Newer versions of rabbitmq (3.3 and later) do not allow the built-in 'guest'
user to connect from anything other than the loopback interface.
- Added a new config RABBIT_USERID which defaults to stackrabbit
- Invoked config scripts using that variable
Adopted from:
https://review.openstack.org/#/c/107779/
Backported to stable/icehouse from:
d5b74c688f Take an optional rabbit user name as input
https://review.openstack.org/141156
Conflicts:
lib/keystone
lib/rpc_backend
lib/trove
Change-Id: I034f3eda09827451b5437c430049aa2ebfd67b2e
Closes-Bug: #1343354
Co-Authored-By: Scott Moser <smoser@ubuntu.com>
... | ... |
@@ -178,6 +178,13 @@ function configure_keystone { |
178 | 178 |
iniset $KEYSTONE_CONF assignment driver "keystone.assignment.backends.$KEYSTONE_ASSIGNMENT_BACKEND.Assignment" |
179 | 179 |
fi |
180 | 180 |
|
181 |
+ # Configure rabbitmq credentials |
|
182 |
+ if is_service_enabled rabbit; then |
|
183 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_userid $RABBIT_USERID |
|
184 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_password $RABBIT_PASSWORD |
|
185 |
+ iniset $KEYSTONE_CONF DEFAULT rabbit_host $RABBIT_HOST |
|
186 |
+ fi |
|
187 |
+ |
|
181 | 188 |
# Set the URL advertised in the ``versions`` structure returned by the '/' route |
182 | 189 |
iniset $KEYSTONE_CONF DEFAULT public_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(public_port)s/" |
183 | 190 |
iniset $KEYSTONE_CONF DEFAULT admin_endpoint "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:%(admin_port)s/" |
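Review bot: The three iniset calls at new lines 183-185 hand-write the broker credentials that the shared iniset_rpc_backend helper (touched later in this same change) already emits, and they disagree with it on the host key: the helper writes `rabbit_hosts` while this block writes `rabbit_host`. Unless keystone on this branch only understands the singular key, routing it through the helper would keep the credential keys in one place so the next change to the rabbit user does not have to be replicated here. If keystone has to be configured directly for a reason, a one-line comment stating it would stop a later tidy-up from reintroducing a mismatch: `# configured directly rather than via iniset_rpc_backend because <reason>`. configure_keystone starts and ends outside this hunk.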
... | ... |
@@ -591,8 +591,8 @@ function init_nova_cells { |
591 | 591 |
fi |
592 | 592 |
|
593 | 593 |
$NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF db sync |
594 |
- $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
595 |
- $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
594 |
+ $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1 |
|
595 |
+ $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1 |
|
596 | 596 |
fi |
597 | 597 |
} |
598 | 598 |
|
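Review bot: Both rewritten cell create lines at new 594-595 still pass the broker secret as `--password=$RABBIT_PASSWORD` on the command line, where any local user can read it via ps and where it is echoed verbatim into the log whenever xtrace is on (the lib files restore it through $XTRACE, visible at the end of this change). The commit only swaps the username, so this is pre-existing, but since these lines are being touched it is a cheap moment to wrap them: `local xtrace; xtrace=$(set +o | grep xtrace); set +o xtrace` before the two calls and `$xtrace` after, so the secret at least stays out of the stack.sh log. The two expansions should also be double-quoted (`--username="$RABBIT_USERID"`, `--password="$RABBIT_PASSWORD"`) so a password containing whitespace or glob characters is not split into extra arguments. init_nova_cells starts outside this hunk.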
... | ... |
@@ -5,7 +5,7 @@ |
5 | 5 |
# Dependencies: |
6 | 6 |
# |
7 | 7 |
# - ``functions`` file |
8 |
-# - ``RABBIT_{HOST|PASSWORD}`` must be defined when RabbitMQ is used |
|
8 |
+# - ``RABBIT_{HOST|PASSWORD|USERID}`` must be defined when RabbitMQ is used |
|
9 | 9 |
|
10 | 10 |
# ``stack.sh`` calls the entry points in this order: |
11 | 11 |
# |
... | ... |
@@ -63,6 +63,9 @@ function check_rpc_backend { |
63 | 63 |
function cleanup_rpc_backend { |
64 | 64 |
if is_service_enabled rabbit; then |
65 | 65 |
# Obliterate rabbitmq-server |
66 |
+ if [ -n "$RABBIT_USERID" ]; then |
|
67 |
+ sudo rabbitmqctl delete_user "$RABBIT_USERID" |
|
68 |
+ fi |
|
66 | 69 |
uninstall_package rabbitmq-server |
67 | 70 |
sudo killall epmd || sudo killall -9 epmd |
68 | 71 |
if is_ubuntu; then |
... | ... |
@@ -147,15 +150,16 @@ function restart_rpc_backend { |
147 | 147 |
# service is not started by default |
148 | 148 |
restart_service rabbitmq-server |
149 | 149 |
fi |
150 |
+ rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" |
|
150 | 151 |
# change the rabbit password since the default is "guest" |
151 |
- sudo rabbitmqctl change_password guest $RABBIT_PASSWORD && break |
|
152 |
+ sudo rabbitmqctl change_password $RABBIT_USERID $RABBIT_PASSWORD && break |
|
152 | 153 |
[[ $i -eq "10" ]] && die $LINENO "Failed to set rabbitmq password" |
153 | 154 |
done |
154 | 155 |
if is_service_enabled n-cell; then |
155 | 156 |
# Add partitioned access for the child cell |
156 | 157 |
if [ -z `sudo rabbitmqctl list_vhosts | grep child_cell` ]; then |
157 | 158 |
sudo rabbitmqctl add_vhost child_cell |
158 |
- sudo rabbitmqctl set_permissions -p child_cell guest ".*" ".*" ".*" |
|
159 |
+ sudo rabbitmqctl set_permissions -p child_cell $RABBIT_USERID ".*" ".*" ".*" |
|
159 | 160 |
fi |
160 | 161 |
fi |
161 | 162 |
elif is_service_enabled qpid; then |
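Review bot: Nothing in the loop now touches the built-in guest account: new line 150 creates $RABBIT_USERID via rabbit_setuser, but the removed line 151 was the only place guest's default password got replaced, so on a broker older than 3.3 (where guest can still log in from any interface) guest/guest is left live with its stock permissions on `/`. Once rabbit_setuser has succeeded the stock account should be dropped, e.g. `sudo rabbitmqctl delete_user guest || true` (tolerating re-runs where it is already gone), or at least re-keyed as the old code did. The change_password kept at new line 152 repeats what rabbit_setuser just did and the comment `# change the rabbit password since the default is "guest"` above it is now stale; the loop could simply `rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD" && break`. Line 152 also expands both variables unquoted, so a password containing whitespace would be split into extra rabbitmqctl arguments. The retry loop these lines sit in starts outside this hunk.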
... | ... |
@@ -188,6 +192,7 @@ function iniset_rpc_backend { |
188 | 188 |
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu |
189 | 189 |
iniset $file $section rabbit_hosts $RABBIT_HOST |
190 | 190 |
iniset $file $section rabbit_password $RABBIT_PASSWORD |
191 |
+ iniset $file $section rabbit_userid $RABBIT_USERID |
|
191 | 192 |
fi |
192 | 193 |
} |
193 | 194 |
|
... | ... |
@@ -202,6 +207,21 @@ function qpid_is_supported { |
202 | 202 |
( ! is_suse ) |
203 | 203 |
} |
204 | 204 |
|
205 |
+function rabbit_setuser { |
|
206 |
+ local user="$1" pass="$2" found="" out="" |
|
207 |
+ out=$(sudo rabbitmqctl list_users) || |
|
208 |
+ { echo "failed to list users" 1>&2; return 1; } |
|
209 |
+ found=$(echo "$out" | awk '$1 == user { print $1 }' "user=$user") |
|
210 |
+ if [ "$found" = "$user" ]; then |
|
211 |
+ sudo rabbitmqctl change_password "$user" "$pass" || |
|
212 |
+ { echo "failed changing pass for '$user'" 1>&2; return 1; } |
|
213 |
+ else |
|
214 |
+ sudo rabbitmqctl add_user "$user" "$pass" || |
|
215 |
+ { echo "failed changing pass for $user"; return 1; } |
|
216 |
+ fi |
|
217 |
+ sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*" |
|
218 |
+} |
|
219 |
+ |
|
205 | 220 |
|
206 | 221 |
# Restore xtrace |
207 | 222 |
$XTRACE |
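Review bot: The add_user failure branch at new line 215 reports `failed changing pass for $user` — the wrong operation — and, unlike the two other error paths, prints to stdout rather than stderr, so a caller capturing output would swallow it; it should read `{ echo "failed adding user '$user'" 1>&2; return 1; }`. The awk filter at line 209 passes the name as a trailing `user=$user` operand, which awk treats as a file-position assignment and escape-processes; `awk -v user="$user" '$1 == user { print $1 }'` is the conventional form. A short header would also help, since the function both creates-or-rekeys the account and grants it configure/write/read on the default vhost, and the new user is deliberately given no tags (so no management-plugin access) — if that is intentional it deserves saying: `# Ensure $1 exists with password $2 and full permissions on vhost /; no tags are assigned on purpose`. Both add_user and change_password place the password on the rabbitmqctl command line, visible to ps and to xtrace; if the installed rabbitmqctl offers no stdin alternative, toggling xtrace off around these calls keeps the secret out of the log.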
... | ... |
@@ -141,6 +141,7 @@ function configure_trove { |
141 | 141 |
rm -f $TROVE_CONF_DIR/trove-taskmanager.conf |
142 | 142 |
rm -f $TROVE_CONF_DIR/trove-conductor.conf |
143 | 143 |
|
144 |
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
144 | 145 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
145 | 146 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT sql_connection `database_connection_url trove` |
146 | 147 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT add_addresses True |
... | ... |
@@ -148,6 +149,7 @@ function configure_trove { |
148 | 148 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT cinder_url $CINDER_SERVICE_PROTOCOL://$CINDER_SERVICE_HOST:$CINDER_SERVICE_PORT/v1 |
149 | 149 |
iniset $TROVE_CONF_DIR/trove.conf DEFAULT swift_url http://$SERVICE_HOST:8080/v1/AUTH_ |
150 | 150 |
|
151 |
+ iniset $TROVE_LOCAL_CONF_DIR/trove-guestagent.conf.sample DEFAULT rabbit_userid $RABBIT_USERID |
|
151 | 152 |
iniset $TROVE_LOCAL_CONF_DIR/trove-guestagent.conf.sample DEFAULT rabbit_password $RABBIT_PASSWORD |
152 | 153 |
sed -i "s/localhost/$NETWORK_GATEWAY/g" $TROVE_LOCAL_CONF_DIR/trove-guestagent.conf.sample |
153 | 154 |
|
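Review bot: New line 151 writes the shared $RABBIT_USERID into trove-guestagent.conf.sample next to the password already written below it; if, as the filename suggests, this sample is what ends up inside guest database instances, every guest VM then holds the same account that rabbit_setuser grants `.*` configure/write/read on the default vhost — the account the control-plane services use. That is presumably the pre-existing devstack trade-off rather than something this change introduces, but a comment would stop it being copied into a real deployment: `# NOTE: guest agents share the control-plane broker account; a production deployment should give guests a separate, restricted user and vhost`. The enclosing configure_trove starts and ends outside this hunk.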
... | ... |
@@ -158,6 +160,7 @@ function configure_trove { |
158 | 158 |
if is_service_enabled tr-tmgr; then |
159 | 159 |
TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_PROTOCOL://$KEYSTONE_AUTH_HOST:$KEYSTONE_AUTH_PORT//v$IDENTITY_API_VERSION |
160 | 160 |
|
161 |
+ iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
161 | 162 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
162 | 163 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove` |
163 | 164 |
iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT taskmanager_manager trove.taskmanager.manager.Manager |
... | ... |
@@ -173,6 +176,7 @@ function configure_trove { |
173 | 173 |
|
174 | 174 |
# (Re)create trove conductor conf file if needed |
175 | 175 |
if is_service_enabled tr-cond; then |
176 |
+ iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT rabbit_userid $RABBIT_USERID |
|
176 | 177 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT rabbit_password $RABBIT_PASSWORD |
177 | 178 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT sql_connection `database_connection_url trove` |
178 | 179 |
iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT nova_proxy_admin_user radmin |
... | ... |
@@ -429,6 +429,7 @@ initialize_database_backends && echo "Using $DATABASE_TYPE database backend" || |
429 | 429 |
|
430 | 430 |
# Rabbit connection info |
431 | 431 |
if is_service_enabled rabbit; then |
432 |
+ RABBIT_USERID=${RABBIT_USERID:-stackrabbit} |
|
432 | 433 |
RABBIT_HOST=${RABBIT_HOST:-$SERVICE_HOST} |
433 | 434 |
read_password RABBIT_PASSWORD "ENTER A PASSWORD TO USE FOR RABBIT." |
434 | 435 |
fi |