working with mqsecurity and sec_type:'file'

[morbid_noob]

Im trying to setup some authorization so that only a certain user has
write privileges to the channels but any other user has full read
privileges. (I want django to have write access, and all users have
read)

I have been looking at the wiki docs for mqsecurity and started
playing with auth using the orbit/morbid/twisted setup. I was able to
make it work with the sec_type:'Any' (example in sample_auth/
mqanyconf.py). I played with it so I could see that 'w' and 'r'
permissions worked. Did separate passes with different configs and
everything seemed to work.

Then I decided to try the sec_type:'file'. I linked to the file (even
tried explicit path from /) but I cant log in with any users that are
in the file. I made sure the delims, user/pass where in the default
settings. (even explicitly sent it in the checker_config()).

I did alot of toying with it put debug statements in the parms
functions. Using the example in sample_auth/mqfileconf.py It never
seemed to hit read_id_file, or group_rights. I never get any useful
messages when I run the orbited server except that the user is
instantly disconnected from port 9000. When running firebug and
hitting the page it returns an OK on the connection but firebug reads
it as an error and I get nothing in the response view.

Any ideas or example working site would be greatly helpful.

[Whitesell, Ken]

It would really help if you could provide as much of your configuration as possible - all configuration files, especially:

The command line being used to start morbidq - Unless something has changed in orbited since the last time I looked at it, orbited does not provide a facility to pass all the necessary parameters through to morbidq when starting it. So you need to start morbidq independently of orbited.

The morbidq security module file

And the userID file

Unfortunately, I don't have a file module functional at the moment that I can give to you, but I'll be happy to try and work with you on your particular configuration.

Ken

> --
> You received this message because you are subscribed to the
> Google Groups "MorbidQ" group.
> To post to this group, send email to mor...@googlegroups.com.
> To unsubscribe from this group, send email to
> morbidq+u...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/morbidq?hl=en.
>
>
>

[morbid_noob]

Actually I ran into the issue where I couldnt pass the --auth flag on
the start of the app. I did some quick looking over the code and
checked how the file was pulled in during the loading of morbidq.

I did a temporary hack of mqsecurity file on the MQPortal class to
have the filename default to my code file with my parms class. (I was
going to try to figure out how to make orbited talk to an already
running morbidq later, I just wanted to get it to work quickly for
testing :))

It worked like a champ when I used mqanyconf.py as the parm file. I
was able to run it with all perms 'w','r','c' and access it all. I
then removed 'r' and was able to write to it but not read from it and
then I removed 'w' and was no longer able to write :). With that test
I was confident that I could pull in the parms correctly.

Then I put the mqfileconf.py and the userIdFile.txt together, making
sure that mqfileconf.py was being loaded correctly by mqsecurity.
(basic print statements on each function). It never seemed to call the
functions to check if the user had permissions like it did with the
mqanyconf.py but it did call all the functions to set up the call
backs.

You alluded to a flag for the userID file maybe I missed that
somewhere. Could that be the missing link?

Thank you for your help.

[KenWhi...@comcast.net]

Well, I can see where the userIdFile is configured, ummm, "suboptimally" in the sample. I'm specifying the file name in two different locations, once in the checker_config function and once in the read_id_file function - in neither case do I check for paths, so there's a potential problem there.

Also, keep in mind that the userIdFile is only used to check credentials -it has nothing to do with the assignments of rights. That is strictly handled by the 'get_group_access_rights' method, and so needs to be coded to assign rights properly based upon queue name.

Making sure that the format of the id file is correct is critical, which is why I asked you to post a copy of what you're using. Also, I know I can help a lot more by seeing the version of the mqfileconf.py file you've got.

Also, running morbidq separately from orbited is easy. In your orbited config file, comment out the "stomp://" line, but leave the "access" line for that port uncommented. That'll let orbited connect to an existing morbidq server rather than starting its own. It would be helpful to start that separately so that you can see any messages that might be generated.

Also, it's not morbidq that handles the userId file at all - I'm taking advantage of twisted cred. Morbidq is creating a "checker" that uses the specified userID file to test passwords. However, the supplied security module does need to read the file to get group membership - at least that's what the sample does. (It's possible to set it up so that there's a different file for ids & passwords and for ids and groups.)

