Browse code
Take an optional rabbit user name as input
Newer versions of rabbitmq (3.3 and later) do not allow the 'guest'
user to access on non-local interfaces.
- Added a new config RABBIT_USERID which defaults to stackrabbit
- Invoked config scripts using that variable
Adopted from:
https://review.openstack.org/#/c/107779/
Backported to stable/icehouse from:
d5b74c688f Take an optional rabbit user name as input
https://review.openstack.org/141156
Conflicts:
lib/keystone
lib/rpc_backend
lib/trove
Change-Id: I034f3eda09827451b5437c430049aa2ebfd67b2e
Closes-Bug: #1343354
Co-Authored-By: Scott Moser <smoser@ubuntu.com>
Abhishek Chanda authored on 2014/12/12 05:45:55Showing 5 changed files
| ... | ... |
@@ -178,6 +178,13 @@ function configure_keystone {
|
| 178 | 178 |
iniset $KEYSTONE_CONF assignment driver "keystone.assignment.backends.$KEYSTONE_ASSIGNMENT_BACKEND.Assignment" |
| 179 | 179 |
fi |
| 180 | 180 |
|
| 181 |
+ # Configure rabbitmq credentials |
|
| 182 |
+ if is_service_enabled rabbit; then |
|
| 183 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_userid $RABBIT_USERID |
|
| 184 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
|
| 185 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_host $RABBIT_HOST |
|
| 186 |
+ fi |
|
| 187 |
+ |
|
| 181 | 188 |
# Set the URL advertised in the ``versions`` structure returned by the '/' route |
| 182 | 189 |
iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/" |
| 183 | 190 |
iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/" |
| ... | ... |
@@ -591,8 +591,8 @@ function init_nova_cells {
|
| 591 | 591 |
fi |
| 592 | 592 |
|
| 593 | 593 |
$NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF db sync |
| 594 |
- $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
| 595 |
- $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
| 594 |
+ $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
| 595 |
+ $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
| 596 | 596 |
fi |
| 597 | 597 |
} |
| 598 | 598 |
|
| ... | ... |
@@ -5,7 +5,7 @@ |
| 5 | 5 |
# Dependencies: |
| 6 | 6 |
# |
| 7 | 7 |
# - ``functions`` file |
| 8 |
-# - ``RABBIT_{HOST|PASSWORD}`` must be defined when RabbitMQ is used
|
|
| 8 |
+# - ``RABBIT_{HOST|PASSWORD|USERID}`` must be defined when RabbitMQ is used
|
|
| 9 | 9 |
|
| 10 | 10 |
# ``stack.sh`` calls the entry points in this order: |
| 11 | 11 |
# |
| ... | ... |
@@ -63,6 +63,9 @@ function check_rpc_backend {
|
| 63 | 63 |
function cleanup_rpc_backend {
|
| 64 | 64 |
if is_service_enabled rabbit; then |
| 65 | 65 |
# Obliterate rabbitmq-server |
| 66 |
+ if [ -n "$RABBIT_USERID" ]; then |
|
| 67 |
+ sudo rabbitmqctl delete_user "$RABBIT_USERID" |
|
| 68 |
+ fi |
|
| 66 | 69 |
uninstall_package rabbitmq-server |
| 67 | 70 |
sudo killall epmd || sudo killall -9 epmd |
| 68 | 71 |
if is_ubuntu; then |
| ... | ... |
@@ -147,15 +150,16 @@ function restart_rpc_backend {
|
| 147 | 147 |
# service is not started by default |
| 148 | 148 |
restart_service rabbitmq-server |
| 149 | 149 |
fi |
| 150 |
+ rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" |
|
| 150 | 151 |
# change the rabbit password since the default is "guest" |
| 151 |
- sudo rabbitmqctl change_password guest $RABBIT_PASSWORD && break |
|
| 152 |
+ sudo rabbitmqctl change_password $RABBIT_USERID $RABBIT_PASSWORD && break |
|
| 152 | 153 |
[[ $i -eq "10" ]] && die $LINENO "Failed to set rabbitmq password" |
| 153 | 154 |
done |
| 154 | 155 |
if is_service_enabled n-cell; then |
| 155 | 156 |
# Add partitioned access for the child cell |
| 156 | 157 |
if [ -z `sudo rabbitmqctl list_vhosts | grep child_cell` ]; then |
| 157 | 158 |
sudo rabbitmqctl add_vhost child_cell |
| 158 |
- sudo rabbitmqctl set_permissions -p child_cell guest ".*" ".*" ".*" |
|
| 159 |
+ sudo rabbitmqctl set_permissions -p child_cell $RABBIT_USERID ".*" ".*" ".*" |
|
| 159 | 160 |
fi |
| 160 | 161 |
fi |
| 161 | 162 |
elif is_service_enabled qpid; then |
| ... | ... |
@@ -188,6 +192,7 @@ function iniset_rpc_backend {
