QPID-3652: Fix cluster authentication.
Review Request #2988 - Created Dec. 1, 2011 and submitted
| Information | |
|---|---|
| Alan Conway | |
| qpid | |
| QPID-3652 | |
| Reviewers | |
| qpid | |
| gordon, tross | |
QPID-3652: Fix cluster authentication.

Only allow brokers that authenticate as the cluster-username to join a cluster. A new broker first connects to a cluster broker, authenticates as the cluster-username and sends its CPG member ID to the qpid.cluster-credentials exchange. The cluster broker that subsequently acts as updater verifies that the credentials are valid before connecting to give the update.

NOTE: If you are using an ACL, the cluster-username must be allowed to publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:

    acl allow foo@QPID publish exchange name=qpid.cluster-credentials

3 new tests in cluster_tests.py, tested by hand with ANONYMOUS, PLAIN and DIGEST-MD5 mechanisms.
Seems ok to me...
/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h (Diff revision 1)
The last sentence in this comment isn't entirely true... it will only compare the id against the username if the userid of the connection was in the default domain. Not a big issue, I just got confused when first reading this.
/trunk/qpid/cpp/src/qpid/broker/ConnectionState.h (Diff revision 1)
Does isDefaultRealm get initialised anywhere?
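
The join check from the description, combined with the user-id matching rule raised in the review comments, as an added example that is not code from the patch or from Qpid. The class names `Connection` and `ClusterCredentials`, the method names and the member-ID strings are hypothetical; the matching rule follows the reviewer's description (the bare username is compared only when the connection's user id is in the default realm).

```cpp
#include <set>
#include <string>

// Hypothetical model of an authenticated connection (not Qpid's ConnectionState).
class Connection {
  public:
    Connection(const std::string& userId, const std::string& defaultRealm)
        : userId_(userId), isDefaultRealm_(false) {  // flag always initialised
        const std::string::size_type at = userId.find('@');
        userName_ = userId.substr(0, at);            // whole id when there is no '@'
        if (at != std::string::npos)
            isDefaultRealm_ = (userId.substr(at + 1) == defaultRealm);
    }
    // Matches the full user id, or the bare name only for a default-realm user.
    bool isAuthenticatedUser(const std::string& id) const {
        return id == userId_ || (isDefaultRealm_ && id == userName_);
    }
  private:
    std::string userId_, userName_;
    bool isDefaultRealm_;
};

// Hypothetical record of member IDs published to qpid.cluster-credentials.
class ClusterCredentials {
  public:
    explicit ClusterCredentials(const std::string& clusterUsername)
        : clusterUsername_(clusterUsername) {}
    // Accept a member ID only from a sender authenticated as the cluster-username.
    bool receive(const Connection& sender, const std::string& memberId) {
        if (!sender.isAuthenticatedUser(clusterUsername_)) return false;
        members_.insert(memberId);
        return true;
    }
    // Updater-side check made before connecting to give the update.
    bool mayUpdate(const std::string& memberId) const {
        return members_.count(memberId) != 0;
    }
  private:
    std::string clusterUsername_;
    std::set<std::string> members_;
};
```

With the cluster-username configured as `foo` and a default realm of `QPID`, a sender authenticated as `foo@QPID` is accepted, while `foo@OTHER` and `bar@QPID` are not, so their member IDs never pass the updater's check.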