There's no flag for the userID file, I may have worded something poorly in a prior email.

Ken

--

[morbid_noob]

Thank you for taking the time to assist me. Ill try out the separate
service for morbid running tonight.

My test userIdFile.text looks like this:

admin_root:testing:admin:
guest:guest:user:

Below is the file i'm using for parms. It is slightly modified version
with my info. The channel I have set up for everyone to talk to is
called /user/.

class Parms(object):
def checker_config(self):
print "Checker_config"
return {
'sec_type':'file',
'usernameField':'0',
'passwordField':'1',
'filename':'/home/mark/orbited_project/userIdFile.txt',
'cache':True,
'delim':':',
}

def read_id_file(self, name):
print "Read_ID_FILE"
userFile = open('/home/mark/orbited_project/
userIdFile.txt','r')
# A user is always a member of a group matching their name
group = [name]
for line in userFile:
fields = line.split(":")
if (name == fields[0]):
group.append(fields[2])
userFile.close()
return group

def group_config(self):
print "Group_config"
return self.read_id_file

def group_rights(self, groups, queue):
print "Group_rights"
# The most permissive set of group permissions are assigned.
# (Rights are additive across levels and groups)
# Therefore, it is not possible to restrict rights based
# on lower levels of the queue named hierarchy
rights = set()
for qname in self.queues:
if queue.startswith(qname):
for gname in groups:
if gname in self.queues[qname]:
for rname in self.queues[qname][gname]:
rights.add(rname)
return rights

def get_group_access_rights(self):
print "Get_group_access_rights"
self.queues = {
'/user/': {'user': ('r'),
'admin': ('c', 'r', 'w')},
}
return self.group_rights

[Whitesell, Ken]

Just wanted to send a quick follow-up that I've gotten your material and I'm going to try it out here to see what is happening. It may take me a day or so, but I will get back to you when I get this figured out.

Ken

> -----Original Message-----
> From: mor...@googlegroups.com
> [mailto:mor...@googlegroups.com] On Behalf Of morbid_noob

> Sent: Wednesday, March 17, 2010 7:49 PM
> To: MorbidQ
> Subject: Re: working with mqsecurity and sec_type:'file'
>

[morbid_noob]

Thank you for the update, and taking the time to work on this.

[morbid_noob]

Just want to ping to see how things are going. Any luck with this?

Thank you

[Whitesell, Ken]

<embarrased mode="on">
I'm really sorry, it had completely slipped my mind. I started looking at it, realized it probably wasn't trivial, then made the mistake of setting it aside for later - then forgot.
Thanks for the ping, it's now back in my priority queue.
</embarrased>

Briefly, I'm not "doing" anything with the FileDatabaseDB checker itself, I just pass along the parms to the method in Twisted.

My first guess however, from what I can see is that you're passing usernameField and passwordField as character values, where it looks like the code is expecting integers. Try removing the quotes from around those fields and give it another shot. Ordinarily I'd say it shouldn't matter, but I just hand-checked some code, and it appears it may make a difference in this case.

class Parms(object):
    def checker_config(self):
        print "Checker_config"
        return {
            'sec_type':'file',

            'usernameField':0,
            'passwordField':1,

            'filename':'/home/mark/orbited_project/userIdFile.txt',
            'cache':True,
            'delim':':',
            }

Again, I apologize for the delay in getting back to you.

[Whitesell, Ken]

Now it's my turn to follow-up - have you tried it with the change to the checker_config? (Making sure that the parameters to usernameField and passwordField are integers.)

I've tried it and have gotten it to work using mostly the provided code.

1) Modified the mqfileconfig.py file to add the three additional parameters
'usernameField':0, 'passwordField':1, 'delim':':'

2) Made a copy of sender.py from the stomper package (in stomper examples), and modified it to send a valid id and password. (It ends up getting a queue-creation error which is fine, because that happens _after_ the id and password have been validated.) I then tried it with an invalid password, and got the invalid ID or password message.

[morbid_noob]

Thank you for the follow up! Going to be out of town for a while but
when I get back I will give it a shot and post if it works.

Thanks again.