Allow insecure SSL communications with RabbitMQ

Add insecure option to [rabbitmq] section of murano.conf

This is a partial fix because it improves Engine <-> RMQ
 communications but the same problem exists on
 Agent <-> RMQ side

 Partial-Bug: #1578421

Change-Id: I55207c3016da12be45918a7dc33795abf69627b4
Stan Lagun 2016-05-06 07:51:24 -07:00
parent d4cbcf2b4f
commit 091b4d1d18
8 changed files with 21 additions and 5 deletions


@ -96,6 +96,7 @@ Just set *ssl* parameter to True to enable ssl.
password = guest password = guest
virtual_host = / virtual_host = /
ssl = True ssl = True
insecure = False
If you want to configure Murano Agent in a different way change If you want to configure Murano Agent in a different way change
the default template. It can be found in Murano Core Library, located at *http://git.openstack.org/cgit/openstack/murano/tree/meta/io.murano/Resources/Agent-v1.template*. Take the default template. It can be found in Murano Core Library, located at *http://git.openstack.org/cgit/openstack/murano/tree/meta/io.murano/Resources/Agent-v1.template*. Take


@ -61,6 +61,7 @@ Properties:
virtual_host: $.string() or '/' virtual_host: $.string() or '/'
ssl: $.bool() or false ssl: $.bool() or false
ca_certs: $.string() or '' ca_certs: $.string() or ''
insecure: $.bool() or false
Usage: Config Usage: Config
region: region:


@ -74,6 +74,7 @@ Methods:
"%RABBITMQ_PASSWORD%": $rabbitMqParams.password "%RABBITMQ_PASSWORD%": $rabbitMqParams.password
"%RABBITMQ_VHOST%": $rabbitMqParams.virtual_host "%RABBITMQ_VHOST%": $rabbitMqParams.virtual_host
"%RABBITMQ_SSL%": str($rabbitMqParams.ssl).toLower() "%RABBITMQ_SSL%": str($rabbitMqParams.ssl).toLower()
"%RABBITMQ_INSECURE%": str($rabbitMqParams.insecure).toLower()
"%RABBITMQ_INPUT_QUEUE%": $.agent.queueName() "%RABBITMQ_INPUT_QUEUE%": $.agent.queueName()
"%RESULT_QUEUE%": $environment.agentListener.queueName() "%RESULT_QUEUE%": $environment.agentListener.queueName()
- $scriptReplacements: - $scriptReplacements:


@ -24,6 +24,9 @@ port = %RABBITMQ_PORT%
# Use SSL for RabbitMQ connections (True or False) # Use SSL for RabbitMQ connections (True or False)
ssl = %RABBITMQ_SSL% ssl = %RABBITMQ_SSL%
# Do not verify SSL certificates
insecure = %RABBITMQ_INSECURE%
# Path to SSL CA certificate or empty to allow self signed server certificate # Path to SSL CA certificate or empty to allow self signed server certificate
ca_certs = '/etc/murano/certs/ca_certs' ca_certs = '/etc/murano/certs/ca_certs'
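Review bot: The new `insecure = %RABBITMQ_INSECURE%` key is written into the agent configuration, but the commit message says the Agent <-> RMQ side is not fixed yet, so it is unclear from this page whether the agent reads the key at all. The comment above it should follow the neighbouring style and state the effect, for example `# Do not verify the RabbitMQ server certificate (True or False); this removes protection against man-in-the-middle interception`. The existing `ca_certs` comment ("empty to allow self signed server certificate") now overlaps with this option, so it is worth saying which setting decides whether verification happens.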


@ -17,7 +17,6 @@
This file is about to be deprecated, please use python-muranoclient. This file is about to be deprecated, please use python-muranoclient.
*** Deprecation warning *** *** Deprecation warning ***
""" """
import sys import sys
import traceback import traceback


@ -57,6 +57,10 @@ rabbit_opts = [
cfg.StrOpt('ca_certs', default='', cfg.StrOpt('ca_certs', default='',
help='SSL cert file (valid only if SSL enabled).'), help='SSL cert file (valid only if SSL enabled).'),
cfg.BoolOpt('insecure', default=False,
help='This option explicitly allows Murano to perform '
'"insecure" SSL connections to RabbitMQ'),
] ]
heat_opts = [ heat_opts = [
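Review bot: The help text on the new `insecure` option does not say what is switched off; "perform "insecure" SSL connections" leaves an operator guessing about the risk. I would spell it out, e.g. `help='Disable verification of the RabbitMQ server certificate (valid only if SSL enabled). The broker is then not authenticated and the connection can be intercepted.'`. The interaction with `ca_certs` deserves a sentence too, because the MqClient change in this commit treats `insecure` differently when a CA file is configured. The `rabbit_opts` list begins outside this hunk.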


@ -25,13 +25,19 @@ kombu = patcher.import_patched('kombu')
class MqClient(object): class MqClient(object):
def __init__(self, login, password, host, port, virtual_host, def __init__(self, login, password, host, port, virtual_host,
ssl=False, ca_certs=None): ssl=False, ca_certs=None, insecure=False):
ssl_params = None ssl_params = None
if ssl is True: if ssl:
cert_reqs = ssl_module.CERT_REQUIRED
if insecure:
if ca_certs:
cert_reqs = ssl_module.CERT_OPTIONAL
else:
cert_reqs = ssl_module.CERT_NONE
ssl_params = { ssl_params = {
'ca_certs': ca_certs, 'ca_certs': ca_certs,
'cert_reqs': ssl_module.CERT_REQUIRED 'cert_reqs': cert_reqs
} }
self._connection = kombu.Connection( self._connection = kombu.Connection(
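Review bot: In the `insecure` branch, `cert_reqs = ssl_module.CERT_OPTIONAL` probably relaxes nothing when `ca_certs` is set. For a client-side socket the Python `ssl` documentation gives CERT_OPTIONAL the same meaning as CERT_REQUIRED, so the broker certificate is still validated against the CA file. If that is intended (`insecure` only matters without a CA bundle), a comment such as `# with a CA file the server cert is still verified; insecure only drops verification when no CA is configured` would make it explicit. The `CERT_NONE` path disables server authentication silently, so I would log it once at connection setup, e.g. `LOG.warning('RabbitMQ SSL certificate verification is disabled (insecure=True)')`, assuming the module has or gains a logger. `__init__` continues past the end of this section.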


@ -29,6 +29,7 @@ def create_rmq_client():
'port': rabbitmq.port, 'port': rabbitmq.port,
'virtual_host': rabbitmq.virtual_host, 'virtual_host': rabbitmq.virtual_host,
'ssl': rabbitmq.ssl, 'ssl': rabbitmq.ssl,
'ca_certs': rabbitmq.ca_certs.strip() or None 'ca_certs': rabbitmq.ca_certs.strip() or None,
'insecure': rabbitmq.insecure
} }
return mqclient.MqClient(**connection_params) return mqclient.MqClient(**connection_params)