|
| 188 | 188 |
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu
|
| 189 | 189 |
iniset $file $section rabbit_hosts $RABBIT_HOST |
| 190 | 190 |
iniset $file $section rabbit_password $RABBIT_PASSWORD |
| 191 |
+ iniset $file $section rabbit_userid $RABBIT_USERID |
|
| 191 | 192 |
fi |
| 192 | 193 |
} |
| 193 | 194 |
|
| ... | ... |
@@ -202,6 +207,21 @@ function qpid_is_supported {
|
| 202 | 202 |
( ! is_suse ) |
| 203 | 203 |
} |
| 204 | 204 |
|
| 205 |
+function rabbit_setuser {
|
|
| 206 |
+ local user="$1" pass="$2" found="" out="" |
|
| 207 |
+ out=$(sudo rabbitmqctl list_users) || |
|
| 208 |
+ { echo "failed to list users" 1>&2; return 1; }
|
|
| 209 |
+ found=$(echo "$out" | awk '$1 == user { print $1 }' "user=$user")
|
|
| 210 |
+ if [ "$found" = "$user" ]; then |
|
| 211 |
+ sudo rabbitmqctl change_password "$user" "$pass" || |
|
| 212 |
+ { echo "failed changing pass for '$user'" 1>&2; return 1; }
|
|
| 213 |
+ else |
|
| 214 |
+ sudo rabbitmqctl add_user "$user" "$pass" || |
|
| 215 |
+ { echo "failed changing pass for $user"; return 1; }
|
|
| 216 |
+ fi |
|
| 217 |
+ sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*" |
|
| 218 |
+} |
|
| 219 |
+ |
|
| 205 | 220 |
|
| 206 | 221 |
# Restore xtrace |
| 207 | 222 |
$XTRACE |
| ... | ... |
@@ -141,6 +141,7 @@ function configure_trove {
|
| 141 | 141 |
rm -f $TROVE_CONF_DIR/trove-taskmanager.conf |
| 142 | 142 |
rm -f $TROVE_CONF_DIR/trove-conductor.conf |
| 143 | 143 |
|
| 144 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
| 144 | 145 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 145 | 146 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT sql_connection `database_connection_url trove` |
| 146 | 147 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT add_addresses True |
| ... | ... |
@@ -148,6 +149,7 @@ function configure_trove {
|
| 148 | 148 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT cinder_url $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1 |
| 149 | 149 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT swift_url http://$SERVICE_HOST:8080/v1/AUTH_ |
| 150 | 150 |
|
| 151 |
+ iniset $TROVE_LOCAL_CONF_DIR/trove-guestagent.conf.sample DEFAULT rabbit_userid $RABBIT_USERID |
|
| 151 | 152 |
iniset $TROVE_LOCAL_CONF_DIR/trove-guestagent.conf.sample DEFAULT rabbit_password $RABBIT_PASSWORD |
| 152 | 153 |
sed -i "s/localhost/$NETWORK_GATEWAY/g" $TROVE_LOCAL_CONF_DIR/trove-guestagent.conf.sample |
| 153 | 154 |
|
| ... | ... |
@@ -158,6 +160,7 @@ function configure_trove {
|
| 158 | 158 |
if is_service_enabled tr-tmgr; then |
| 159 | 159 |
TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT//v$IDENTITY_API_VERSION |
| 160 | 160 |
|
| 161 |
+ iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
| 161 | 162 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 162 | 163 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove` |
| 163 | 164 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT taskmanager_manager trove.taskmanager.manager.Manager |
| ... | ... |
@@ -173,6 +176,7 @@ function configure_trove {
|
| 173 | 173 |
|
| 174 | 174 |
# (Re)create trove conductor conf file if needed |
| 175 | 175 |
if is_service_enabled tr-cond; then |
| 176 |
+ iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
| 176 | 177 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
| 177 | 178 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT sql_connection `database_connection_url trove` |
| 178 | 179 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT nova_proxy_admin_user radmin |
| ... | ... |
@@ -429,6 +429,7 @@ initialize_database_backends && echo "Using $DATABASE_TYPE database backend" || |
| 429 | 429 |
|
| 430 | 430 |
# Rabbit connection info |
| 431 | 431 |
if is_service_enabled rabbit; then |
| 432 |
+ RABBIT_USERID=${RABBIT_USERID:-stackrabbit}
|
|
| 432 | 433 |
RABBIT_HOST=${RABBIT_HOST:-$SERVICE_HOST}
|
| 433 | 434 |
read_password RABBIT_PASSWORD "ENTER A PASSWORD TO USE FOR RABBIT." |
| 434 | 435 |
fi |