From 40a45b9751c9a89603a94e0b1ba7d70d061d3222 Mon Sep 17 00:00:00 2001
From: Pete Birley
Date: Tue, 17 Apr 2018 09:35:14 -0500
Subject: [PATCH] RabbitMQ: Add vHost management and improve security

This PS adds vhost management to rabbitmq jobs. It also prevents sensitive information being displayed in the management job, and removes the 'administrator' tag from service users.

Change-Id: Id337f763c5e4776bce7269676a8a2dc54dc2e5f8
---
 barbican/values.yaml | 2 +-
 ceilometer/values.yaml | 2 +-
 cinder/values.yaml | 2 +-
 congress/values.yaml | 2 +-
 glance/values.yaml | 2 +-
 heat/values.yaml | 2 +-
 .../templates/scripts/_rabbit-init.sh.tpl | 87 +++++++++++--------
 ironic/values.yaml | 2 +-
 keystone/values.yaml | 2 +-
 magnum/values.yaml | 2 +-
 mistral/values.yaml | 2 +-
 neutron/values.yaml | 2 +-
 nova/values.yaml | 2 +-
 senlin/values.yaml | 2 +-
 14 files changed, 62 insertions(+), 51 deletions(-)

diff --git a/barbican/values.yaml b/barbican/values.yaml
index ca8b0c43bc..556fbe1f2e 100644
--- a/barbican/values.yaml
+++ b/barbican/values.yaml
@@ -489,7 +489,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /barbican
 scheme: rabbit
 port:
 amqp:
diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml
index 945c4cf10d..8179b853c0 100644
--- a/ceilometer/values.yaml
+++ b/ceilometer/values.yaml
@@ -1780,7 +1780,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /ceilometer
 scheme: rabbit
 port:
 amqp:
diff --git a/cinder/values.yaml b/cinder/values.yaml
index 6207e9f41e..51d58848db 100644
--- a/cinder/values.yaml
+++ b/cinder/values.yaml
@@ -1053,7 +1053,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /cinder
 scheme: rabbit
 port:
 amqp:
diff --git a/congress/values.yaml b/congress/values.yaml
index 20c635a181..615dac6e35 100644
--- a/congress/values.yaml
+++ b/congress/values.yaml
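Review bot: The `path` change in the barbican hunk gives the service its own vhost, but on a deployment upgraded in place the service user keeps the `configure/write/read=".*"` grant the previous init run made on `/`, since nothing in this change revokes it; the same applies to the ceilometer, cinder, congress, glance, heat, ironic, magnum, mistral, neutron, nova and senlin hunks, and to keystone, whose user keeps its grant on `/openstack`. A comment next to the new value, or a release note, should tell operators to drop the stale permission (`rabbitmqadmin delete permission vhost=/ user=<service user>`) so the per-vhost isolation this change introduces also holds for upgraded environments.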
@@ -269,7 +269,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /congress
 scheme: rabbit
 port:
 amqp:
diff --git a/glance/values.yaml b/glance/values.yaml
index e842a13bdb..f766a8bfa5 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -543,7 +543,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /glance
 scheme: rabbit
 port:
 amqp:
diff --git a/heat/values.yaml b/heat/values.yaml
index 123110a649..1883e93efc 100644
--- a/heat/values.yaml
+++ b/heat/values.yaml
@@ -556,7 +556,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /heat
 scheme: rabbit
 port:
 amqp:
diff --git a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
index 6c45dba444..e54442df71 100644
--- a/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
+++ b/helm-toolkit/templates/scripts/_rabbit-init.sh.tpl
@@ -16,52 +16,63 @@ limitations under the License. {{- define "helm-toolkit.scripts.rabbit_init" }} #!/bin/bash -set -ex - +set -e # Extract connection details -RABBIT_HOSTNAME=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $2}' \ - | awk -F'[:/]' '{print $1}'` -RABBIT_PORT=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $2}' \ - | awk -F'[:/]' '{print $2}'` +RABBIT_HOSTNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $1}') +RABBIT_PORT=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $2}') # Extract Admin User creadential -RABBITMQ_ADMIN_USERNAME=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $1}' \ - | awk -F'[//:]' '{print $4}'` -RABBITMQ_ADMIN_PASSWORD=`echo $RABBITMQ_ADMIN_CONNECTION | awk -F'[@]' '{print $1}' \ - | awk -F'[//:]' '{print $5}'` +RABBITMQ_ADMIN_USERNAME=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $4}') +RABBITMQ_ADMIN_PASSWORD=$(echo "${RABBITMQ_ADMIN_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $5}') # Extract User creadential -RABBITMQ_USERNAME=`echo $RABBITMQ_USER_CONNECTION | awk -F'[@]' '{print $1}' \ - | awk -F'[//:]' '{print $4}'` -RABBITMQ_PASSWORD=`echo $RABBITMQ_USER_CONNECTION | awk -F'[@]' '{print $1}' \ - | awk -F'[//:]' '{print $5}'` +RABBITMQ_USERNAME=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $4}') +RABBITMQ_PASSWORD=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $1}' | \ + awk -F'[//:]' '{print $5}') -# Using admin creadential, list current rabbitmq users -rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ - --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \ - list users +# Extract User vHost +RABBITMQ_VHOST=$(echo "${RABBITMQ_USER_CONNECTION}" | \ + awk -F'[@]' '{print $2}' | \ + awk -F'[:/]' '{print $3}') -# if user already 
exist, credentials will be overwritten -# Using admin creadential, adding new admin rabbitmq user" -rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ - --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \ - declare user name=$RABBITMQ_USERNAME password=$RABBITMQ_PASSWORD \ - tags="administrator" +function rabbitmqadmin_cli () { + rabbitmqadmin \ + --host="${RABBIT_HOSTNAME}" \ + --port="${RABBIT_PORT}" \ + --username="${RABBITMQ_ADMIN_USERNAME}" \ + --password="${RABBITMQ_ADMIN_PASSWORD}" \ + ${@} +} -# Declare permissions for new user -rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ - --username=$RABBITMQ_ADMIN_USERNAME --password=$RABBITMQ_ADMIN_PASSWORD \ - declare permission vhost="/" user=$RABBITMQ_USERNAME \ - configure=".*" write=".*" read=".*" +echo "Managing: User: ${RABBITMQ_USERNAME}" +rabbitmqadmin_cli \ + declare user \ + name="${RABBITMQ_USERNAME}" \ + password="${RABBITMQ_PASSWORD}" \ + tags="user" -# Using new user creadential, list current rabbitmq users -rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ - --username=$RABBITMQ_USERNAME --password=$RABBITMQ_PASSWORD \ - list users - -# Using new user creadential, list permissions -rabbitmqadmin --host=$RABBIT_HOSTNAME --port=$RABBIT_PORT \ - --username=$RABBITMQ_USERNAME --password=$RABBITMQ_PASSWORD \ - list permissions +echo "Managing: vHost: ${RABBITMQ_VHOST}" +rabbitmqadmin_cli \ + declare vhost \ + name="${RABBITMQ_VHOST}" +echo "Managing: Permissions: ${RABBITMQ_USERNAME} on ${RABBITMQ_VHOST}" +rabbitmqadmin_cli \ + declare permission \ + vhost="${RABBITMQ_VHOST}" \ + user="${RABBITMQ_USERNAME}" \ + configure=".*" \ + write=".*" \ + read=".*" {{- end }} diff --git a/ironic/values.yaml b/ironic/values.yaml index 9c9a966758..bafdfe4e6a 100644 --- a/ironic/values.yaml +++ b/ironic/values.yaml @@ -394,7 +394,7 @@ endpoints: default: rabbitmq host_fqdn_override: default: null - path: / + path: /ironic scheme: rabbit port: amqp: 
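Review bot: `${@}` in the new `rabbitmqadmin_cli` helper is unquoted, so every argument is re-split on whitespace and glob-expanded before it reaches rabbitmqadmin; a generated password containing a space or `*` would arrive as several words, so it should be `"$@"`. The `RABBITMQ_VHOST` extraction (`awk -F'[:/]' '{print $3}'`) yields an empty string when the user connection ends in a bare `/` (the default `path` of any chart not updated here) and, presumably, when the URL carries no port, after which `declare vhost name=""` runs under `set -e`; a guard such as `if [ -z "${RABBITMQ_VHOST}" ]; then RABBITMQ_VHOST="/"; fi` placed before the declares would preserve the previous behaviour for those charts. Dropping `-x` stops the credentials from being traced into the job log, but they are still passed as `--password=` and `password=` command-line arguments and so remain readable from the process table inside the pod for the duration of each call; if the image's rabbitmqadmin supports its `--config` file, moving the admin credentials there would close that gap, and a short comment stating the remaining exposure would help either way.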
diff --git a/keystone/values.yaml b/keystone/values.yaml
index cbc94976c4..deeec7013e 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -831,7 +831,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /openstack
+path: /keystone
 scheme: rabbit
 port:
 amqp:
diff --git a/magnum/values.yaml b/magnum/values.yaml
index ce3d847319..cd88b102ca 100644
--- a/magnum/values.yaml
+++ b/magnum/values.yaml
@@ -303,7 +303,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /magnum
 scheme: rabbit
 port:
 amqp:
diff --git a/mistral/values.yaml b/mistral/values.yaml
index 405f38c6b7..ed26eb1bab 100644
--- a/mistral/values.yaml
+++ b/mistral/values.yaml
@@ -240,7 +240,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /mistral
 scheme: rabbit
 port:
 amqp:
diff --git a/neutron/values.yaml b/neutron/values.yaml
index 8c726bd44d..7569e2e0d1 100644
--- a/neutron/values.yaml
+++ b/neutron/values.yaml
@@ -1500,7 +1500,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /neutron
 scheme: rabbit
 port:
 amqp:
diff --git a/nova/values.yaml b/nova/values.yaml
index a18d1482d9..c02e16b8ab 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -1156,7 +1156,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /nova
 scheme: rabbit
 port:
 amqp:
diff --git a/senlin/values.yaml b/senlin/values.yaml
index 66414971c9..f638ecbc96 100644
--- a/senlin/values.yaml
+++ b/senlin/values.yaml
@@ -316,7 +316,7 @@ endpoints:
 default: rabbitmq
 host_fqdn_override:
 default: null
-path: /
+path: /senlin
 scheme: rabbit
 port:
 amqp: