Configure an authorized user for the QPID broker
If QPID_USERNAME is set, add the user to the QPID broker's authentication database. Use the value of QPID_PASSWORD as the password for the user, prompting for a password if QPID_PASSWORD is not set. This requires that all clients provide this username and password when connecting to the QPID broker, or the connection will be rejected. If QPID_USERNAME is not set (the default), disable QPID broker authentication. This allows any client to connect to the QPID broker without needing authentication. Change-Id: Ibd79873379740930ce5f598018c1ca1fffda7c31 Closes-Bug: 1272399
This commit is contained in:
parent
8e087fa83b
commit
062a3c3e70
1
files/apts/qpid
Normal file
1
files/apts/qpid
Normal file
@ -0,0 +1 @@
|
|||||||
|
sasl2-bin # NOPRIME
|
@ -1,3 +1,4 @@
|
|||||||
qpid-proton-c-devel # NOPRIME
|
qpid-proton-c-devel # NOPRIME
|
||||||
python-qpid-proton # NOPRIME
|
python-qpid-proton # NOPRIME
|
||||||
|
cyrus-sasl-lib # NOPRIME
|
||||||
|
|
||||||
|
109
lib/rpc_backend
109
lib/rpc_backend
@ -132,39 +132,14 @@ function install_rpc_backend {
|
|||||||
# Install rabbitmq-server
|
# Install rabbitmq-server
|
||||||
install_package rabbitmq-server
|
install_package rabbitmq-server
|
||||||
elif is_service_enabled qpid; then
|
elif is_service_enabled qpid; then
|
||||||
local qpid_conf_file=/etc/qpid/qpidd.conf
|
|
||||||
if is_fedora; then
|
if is_fedora; then
|
||||||
install_package qpid-cpp-server
|
install_package qpid-cpp-server
|
||||||
if [[ $DISTRO =~ (rhel6) ]]; then
|
|
||||||
qpid_conf_file=/etc/qpidd.conf
|
|
||||||
# RHEL6 leaves "auth=yes" in /etc/qpidd.conf, it needs to
|
|
||||||
# be no or you get GSS authentication errors as it
|
|
||||||
# attempts to default to this.
|
|
||||||
sudo sed -i.bak 's/^auth=yes$/auth=no/' $qpid_conf_file
|
|
||||||
fi
|
|
||||||
elif is_ubuntu; then
|
elif is_ubuntu; then
|
||||||
install_package qpidd
|
install_package qpidd
|
||||||
sudo sed -i '/PLAIN/!s/mech_list: /mech_list: PLAIN /' /etc/sasl2/qpidd.conf
|
|
||||||
sudo chmod o+r /etc/qpid/qpidd.sasldb
|
|
||||||
else
|
else
|
||||||
exit_distro_not_supported "qpid installation"
|
exit_distro_not_supported "qpid installation"
|
||||||
fi
|
fi
|
||||||
# If AMQP 1.0 is specified, ensure that the version of the
|
_configure_qpid
|
||||||
# broker can support AMQP 1.0 and configure the queue and
|
|
||||||
# topic address patterns used by oslo.messaging.
|
|
||||||
if [ "$RPC_MESSAGING_PROTOCOL" == "AMQP1" ]; then
|
|
||||||
QPIDD=$(type -p qpidd)
|
|
||||||
if ! $QPIDD --help | grep -q "queue-patterns"; then
|
|
||||||
exit_distro_not_supported "qpidd with AMQP 1.0 support"
|
|
||||||
fi
|
|
||||||
if ! grep -q "queue-patterns=exclusive" $qpid_conf_file; then
|
|
||||||
cat <<EOF | sudo tee --append $qpid_conf_file
|
|
||||||
queue-patterns=exclusive
|
|
||||||
queue-patterns=unicast
|
|
||||||
topic-patterns=broadcast
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
elif is_service_enabled zeromq; then
|
elif is_service_enabled zeromq; then
|
||||||
# NOTE(ewindisch): Redis is not strictly necessary
|
# NOTE(ewindisch): Redis is not strictly necessary
|
||||||
# but there is a matchmaker driver that works
|
# but there is a matchmaker driver that works
|
||||||
@ -240,10 +215,9 @@ function iniset_rpc_backend {
|
|||||||
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_qpid
|
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_qpid
|
||||||
fi
|
fi
|
||||||
iniset $file $section qpid_hostname ${QPID_HOST:-$SERVICE_HOST}
|
iniset $file $section qpid_hostname ${QPID_HOST:-$SERVICE_HOST}
|
||||||
if is_ubuntu; then
|
if [ -n "$QPID_USERNAME" ]; then
|
||||||
QPID_PASSWORD=`sudo strings /etc/qpid/qpidd.sasldb | grep -B1 admin | head -1`
|
iniset $file $section qpid_username $QPID_USERNAME
|
||||||
iniset $file $section qpid_password $QPID_PASSWORD
|
iniset $file $section qpid_password $QPID_PASSWORD
|
||||||
