL.

So I wouldn't expect that setting to take ANONYMOUS out of the offered
mechanisms, but I'm not 100% about the behaviour of Cyrus under all
circumstances.

> 
> This was a surprise to me.  I had explicitly enabled ANONYMOUS.  And I
> confess I was mentally reading 'authenticatePeer' to mean enable SASL.
> Which component is stripping it, proton or dispatch or cyrus?  Should it be
> stripped when I positively express a desire for it?

I'm not sure that forcing the ANONYMOUS mechanism together with
authentication isn't contradictory - ANONYMOUS is explicitly
unauthenticated (it's anonymous after all!).

> If we keep this behavior, we should add a note about it to the
> qdrouterd.conf man page.

Undoubtedly!

Andrew
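
Added example (not part of the original message, and not proton's or qpid.messaging's code): a client that stops at the first address resolved for localhost fails against an IPv4-only listener, while one that walks the whole list connects. The function names and the candidate list (IPv6 first, then IPv4) are constructed for the illustration.

```python
import socket

def resolve(host, port):
    # Every address the resolver returns, in resolver order (IPv6 usually first).
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(fam, addr) for fam, _t, _p, _c, addr in infos]

def try_connect(family, sockaddr, timeout=2.0):
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.settimeout(timeout)
        sock.connect(sockaddr)
        return sock
    except OSError:
        sock.close()
        raise

def connect_first_only(candidates):
    # Flawed client: a refusal on the first address is treated as final.
    return try_connect(*candidates[0])

def connect_any(candidates):
    # Try each address in order; return the socket and the addresses that failed.
    failed = []
    for family, sockaddr in candidates:
        try:
            return try_connect(family, sockaddr), failed
        except OSError:
            failed.append(sockaddr[0])
    raise ConnectionError("all addresses failed: %s" % failed)

def demo():
    # Constructed scenario: IPv4-only listener on an ephemeral port,
    # candidate list with the IPv6 loopback address first.
    listener = socket.create_server(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    candidates = [(socket.AF_INET6, ("::1", port, 0, 0)),
                  (socket.AF_INET, ("127.0.0.1", port))]
    try:
        try:
            connect_first_only(candidates).close()
            first_ok = True
        except OSError:
            first_ok = False
        sock, failed = connect_any(candidates)
        with sock:
            return first_ok, sock.getpeername()[0], failed
    finally:
        listener.close()
```

Against a real listener, pass `resolve("localhost", 5672)` to `connect_any` and inspect the returned failure list to see which address family was refused.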

