Fixes bug 1137667
Previously the auth/sasl config for qpidd was broken, and the
openstack services using RPC were not properly configured.
Now we ensure that:
- the admin qpid_username/password are configured for all services
(as the qpidd ACL config denies all access to non-admin users)
- the PLAIN sasl mechanism is configured for qpidd (otherwise the
qpid_password is not propagated)
- the qpidd process has read permission on the sasl DB (otherwise
the admin user/pass cannot be verified even if set)
Change-Id: Id6bd675841884451b78f257afe786f494a03c0f7
... | ... |
@@ -64,13 +64,7 @@ function configure_ceilometer() { |
64 | 64 |
[ ! -d $CEILOMETER_API_LOG_DIR ] && sudo mkdir -m 755 -p $CEILOMETER_API_LOG_DIR |
65 | 65 |
sudo chown $USER $CEILOMETER_API_LOG_DIR |
66 | 66 |
|
67 |
- if is_service_enabled rabbit ; then |
|
68 |
- iniset $CEILOMETER_CONF DEFAULT rpc_backend 'ceilometer.openstack.common.rpc.impl_kombu' |
|
69 |
- iniset $CEILOMETER_CONF DEFAULT rabbit_host $RABBIT_HOST |
|
70 |
- iniset $CEILOMETER_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
|
71 |
- elif is_service_enabled qpid ; then |
|
72 |
- iniset $CEILOMETER_CONF DEFAULT rpc_backend 'ceilometer.openstack.common.rpc.impl_qpid' |
|
73 |
- fi |
|
67 |
+ iniset_rpc_backend ceilometer $CEILOMETER_CONF DEFAULT |
|
74 | 68 |
|
75 | 69 |
iniset $CEILOMETER_CONF DEFAULT notification_topics 'notifications,glance_notifications' |
76 | 70 |
iniset $CEILOMETER_CONF DEFAULT verbose True |
... | ... |
@@ -114,9 +114,8 @@ function configure_glance() { |
114 | 114 |
iniset $GLANCE_API_CONF DEFAULT notifier_strategy qpid |
115 | 115 |
elif [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; then |
116 | 116 |
iniset $GLANCE_API_CONF DEFAULT notifier_strategy rabbit |
117 |
- iniset $GLANCE_API_CONF DEFAULT rabbit_host $RABBIT_HOST |
|
118 |
- iniset $GLANCE_API_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
|
119 | 117 |
fi |
118 |
+ iniset_rpc_backend glance $GLANCE_API_CONF DEFAULT |
|
120 | 119 |
iniset $GLANCE_API_CONF keystone_authtoken signing_dir $GLANCE_AUTH_CACHE_DIR/api |
121 | 120 |
|
122 | 121 |
cp -p $GLANCE_DIR/etc/glance-registry-paste.ini $GLANCE_REGISTRY_PASTE_INI |
... | ... |
@@ -58,6 +58,8 @@ function install_rpc_backend() { |
58 | 58 |
install_package qpid-cpp-server-daemon |
59 | 59 |
elif is_ubuntu; then |
60 | 60 |
install_package qpidd |
61 |
+ sudo sed -i '/PLAIN/!s/mech_list: /mech_list: PLAIN /' /etc/sasl2/qpidd.conf |
|
62 |
+ sudo chmod o+r /etc/qpid/qpidd.sasldb |
|
61 | 63 |
else |
62 | 64 |
exit_distro_not_supported "qpid installation" |
63 | 65 |
fi |
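Review bot: The added `sudo chmod o+r /etc/qpid/qpidd.sasldb` makes the SASL credential database readable by every local account, and the `strings` call added in the iniset_rpc_backend hunk shows that the admin password sits in that file as recoverable text. Grant read access only to the account the broker runs as, for example `sudo chgrp qpidd /etc/qpid/qpidd.sasldb` followed by `sudo chmod 640 /etc/qpid/qpidd.sasldb` (the group name is an assumption; confirm what the Ubuntu package creates). Enabling PLAIN in the sed line above also means the password crosses the wire unprotected unless the broker connection uses TLS, which deserves a comment such as `# PLAIN sends the password in clear; acceptable only for a single-host dev setup`. install_rpc_backend starts and ends outside this hunk.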
... | ... |
@@ -100,6 +102,11 @@ function iniset_rpc_backend() { |
100 | 100 |
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_zmq |
101 | 101 |
elif is_service_enabled qpid; then |
102 | 102 |
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_qpid |
103 |
+ if is_ubuntu; then |
|
104 |
+ QPID_PASSWORD=`sudo strings /etc/qpid/qpidd.sasldb | grep -B1 admin | head -1` |
|
105 |
+ iniset $file $section qpid_password $QPID_PASSWORD |
|
106 |
+ iniset $file $section qpid_username admin |
|
107 |
+ fi |
|
103 | 108 |
elif is_service_enabled rabbit || { [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; }; then |
104 | 109 |
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu |
105 | 110 |
iniset $file $section rabbit_host $RABBIT_HOST |
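Review bot: `$QPID_PASSWORD` is expanded unquoted and unchecked in the added `iniset $file $section qpid_password $QPID_PASSWORD`, so an empty or multi-word result from the `strings ... | grep -B1 admin | head -1` pipeline drops or shifts iniset's arguments and writes a blank or wrong credential. That pipeline depends on the on-disk layout of the sasldb and on `admin` matching a single record, so it can silently pick up an unrelated string. Quote the value as `iniset $file $section qpid_password "$QPID_PASSWORD"`, and return with an error before the two iniset calls when `[ -z "$QPID_PASSWORD" ]`. Setting a known admin password with `saslpasswd2` at install time would remove the need to scrape the database at all. The password is also copied into every service config passed as `$file`, so those files should not be world-readable. iniset_rpc_backend starts and ends outside this hunk.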