Newer versions of rabbitmq (3.3 and later) do not allow the 'guest'
user to connect over non-local interfaces.
- Added a new config RABBIT_USERID which defaults to stackrabbit
- Invoked config scripts using that variable
Adopted from:
https://review.openstack.org/#/c/107779/
Change-Id: I43a231c9611b4cc2e390b603aa3bfb49c915bdc5
Closes-Bug: #1343354
Co-Authored-By: Scott Moser <smoser@ubuntu.com>
@@ -214,6 +214,7 @@ function configure_keystone {
|
| 214 | 214 |
|
| 215 | 215 |
# Configure rabbitmq credentials |
| 216 | 216 |
if is_service_enabled rabbit; then |
| 217 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_userid $RABBIT_USERID |
|
| 217 | 218 |
iniset $KEYSTONE_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
| 218 | 219 |
iniset $KEYSTONE_CONF DEFAULT rabbit_host $RABBIT_HOST |
| 219 | 220 |
fi |
@@ -587,8 +587,8 @@ function init_nova_cells {
|
| 587 | 587 |
fi |
| 588 | 588 |
|
| 589 | 589 |
$NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF db sync |
| 590 |
- $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
| 591 |
- $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
| 590 |
+ $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
| 591 |
+ $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
| 592 | 592 |
fi |
| 593 | 593 |
} |
| 594 | 594 |
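Review bot: The two rewritten nova-manage lines now carry an identical run of credential options (`--username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD`), and since both are being touched anyway they would be easier to keep in sync as a single local array, e.g. `local rabbit_opts=(--username="$RABBIT_USERID" --hostname="$RABBIT_HOST" --port=5672 --password="$RABBIT_PASSWORD")` expanded with `"${rabbit_opts[@]}"` in each call. That would also quote the expansions, which the new lines leave bare like the rest of init_nova_cells. The password was already on the command line before this change, where it is visible to other local users in the process list; that is pre-existing, but a comment acknowledging it would help the next reader. init_nova_cells starts outside this hunk.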
|
@@ -7,7 +7,7 @@ |
| 7 | 7 |
# Dependencies: |
| 8 | 8 |
# |
| 9 | 9 |
# - ``functions`` file |
| 10 |
-# - ``RABBIT_{HOST|PASSWORD}`` must be defined when RabbitMQ is used
|
|
| 10 |
+# - ``RABBIT_{HOST|PASSWORD|USERID}`` must be defined when RabbitMQ is used
|
|
| 11 | 11 |
# - ``RPC_MESSAGING_PROTOCOL`` option for configuring the messaging protocol |
| 12 | 12 |
|
| 13 | 13 |
# ``stack.sh`` calls the entry points in this order: |
@@ -68,6 +68,9 @@ function check_rpc_backend {
|
| 68 | 68 |
function cleanup_rpc_backend {
|
| 69 | 69 |
if is_service_enabled rabbit; then |
| 70 | 70 |
# Obliterate rabbitmq-server |
| 71 |
+ if [ -n "$RABBIT_USERID" ]; then |
|
| 72 |
+ sudo rabbitmqctl delete_user "$RABBIT_USERID" |
|
| 73 |
+ fi |
|
| 71 | 74 |
uninstall_package rabbitmq-server |
| 72 | 75 |
sudo killall epmd || sudo killall -9 epmd |
| 73 | 76 |
if is_ubuntu; then |
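Review bot: The exit status of the new `sudo rabbitmqctl delete_user "$RABBIT_USERID"` is discarded, so when the broker is not running at cleanup time (rabbitmqctl needs a reachable node) the account silently survives and may still be present if the persisted data directory is reused on a later reinstall — I cannot confirm the reuse from this hunk, but the failure is worth surfacing. A one-line diagnostic keeps cleanup best-effort while making the miss visible: `sudo rabbitmqctl delete_user "$RABBIT_USERID" || echo "warning: could not delete rabbitmq user '$RABBIT_USERID'" >&2`. cleanup_rpc_backend continues past the end of this hunk.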
@@ -180,15 +183,16 @@ function restart_rpc_backend {
|
| 180 | 180 |
# service is not started by default |
| 181 | 181 |
restart_service rabbitmq-server |
| 182 | 182 |
fi |
| 183 |
+ rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" |
|
| 183 | 184 |
# change the rabbit password since the default is "guest" |
| 184 |
- sudo rabbitmqctl change_password guest $RABBIT_PASSWORD && break |
|
| 185 |
+ sudo rabbitmqctl change_password $RABBIT_USERID $RABBIT_PASSWORD && break |
|
| 185 | 186 |
[[ $i -eq "10" ]] && die $LINENO "Failed to set rabbitmq password" |
| 186 | 187 |
done |
| 187 | 188 |
if is_service_enabled n-cell; then |
| 188 | 189 |
# Add partitioned access for the child cell |
| 189 | 190 |
if [ -z `sudo rabbitmqctl list_vhosts | grep child_cell` ]; then |
| 190 | 191 |
sudo rabbitmqctl add_vhost child_cell |
| 191 |
- sudo rabbitmqctl set_permissions -p child_cell guest ".*" ".*" ".*" |
|
| 192 |
+ sudo rabbitmqctl set_permissions -p child_cell $RABBIT_USERID ".*" ".*" ".*" |
|
| 192 | 193 |
fi |
| 193 | 194 |
fi |
| 194 | 195 |
elif is_service_enabled qpid; then |
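Review bot: The new `rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD"` call discards its return status, and the `change_password $RABBIT_USERID $RABBIT_PASSWORD && break` right after it repeats work rabbit_setuser already does (it changes the password when the user exists and creates it otherwise), so only the second, redundant command decides whether the retry loop exits. Since the loop (`for`/`done`, with the `[[ $i -eq "10" ]]` guard) starts outside this hunk, the simplest fix is to make the helper the retry condition and drop the duplicate: `rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" && break`. The comment `# change the rabbit password since the default is "guest"` is now stale and should read something like `# create/update the rabbit user and password (rabbitmq 3.3+ restricts 'guest' to loopback)`. Note also that the new line quotes its expansions while the change_password line does not; whichever survives should quote both.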
@@ -225,6 +229,7 @@ function iniset_rpc_backend {
|
| 225 | 225 |
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu
|
| 226 | 226 |
iniset $file $section rabbit_hosts $RABBIT_HOST |
| 227 | 227 |
iniset $file $section rabbit_password $RABBIT_PASSWORD |
| 228 |
+ iniset $file $section rabbit_userid $RABBIT_USERID |
|
| 228 | 229 |
fi |
| 229 | 230 |
} |
| 230 | 231 |
|
@@ -239,6 +244,21 @@ function qpid_is_supported {
|
| 239 | 239 |
( ! is_suse ) |
| 240 | 240 |
} |
| 241 | 241 |
|
| 242 |
+function rabbit_setuser {
|
|
| 243 |
+ local user="$1" pass="$2" found="" out="" |
|
| 244 |
+ out=$(sudo rabbitmqctl list_users) || |
|
| 245 |
+ { echo "failed to list users" 1>&2; return 1; }
|
|
| 246 |
+ found=$(echo "$out" | awk '$1 == user { print $1 }' "user=$user")
|
|
| 247 |
+ if [ "$found" = "$user" ]; then |
|
| 248 |
+ sudo rabbitmqctl change_password "$user" "$pass" || |
|
| 249 |
+ { echo "failed changing pass for '$user'" 1>&2; return 1; }
|
|
| 250 |
+ else |
|
| 251 |
+ sudo rabbitmqctl add_user "$user" "$pass" || |
|
| 252 |
+ { echo "failed changing pass for $user"; return 1; }
|
|
| 253 |
+ fi |
|
| 254 |
+ sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*" |
|
| 255 |
+} |
|
| 256 |
+ |
|
| 242 | 257 |
# Set up the various configuration files used by the qpidd broker |
| 243 | 258 |
function _configure_qpid {
|
| 244 | 259 |
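Review bot: The add_user failure branch in rabbit_setuser prints `"failed changing pass for $user"` without `1>&2`, so the message goes to stdout and describes the wrong operation; it should be `{ echo "failed adding user '$user'" 1>&2; return 1; }` to match the change_password branch. The final `sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*"` is also unchecked, leaving a user that exists but cannot reach the default vhost with no diagnostic; `|| { echo "failed setting permissions for '$user'" 1>&2; return 1; }` would make it consistent with the other steps. The password is handed to rabbitmqctl on the command line, where it is briefly visible to other local users via the process list; if rabbitmqctl offers no stdin form here, a comment saying so is worth adding. The function also has no header comment; a short block naming the arguments (`$1` user, `$2` password) and that it creates-or-updates the account and grants full permissions on the default vhost would follow the file's existing style.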
|
@@ -134,6 +134,7 @@ function configure_trove {
|
| 134 | 134 |
rm -f $TROVE_CONF_DIR/trove-taskmanager.conf |
| 135 | 135 |
rm -f $TROVE_CONF_DIR/trove-conductor.conf |
| 136 | 136 |
|
| 137 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
| 137 | 138 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 138 | 139 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT sql_connection `database_connection_url trove` |
| 139 | 140 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT default_datastore $TROVE_DATASTORE_TYPE |
@@ -145,6 +146,7 @@ function configure_trove {
|
| 145 | 145 |
if is_service_enabled tr-tmgr; then |
| 146 | 146 |
TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION |
| 147 | 147 |
|
| 148 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
| 148 | 149 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 149 | 150 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove` |
| 150 | 151 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT taskmanager_manager trove.taskmanager.manager.Manager |
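Review bot: The added `iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID` in the tr-tmgr block writes to trove.conf, but every surrounding line in this block configures `trove-taskmanager.conf`, so the taskmanager never receives rabbit_userid and will presumably fall back to the library default account, which is exactly what this change is trying to move away from. The line should be `iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_userid $RABBIT_USERID`. The same copy-paste slip appears in the two following hunks of configure_trove: the tr-cond block should target `trove-conductor.conf` and the Guest Agent block `trove-guestagent.conf` (the latter also sets its own rabbit_host, so it cannot inherit anything from trove.conf). configure_trove begins and ends outside these hunks.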
@@ -157,6 +159,7 @@ function configure_trove {
|
| 157 | 157 |
|
| 158 | 158 |
# (Re)create trove conductor conf file if needed |
| 159 | 159 |
if is_service_enabled tr-cond; then |
| 160 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
| 160 | 161 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 161 | 162 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT sql_connection `database_connection_url trove` |
| 162 | 163 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT nova_proxy_admin_user radmin |
@@ -168,6 +171,7 @@ function configure_trove {
|
| 168 | 168 |
fi |
| 169 | 169 |
|
| 170 | 170 |
# Set up Guest Agent conf |
| 171 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
| 171 | 172 |
iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT rabbit_host $TROVE_HOST_GATEWAY |
| 172 | 173 |
iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 173 | 174 |
iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT nova_proxy_admin_user radmin |
@@ -643,6 +643,7 @@ initialize_database_backends && echo "Using $DATABASE_TYPE database backend" || |
| 643 | 643 |
|
| 644 | 644 |
# Rabbit connection info |
| 645 | 645 |
if is_service_enabled rabbit; then |
| 646 |
+ RABBIT_USERID=${RABBIT_USERID:-stackrabbit}
|
|
| 646 | 647 |
RABBIT_HOST=${RABBIT_HOST:-$SERVICE_HOST}
|
| 647 | 648 |
read_password RABBIT_PASSWORD "ENTER A PASSWORD TO USE FOR RABBIT." |
| 648 | 649 |
fi |
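Review bot: `RABBIT_USERID=${RABBIT_USERID:-stackrabbit}` is introduced without saying why the account is no longer the broker default, so a future reader is likely to set it back to guest and hit the loopback restriction this commit describes. A one-line comment above it would preserve the reason: `# Use a dedicated account: rabbitmq 3.3+ restricts 'guest' to loopback connections`. The surrounding `RABBIT_HOST` and `read_password` lines are unchanged, so the default is only applied when the rabbit service is enabled, which matches how the variable is consumed elsewhere in the change.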