Bug 1252083 - Secure rabbitmq installation for overcloud
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified Unspecified
Priority: high
Severity: unspecified
Target Milestone: y2
Target Release: 7.0 (Kilo)
Assigned To: Giulio Fidente
QA Contact: Udi Shkalim
Keywords: Security, Triaged, ZStream
Duplicates: 1265808
Depends On:
Blocks:
Reported: 2015-08-10 12:40 EDT by Giulio Fidente
Modified: 2016-04-26 16:08 EDT
CC List: 10 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the provided input for the default RabbitMQ username and password was not used when configuring RabbitMQ. The default credentials for RabbitMQ did not honor the user input. With this update, the user input is now consumed to configure the default RabbitMQ credentials. As a result, the RabbitMQ credentials can now be configured using the user input and are distributed appropriately to all OpenStack clients.
Story Points: ---
Clone Of: 1252081
Clones: 1252087
Environment:
Last Closed: 2015-12-21 11:48:22 EST
Type: Bug

External Trackers:
OpenStack gerrit 243754 (Priority: None, Status: None, Summary: None, Last Updated: Never)

Description Giulio Fidente 2015-08-10 12:40:10 EDT
Description of problem:
RabbitMQ instances running on the overcloud can be accessed by anyone who knows their IPs with the default RabbitMQ credentials.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch
Comment 6 chris alfonso 2015-09-30 13:00:34 EDT
*** Bug 1265808 has been marked as a duplicate of this bug. ***
Comment 8 Udi Shkalim 2015-12-07 10:42:21 EST
Hi Giulio,

How can we verify this one? Any steps to reproduce?

Thanks
Comment 9 Giulio Fidente 2015-12-07 11:26:29 EST
Hi Udi,

You should be able to customize both the default RabbitMQ username and password by providing the following two params (merged into a custom environment file passed with -e at deployment time):

parameter_defaults:
  RabbitUserName: myuser
  RabbitPassword: mypassword

Those values should get reflected in the rabbitmq.config file (on the controller nodes) and in the various OpenStack services' config files.
Comment 10 Udi Shkalim 2015-12-07 12:14:18 EST
Thanks Giulio

Verified on ospd 7.2 
openstack-tripleo-heat-templates-0.8.6-87.el7ost.noarch

Deploy command:
openstack overcloud deploy --templates --control-scale 3 --compute-scale 1 --ntp-server 10.11.160.238 --timeout 90 -e /home/stack/rabbit.yaml

[stack@instack ~]$ cat rabbit.yaml 
parameter_defaults:
   RabbitUserName: "foo"
   RabbitPassword: "bar"

Deployment Passed successfully

[root@overcloud-controller-0 ~]# rabbitmqctl list_permissions
Listing permissions in vhost "/" ...
foo	.*	.*	.*
...done.
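
The verification in comment 10, turned into a repeatable check. This is an added example, not part of the bug report or of openstack-tripleo-heat-templates. The `{default_user, <<"...">>}` layout of rabbitmq.config, the function names and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Audits a controller for leftover
# default RabbitMQ credentials after deploying with RabbitUserName/RabbitPassword.
# Assumption: rabbitmq.config holds {default_user, <<"...">>} style Erlang terms.

# Print the value of a <<"...">> key from rabbitmq.config text on stdin.
config_value() {
    sed -n "s/.*{[[:space:]]*${1}[[:space:]]*,[[:space:]]*<<\"\\([^\"]*\\)\">>.*/\\1/p" | head -n 1
}

# Print user names from `rabbitmqctl list_permissions` output on stdin;
# only the tab-separated rows count, the banner and "...done." are skipped.
permission_users() {
    awk -F '\t' 'NF >= 4 { print $1 }'
}

# audit_rabbit CONFIG_FILE PERMISSIONS_FILE: prints findings, returns 0 if clean.
audit_rabbit() {
    findings=0
    user=$(config_value default_user < "$1")
    pass=$(config_value default_pass < "$1")
    # An unset key is a finding too: RabbitMQ then falls back to guest/guest.
    if [ -z "$user" ] || [ "$user" = guest ]; then
        echo "FAIL: default_user is unset or guest"; findings=$((findings + 1))
    fi
    if [ -z "$pass" ] || [ "$pass" = guest ]; then
        echo "FAIL: default_pass is unset or guest"; findings=$((findings + 1))
    fi
    if permission_users < "$2" | grep -Fqx guest; then
        echo "FAIL: guest still holds permissions"; findings=$((findings + 1))
    fi
    if [ -n "$user" ] && ! permission_users < "$2" | grep -Fqx "$user"; then
        echo "FAIL: configured user $user has no permissions"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample input mirroring the verification in comment 10.
demo_dir=$(mktemp -d)
printf '[\n  {rabbit, [\n    {default_user, <<"foo">>},\n    {default_pass, <<"bar">>}\n  ]}\n].\n' > "$demo_dir/rabbitmq.config"
printf 'Listing permissions in vhost "/" ...\nfoo\t.*\t.*\t.*\n...done.\n' > "$demo_dir/permissions.txt"
if audit_rabbit "$demo_dir/rabbitmq.config" "$demo_dir/permissions.txt"; then
    echo "OK: no default RabbitMQ credentials found"
fi
rm -rf "$demo_dir"
```

On a controller, pass it `/etc/rabbitmq/rabbitmq.config` and the saved output of `rabbitmqctl list_permissions`. RabbitMQ applies `default_user` and `default_pass` only when it initializes a fresh database, so on a node that was already running, the permissions listing is the part that shows whether `guest` is really gone.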
Comment 13 errata-xmlrpc 2015-12-21 11:48:22 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2650
