QPID-3652: Fix cluster authentication.

Review Request #2988 - Created Dec. 1, 2011 and submitted

Alan Conway
QPID-3652
Reviewers
qpid
gordon, tross
qpid
QPID-3652: Fix cluster authentication.

Only allow brokers that authenticate as the cluster-username to join a cluster.

New broker first connects to a cluster broker, authenticates as the cluster-username
and sends its CPG member ID to the qpid.cluster-credentials exchange.
The cluster broker that subsequently acts as updater verifies that the credentials are
valid before connecting to give the update.

NOTE: If you are using an ACL, the cluster-username must be allowed to
publish to the qpid.cluster-credentials exchange. E.g. in your ACL file:

acl allow foo@QPID publish exchange name=qpid.cluster-credentials

3 new tests in cluster_tests.py, tested by hand with ANONYMOUS, PLAIN and DIGEST-MD5 mechanisms.
Ship it!
Posted (Dec. 5, 2011, 6:44 p.m.)
Seems ok to me...
The last sentence in this comment isn't entirely true... it will only compare the id against the username if the userid of the connection was in the default domain. Not a big issue, I just got confused when first reading this.
  1. Updated to: * If id has the default realm will also compare plain username.

Does isDefaultRealm get initialised anywhere?
  1. It should be initialized in the ctor, will do that.
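
A sketch of the join check described in the request, including the default-realm comparison discussed in the review. This is an added example, not Qpid's code: the class, its methods and the sample member ids are hypothetical, and `foo` and `QPID` follow the ACL line in the description.

```cpp
// Added illustration: all names here are hypothetical, not Qpid's own code.
#include <iostream>
#include <map>
#include <string>

class CredentialsStore {
  public:
    CredentialsStore(const std::string& clusterUser, const std::string& defaultRealm)
        : clusterUser_(clusterUser), realmSuffix_("@" + defaultRealm) {}

    // Message seen on the credentials exchange: remember which authenticated
    // connection user id announced this CPG member id.
    void announce(const std::string& memberId, const std::string& userId) {
        announced_[memberId] = userId;
    }

    // Updater-side check before connecting to give the update. Fails closed
    // when the member never announced itself.
    bool mayJoin(const std::string& memberId) {
        std::map<std::string, std::string>::iterator it = announced_.find(memberId);
        if (it == announced_.end()) return false;
        const bool ok = matches(it->second);
        announced_.erase(it);  // this sketch's choice: an entry is checked once
        return ok;
    }

  private:
    bool matches(const std::string& userId) const {
        if (userId == clusterUser_) return true;
        // If the id has the default realm, also compare the plain username.
        const std::string::size_type n = realmSuffix_.size();
        if (userId.size() > n && userId.compare(userId.size() - n, n, realmSuffix_) == 0)
            return userId.substr(0, userId.size() - n) == clusterUser_;
        return false;
    }

    std::string clusterUser_;
    std::string realmSuffix_;
    std::map<std::string, std::string> announced_;
};

int main() {
    CredentialsStore store("foo", "QPID");          // constructed sample values
    store.announce("member-1", "foo@QPID");         // cluster-username, default realm
    store.announce("member-2", "foo@OTHER");        // same name, different realm
    std::cout << store.mayJoin("member-1") << store.mayJoin("member-2")
              << store.mayJoin("member-3") << "\n";
    return 0;
}
```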