RabbitMQ: Add vHost management and improve security

This PS adds vhost management to rabbitmq jobs. It also prevents sensitive information being displayed in the management job, and removes the 'administrator' tag from service users. Change-Id: Id337f763c5e4776bce7269676a8a2dc54dc2e5f8
2018-04-17 09:35:14 -05:00 · 2018-04-17 09:35:14 -05:00 · 40a45b9751
commit 40a45b9751
parent abb4a9410b
14 changed files with 62 additions and 51 deletions
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@ -489,7 +489,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /barbican
    scheme: rabbit
    port:
      amqp:
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@ -1780,7 +1780,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /ceilometer
    scheme: rabbit
    port:
      amqp:
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@ -1053,7 +1053,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /cinder
    scheme: rabbit
    port:
      amqp:
--- a/congress/values.yaml
+++ b/congress/values.yaml
@ -269,7 +269,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /congress
    scheme: rabbit
    port:
      amqp:
--- a/glance/values.yaml
+++ b/glance/values.yaml
@ -543,7 +543,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /glance
    scheme: rabbit
    port:
      amqp:
--- a/heat/values.yaml
+++ b/heat/values.yaml
@ -556,7 +556,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /heat
    scheme: rabbit
    port:
      amqp:
--- a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@ -16,52 +16,63 @@ limitations under the License.

 {{- define "helm-toolkit.scripts.rabbit_init" }}
 #!/bin/bash
-set -ex
-
+set -e
 # Extract connection details
-RABBIT_HOSTNAME=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $2}' \
-  | awk -F'[:/]' '{print $1}'`
-RABBIT_PORT=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $2}' \
-  | awk -F'[:/]' '{print $2}'`
+RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $1}')
+RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $2}')

 # Extract Admin User creadential
-RABBITMQ_ADMIN_USERNAME=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $1}' \
-  | awk -F'[//:]' '{print $4}'`
-RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $1}' \
-  | awk -F'[//:]' '{print $5}'`
+RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')

 # Extract User creadential
-RABBITMQ_USERNAME=`echo $RABBITMQ_USER_CONNECTION | awk -F'[@]' '{print $1}' \
-  | awk -F'[//:]' '{print $4}'`
-RABBITMQ_PASSWORD=`echo $RABBITMQ_USER_CONNECTION | awk -F'[@]' '{print $1}' \
-  | awk -F'[//:]' '{print $5}'`
+RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $4}')
+RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $1}' | \
+  awk -F'[//:]' '{print $5}')

-# Using admin creadential, list current rabbitmq users
-rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \
-  --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \
-  list users
+# Extract User vHost
+RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \
+  awk -F'[@]' '{print $2}' | \
+  awk -F'[:/]' '{print $3}')

-# if user already exist, credentials will be overwritten
-# Using admin creadential, adding new admin rabbitmq user"
-rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \
-  --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \
-  declare user name=$RABBITMQ_USERNAME password=$RABBITMQ_PASSWORD \
-  tags="administrator"
+function rabbitmqadmin_cli () {
+  rabbitmqadmin \
+    --host="${RABBIT_HOSTNAME}" \
+    --port="${RABBIT_PORT}" \
+    --username="${RABBITMQ_ADMIN_USERNAME}" \
+    --password="${RABBITMQ_ADMIN_PASSWORD}" \
+    ${@}
+}

-# Declare permissions for new user
-rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \
-  --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \
-  declare permission vhost="/" user=$RABBITMQ_USERNAME \
-  configure=".*" write=".*" read=".*"
+echo "Managing: User: ${RABBITMQ_USERNAME}"
+rabbitmqadmin_cli \
+  declare user \
+  name="${RABBITMQ_USERNAME}" \
+  password="${RABBITMQ_PASSWORD}" \
+  tags="user"

-# Using new user creadential, list current rabbitmq users
-rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \
-  --username=$RABBITMQ_USERNAME --password=$RABBITMQ_PASSWORD \
-  list users
-
-# Using new user creadential, list permissions
-rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \
-  --username=$RABBITMQ_USERNAME --password=$RABBITMQ_PASSWORD \
-  list permissions
+echo "Managing: vHost: ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare vhost \
+  name="${RABBITMQ_VHOST}"

+echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}"
+rabbitmqadmin_cli \
+  declare permission \
+  vhost="${RABBITMQ_VHOST}" \
+  user="${RABBITMQ_USERNAME}" \
+  configure=".*" \
+  write=".*" \
+  read=".*"
 {{- end }}
--- a/ironic/values.yaml
+++ b/ironic/values.yaml
@ -394,7 +394,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /ironic
    scheme: rabbit
    port:
      amqp:
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@ -831,7 +831,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /openstack
+    path: /keystone
    scheme: rabbit
    port:
      amqp:
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@ -303,7 +303,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /magnum
    scheme: rabbit
    port:
      amqp:
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@ -240,7 +240,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /mistral
    scheme: rabbit
    port:
      amqp:
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@ -1500,7 +1500,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /neutron
    scheme: rabbit
    port:
      amqp:
--- a/nova/values.yaml
+++ b/nova/values.yaml
@ -1156,7 +1156,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /nova
    scheme: rabbit
    port:
      amqp:
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@ -316,7 +316,7 @@ endpoints:
      default: rabbitmq
    host_fqdn_override:
      default: null
-    path: /
+    path: /senlin
    scheme: rabbit
    port:
      amqp: