Newer versions of rabbitmq (3.3 and later) do not allow the 'guest'
user to connect on non-local interfaces.
- Added a new config RABBIT_USERID which defaults to stackrabbit
- Invoked config scripts using that variable
Adopted from:
https://review.openstack.org/#/c/107779/
Change-Id: I43a231c9611b4cc2e390b603aa3bfb49c915bdc5
Closes-Bug: #1343354
Co-Authored-By: Scott Moser <smoser@ubuntu.com>
@@ -214,6 +214,7 @@ function configure_keystone { |
214 | 214 |
|
215 | 215 |
# Configure rabbitmq credentials |
216 | 216 |
if is_service_enabled rabbit; then |
217 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_userid $RABBIT_USERID |
|
217 | 218 |
iniset $KEYSTONE_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
218 | 219 |
iniset $KEYSTONE_CONF DEFAULT rabbit_host $RABBIT_HOST |
219 | 220 |
fi |
@@ -587,8 +587,8 @@ function init_nova_cells { |
587 | 587 |
fi |
588 | 588 |
|
589 | 589 |
$NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF db sync |
590 |
- $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
591 |
- $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
590 |
+ $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
591 |
+ $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
592 | 592 |
fi |
593 | 593 |
} |
594 | 594 |
|
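Review bot: The two new `cell create` lines still pass `--username=$RABBIT_USERID` and `--password=$RABBIT_PASSWORD` unquoted, while the `rabbit_setuser` helper added in the same change quotes both. RABBIT_PASSWORD comes from `read_password`, so a value containing whitespace or glob characters is word-split or expanded here before it reaches nova-manage. Quote both on each line: `--username="$RABBIT_USERID"` and `--password="$RABBIT_PASSWORD"`. The password also remains readable on the nova-manage argv to any local user via the process list; that is pre-existing, but a short comment on the line such as `# password is exposed on argv to local users` would flag it. init_nova_cells begins before this hunk.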
@@ -7,7 +7,7 @@ |
7 | 7 |
# Dependencies: |
8 | 8 |
# |
9 | 9 |
# - ``functions`` file |
10 |
-# - ``RABBIT_{HOST|PASSWORD}`` must be defined when RabbitMQ is used |
|
10 |
+# - ``RABBIT_{HOST|PASSWORD|USERID}`` must be defined when RabbitMQ is used |
|
11 | 11 |
# - ``RPC_MESSAGING_PROTOCOL`` option for configuring the messaging protocol |
12 | 12 |
|
13 | 13 |
# ``stack.sh`` calls the entry points in this order: |
@@ -68,6 +68,9 @@ function check_rpc_backend { |
68 | 68 |
function cleanup_rpc_backend { |
69 | 69 |
if is_service_enabled rabbit; then |
70 | 70 |
# Obliterate rabbitmq-server |
71 |
+ if [ -n "$RABBIT_USERID" ]; then |
|
72 |
+ sudo rabbitmqctl delete_user "$RABBIT_USERID" |
|
73 |
+ fi |
|
71 | 74 |
uninstall_package rabbitmq-server |
72 | 75 |
sudo killall epmd || sudo killall -9 epmd |
73 | 76 |
if is_ubuntu; then |
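Review bot: The new `sudo rabbitmqctl delete_user "$RABBIT_USERID"` has no failure handling, so if this path runs under `set -e` a failing delete — user already removed, broker not running — aborts cleanup before `uninstall_package rabbitmq-server` and the epmd kill that follow. Since the package removal below drops the user anyway, make the deletion explicitly best-effort: `sudo rabbitmqctl delete_user "$RABBIT_USERID" || true  # best-effort; package removal below drops it anyway`. cleanup_rpc_backend continues past this hunk.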
@@ -180,15 +183,16 @@ function restart_rpc_backend { |
180 | 180 |
# service is not started by default |
181 | 181 |
restart_service rabbitmq-server |
182 | 182 |
fi |
183 |
+ rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" |
|
183 | 184 |
# change the rabbit password since the default is "guest" |
184 |
- sudo rabbitmqctl change_password guest $RABBIT_PASSWORD && break |
|
185 |
+ sudo rabbitmqctl change_password $RABBIT_USERID $RABBIT_PASSWORD && break |
|
185 | 186 |
[[ $i -eq "10" ]] && die $LINENO "Failed to set rabbitmq password" |
186 | 187 |
done |
187 | 188 |
if is_service_enabled n-cell; then |
188 | 189 |
# Add partitioned access for the child cell |
189 | 190 |
if [ -z `sudo rabbitmqctl list_vhosts | grep child_cell` ]; then |
190 | 191 |
sudo rabbitmqctl add_vhost child_cell |
191 |
- sudo rabbitmqctl set_permissions -p child_cell guest ".*" ".*" ".*" |
|
192 |
+ sudo rabbitmqctl set_permissions -p child_cell $RABBIT_USERID ".*" ".*" ".*" |
|
192 | 193 |
fi |
193 | 194 |
fi |
194 | 195 |
elif is_service_enabled qpid; then |
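Review bot: The new `rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD"` already adds the user with that password or changes it, so the retained `sudo rabbitmqctl change_password $RABBIT_USERID $RABBIT_PASSWORD && break` that follows is redundant and its comment about the default being "guest" is now stale. The helper's return status is also ignored: the surrounding loop exists to retry while the broker comes up, but under `set -e` a failed `list_users` inside the helper ends the script on the first attempt instead of retrying. Replace the call and the change_password line with `rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" && break` under a comment such as `# create or update the devstack rabbit user; retried until the broker answers`. Separately, the old code re-passworded `guest` and the new code leaves it at its default; on brokers older than 3.3, where per the commit message remote guest logins are still accepted, that default credential remains reachable, so deleting or re-passwording `guest` here is worth considering. restart_rpc_backend starts before and ends after this hunk.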
@@ -225,6 +229,7 @@ function iniset_rpc_backend { |
225 | 225 |
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu |
226 | 226 |
iniset $file $section rabbit_hosts $RABBIT_HOST |
227 | 227 |
iniset $file $section rabbit_password $RABBIT_PASSWORD |
228 |
+ iniset $file $section rabbit_userid $RABBIT_USERID |
|
228 | 229 |
fi |
229 | 230 |
} |
230 | 231 |
|
@@ -239,6 +244,21 @@ function qpid_is_supported { |
239 | 239 |
( ! is_suse ) |
240 | 240 |
} |
241 | 241 |
|
242 |
+function rabbit_setuser { |
|
243 |
+ local user="$1" pass="$2" found="" out="" |
|
244 |
+ out=$(sudo rabbitmqctl list_users) || |
|
245 |
+ { echo "failed to list users" 1>&2; return 1; } |
|
246 |
+ found=$(echo "$out" | awk '$1 == user { print $1 }' "user=$user") |
|
247 |
+ if [ "$found" = "$user" ]; then |
|
248 |
+ sudo rabbitmqctl change_password "$user" "$pass" || |
|
249 |
+ { echo "failed changing pass for '$user'" 1>&2; return 1; } |
|
250 |
+ else |
|
251 |
+ sudo rabbitmqctl add_user "$user" "$pass" || |
|
252 |
+ { echo "failed changing pass for $user"; return 1; } |
|
253 |
+ fi |
|
254 |
+ sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*" |
|
255 |
+} |
|
256 |
+ |
|
242 | 257 |
# Set up the various configuration files used by the qpidd broker |
243 | 258 |
function _configure_qpid { |
244 | 259 |
|
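Review bot: In the `add_user` failure branch the message `failed changing pass for $user` names the wrong operation and, unlike the other two error paths, goes to stdout rather than stderr; change it to `{ echo "failed adding user '$user'" 1>&2; return 1; }`. The final `sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*"` is the only rabbitmqctl call whose failure is not reported, so a user that exists but was not granted access to the default vhost is still returned as success; append `|| { echo "failed setting permissions for '$user'" 1>&2; return 1; }`. Passing the name to awk as an `user=$user` operand works, but `awk -v user="$user" '$1 == user { print $1 }'` is the conventional form and reads more clearly. The function also lacks a header comment; something like `# Create rabbit user $1 with password $2, or reset the password if the user exists, then grant it full permissions on the default vhost` matches the file's style.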
@@ -134,6 +134,7 @@ function configure_trove { |
134 | 134 |
rm -f $TROVE_CONF_DIR/trove-taskmanager.conf |
135 | 135 |
rm -f $TROVE_CONF_DIR/trove-conductor.conf |
136 | 136 |
|
137 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
137 | 138 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
138 | 139 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT sql_connection `database_connection_url trove` |
139 | 140 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT default_datastore $TROVE_DATASTORE_TYPE |
@@ -145,6 +146,7 @@ function configure_trove { |
145 | 145 |
if is_service_enabled tr-tmgr; then |
146 | 146 |
TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION |
147 | 147 |
|
148 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
148 | 149 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
149 | 150 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove` |
150 | 151 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT taskmanager_manager trove.taskmanager.manager.Manager |
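Review bot: The added `rabbit_userid` line in the taskmanager block writes to `trove.conf` while every neighbouring line in that block targets `trove-taskmanager.conf`; the same copy-paste appears in the conductor block (`trove-conductor.conf`) and the guest agent block (`trove-guestagent.conf`). As written, trove.conf receives the same key four times and the three per-service files never get `rabbit_userid`, so those services presumably fall back to the default user — the very guest account this change moves away from — with the guest agent the worst case, since it is pointed at `$TROVE_HOST_GATEWAY`, a non-local interface. Change the file path in each of the three lines, e.g. `iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_userid $RABBIT_USERID`. configure_trove begins before and continues after these hunks.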
@@ -157,6 +159,7 @@ function configure_trove { |
157 | 157 |
|
158 | 158 |
# (Re)create trove conductor conf file if needed |
159 | 159 |
if is_service_enabled tr-cond; then |
160 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
160 | 161 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
161 | 162 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT sql_connection `database_connection_url trove` |
162 | 163 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT nova_proxy_admin_user radmin |
@@ -168,6 +171,7 @@ function configure_trove { |
168 | 168 |
fi |
169 | 169 |
|
170 | 170 |
# Set up Guest Agent conf |
171 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
171 | 172 |
iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT rabbit_host $TROVE_HOST_GATEWAY |
172 | 173 |
iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
173 | 174 |
iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT nova_proxy_admin_user radmin |
@@ -643,6 +643,7 @@ initialize_database_backends && echo "Using $DATABASE_TYPE database backend" || |
643 | 643 |
|
644 | 644 |
# Rabbit connection info |
645 | 645 |
if is_service_enabled rabbit; then |
646 |
+ RABBIT_USERID=${RABBIT_USERID:-stackrabbit} |
|
646 | 647 |
RABBIT_HOST=${RABBIT_HOST:-$SERVICE_HOST} |
647 | 648 |
read_password RABBIT_PASSWORD "ENTER A PASSWORD TO USE FOR RABBIT." |
648 | 649 |
fi |
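Review bot: The new default `RABBIT_USERID=${RABBIT_USERID:-stackrabbit}` carries no comment explaining why a dedicated user replaces the historic guest account, and a reader of stack.sh will not see the commit message. Add above it `# RabbitMQ 3.3+ refuses the 'guest' user on non-loopback interfaces, so a dedicated user is created by rabbit_setuser`. The value is used unquoted with iniset and rabbitmqctl elsewhere in this change, so it is implicitly expected to contain no whitespace; stating that constraint in the same comment would help.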