Bug 1252083

Summary: Secure rabbitmq installation for overcloud
Product: Red Hat OpenStack
Reporter: Giulio Fidente <gfidente>
Component: openstack-tripleo-heat-templates
Assignee: Giulio Fidente <gfidente>
Status: CLOSED ERRATA
QA Contact: Udi Shkalim <ushkalim>
Severity: unspecified
Priority: high
Version: 7.0 (Kilo)
CC: calfonso, dnavale, gfidente, mburns, mcornea, rhel-osp-director-maint, security-response-team, yeylon, yprokule
Target Milestone: y2
Keywords: Security, Triaged, ZStream
Target Release: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Previously, the provided input for the default RabbitMQ username and password was not used when configuring RabbitMQ. The default credentials for RabbitMQ did not honor the user input. With this update, the user input is now consumed to configure the default RabbitMQ credentials. As a result, the RabbitMQ credentials can now be configured using the user input and are distributed appropriately to all OpenStack clients.
Clone Of: 1252081
: 1252087
Last Closed: 2015-12-21 16:48:22 UTC
Type: Bug

Description Giulio Fidente 2015-08-10 16:40:10 UTC
Description of problem:
RabbitMQ instances running on the overcloud can be accessed by anyone who knows their IPs with the default RabbitMQ credentials.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch

Comment 6 chris alfonso 2015-09-30 17:00:34 UTC
*** Bug 1265808 has been marked as a duplicate of this bug. ***

Comment 8 Udi Shkalim 2015-12-07 15:42:21 UTC
Hi Giulio,

How can we verify this one? Any steps to reproduce?

Thanks

Comment 9 Giulio Fidente 2015-12-07 16:26:29 UTC
Hi Udi,

You should be able to customize both the default RabbitMQ username and password by providing the following two params (merged into a custom environment file passed with -e at deployment time):

parameter_defaults:
  RabbitUserName: myuser
  RabbitPassword: mypassword

Those values should be reflected in the rabbitmq.config file (on the controller nodes) and in the various OpenStack services' config files.

Comment 10 Udi Shkalim 2015-12-07 17:14:18 UTC
Thanks Giulio

Verified on ospd 7.2 
openstack-tripleo-heat-templates-0.8.6-87.el7ost.noarch

Deploy command:
openstack overcloud deploy --templates --control-scale 3 --compute-scale 1 --ntp-server 10.11.160.238 --timeout 90 -e /home/stack/rabbit.yaml

[stack@instack ~]$ cat rabbit.yaml 
parameter_defaults:
   RabbitUserName: "foo"
   RabbitPassword: "bar"

Deployment Passed successfully

[root@overcloud-controller-0 ~]# rabbitmqctl list_permissions
Listing permissions in vhost "/" ...
foo	.*	.*	.*
...done.
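
Added example, not part of the bug report or the project's code: a shell check that automates the verification in comment 10 and also confirms the user name reached rabbitmq.config, as comment 9 describes. It assumes the stock RabbitMQ account name guest and the {default_user, <<"name">>} form in rabbitmq.config; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: works on captured output and config text, not a live broker.

# User names from `rabbitmqctl list_permissions` output on stdin. The banner
# and "...done." trailer have no tab-separated fields, so they are skipped.
perm_users() {
    awk -F '\t' 'NF >= 4 { print $1 }'
}

# default_user value from rabbitmq.config text on stdin.
# Assumption: the binary-string form {default_user, <<"name">>}.
config_default_user() {
    sed -n 's/.*{default_user,[[:space:]]*<<"\([^"]*\)">>}.*/\1/p'
}

# check_rabbit_creds EXPECTED PERMS_FILE CONFIG_FILE
# Succeeds only if EXPECTED holds permissions, the stock "guest" account holds
# none, and rabbitmq.config names EXPECTED as default_user.
check_rabbit_creds() {
    expected=$1; perms=$2; config=$3
    users=$(perm_users < "$perms")
    if printf '%s\n' "$users" | grep -qx 'guest'; then
        echo "FAIL: stock guest account still has permissions"; return 1
    fi
    if ! printf '%s\n' "$users" | grep -qxF -- "$expected"; then
        echo "FAIL: $expected has no permissions"; return 1
    fi
    if [ "$(config_default_user < "$config")" != "$expected" ]; then
        echo "FAIL: default_user in config is not $expected"; return 1
    fi
    echo "OK: $expected configured, guest absent"
}

# Constructed sample data: list_permissions output in the format shown in
# comment 10 (fixed and unfixed), and a minimal rabbitmq.config fragment.
demo_dir=$(mktemp -d)
printf 'Listing permissions in vhost "/" ...\nfoo\t.*\t.*\t.*\n...done.\n' > "$demo_dir/perms_fixed"
printf 'Listing permissions in vhost "/" ...\nguest\t.*\t.*\t.*\n...done.\n' > "$demo_dir/perms_default"
printf '[{rabbit, [\n  {default_user, <<"foo">>},\n  {default_pass, <<"bar">>}\n]}].\n' > "$demo_dir/rabbitmq.config"
check_rabbit_creds foo "$demo_dir/perms_fixed" "$demo_dir/rabbitmq.config"
check_rabbit_creds foo "$demo_dir/perms_default" "$demo_dir/rabbitmq.config" || true
```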

Comment 13 errata-xmlrpc 2015-12-21 16:48:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2650