iniset $file $section qpid_username admin
|
|
||||||
fi
|
fi
|
||||||
elif is_service_enabled rabbit || { [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; }; then
|
elif is_service_enabled rabbit || { [ -n "$RABBIT_HOST" ] && [ -n "$RABBIT_PASSWORD" ]; }; then
|
||||||
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu
|
iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu
|
||||||
@ -263,6 +237,83 @@ function qpid_is_supported {
|
|||||||
( ! is_suse )
|
( ! is_suse )
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Set up the various configuration files used by the qpidd broker
|
||||||
|
function _configure_qpid {
|
||||||
|
|
||||||
|
# the location of the configuration files have changed since qpidd 0.14
|
||||||
|
local qpid_conf_file
|
||||||
|
if [ -e /etc/qpid/qpidd.conf ]; then
|
||||||
|
qpid_conf_file=/etc/qpid/qpidd.conf
|
||||||
|
elif [ -e /etc/qpidd.conf ]; then
|
||||||
|
qpid_conf_file=/etc/qpidd.conf
|
||||||
|
else
|
||||||
|
exit_distro_not_supported "qpidd.conf file not found!"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# force the ACL file to a known location
|
||||||
|
local qpid_acl_file=/etc/qpid/qpidd.acl
|
||||||
|
if [ ! -e $qpid_acl_file ]; then
|
||||||
|
sudo mkdir -p -m 755 `dirname $qpid_acl_file`
|
||||||
|
sudo touch $qpid_acl_file
|
||||||
|
sudo chmod o+r $qpid_acl_file
|
||||||
|
fi
|
||||||
|
sudo sed -i.bak '/^acl-file=/d' $qpid_conf_file
|
||||||
|
echo "acl-file=$qpid_acl_file" | sudo tee --append $qpid_conf_file
|
||||||
|
|
||||||
|
sudo sed -i '/^auth=/d' $qpid_conf_file
|
||||||
|
if [ -z "$QPID_USERNAME" ]; then
|
||||||
|
# no QPID user configured, so disable authentication
|
||||||
|
# and access control
|
||||||
|
echo "auth=no" | sudo tee --append $qpid_conf_file
|
||||||
|
cat <<EOF | sudo tee $qpid_acl_file
|
||||||
|
acl allow all all
|
||||||
|
EOF
|
||||||
|
else
|
||||||
|
# Configure qpidd to use PLAIN authentication, and add
|
||||||
|
# QPID_USERNAME to the ACL:
|
||||||
|
echo "auth=yes" | sudo tee --append $qpid_conf_file
|
||||||
|
if [ -z "$QPID_PASSWORD" ]; then
|
||||||
|
read_password QPID_PASSWORD "ENTER A PASSWORD FOR QPID USER $QPID_USERNAME"
|
||||||
|
fi
|
||||||
|
# Create ACL to allow $QPID_USERNAME full access
|
||||||
|
cat <<EOF | sudo tee $qpid_acl_file
|
||||||
|
group admin ${QPID_USERNAME}@QPID
|
||||||
|
acl allow admin all
|
||||||
|
acl deny all all
|
||||||
|
EOF
|
||||||
|
# Add user to SASL database
|
||||||
|
if is_ubuntu; then
|
||||||
|
install_package sasl2-bin
|
||||||
|
elif is_fedora; then
|
||||||
|
install_package cyrus-sasl-lib
|
||||||
|
fi
|
||||||
|
local sasl_conf_file=/etc/sasl2/qpidd.conf
|
||||||
|
sudo sed -i.bak '/PLAIN/!s/mech_list: /mech_list: PLAIN /' $sasl_conf_file
|
||||||
|
local sasl_db=`sudo grep sasldb_path $sasl_conf_file | cut -f 2 -d ":" | tr -d [:blank:]`
|
||||||
|
if [ ! -e $sasl_db ]; then
|
||||||
|
sudo mkdir -p -m 755 `dirname $sasl_db`
|
||||||
|
fi
|
||||||
|
echo $QPID_PASSWORD | sudo saslpasswd2 -c -p -f $sasl_db -u QPID $QPID_USERNAME
|
||||||
|
sudo chmod o+r $sasl_db
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If AMQP 1.0 is specified, ensure that the version of the
|
||||||
|
# broker can support AMQP 1.0 and configure the queue and
|
||||||
|
# topic address patterns used by oslo.messaging.
|
||||||
|
if [ "$RPC_MESSAGING_PROTOCOL" == "AMQP1" ]; then
|
||||||
|
QPIDD=$(type -p qpidd)
|
||||||
|
if ! $QPIDD --help | grep -q "queue-patterns"; then
|
||||||
|
exit_distro_not_supported "qpidd with AMQP 1.0 support"
|
||||||
|
fi
|
||||||
|
if ! grep -q "queue-patterns=exclusive" $qpid_conf_file; then
|
||||||
|
cat <<EOF | sudo tee --append $qpid_conf_file
|
||||||
|
queue-patterns=exclusive
|
||||||
|
queue-patterns=unicast
|
||||||
|
topic-patterns=broadcast
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Restore xtrace
|
# Restore xtrace
|
||||||
$XTRACE
|
$XTRACE
|
||||||
|
Loading…
Reference in New Issue
Block a user