Bug 1252083 - Secure rabbitmq installation for overcloud
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: y2
: 7.0 (Kilo)
Assignee: Giulio Fidente
QA Contact: Udi Shkalim
URL:
Whiteboard:
Duplicates: 1265808
Depends On:
Blocks:
 
Reported: 2015-08-10 16:40 UTC by Giulio Fidente
Modified: 2023-02-22 23:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the provided input for the default RabbitMQ username and password was not used when configuring RabbitMQ. The default credentials for RabbitMQ did not honor the user input. With this update, the user input is now consumed to configure the default RabbitMQ credentials. As a result, the RabbitMQ credentials can now be configured using the user input and are distributed appropriately to all OpenStack clients.
Clone Of: 1252081
: 1252087 (view as bug list)
Environment:
Last Closed: 2015-12-21 16:48:22 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 243754 | 0 | None | None | None | Never
Red Hat Product Errata | RHSA-2015:2650 | 0 | normal | SHIPPED_LIVE | Moderate: Red Hat Enterprise Linux OpenStack Platform 7 director update | 2015-12-21 21:44:54 UTC

Description Giulio Fidente 2015-08-10 16:40:10 UTC
Description of problem:
RabbitMQ instances running on the overcloud can be accessed by anyone who knows their IPs with the default RabbitMQ credentials.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch

Comment 6 chris alfonso 2015-09-30 17:00:34 UTC
*** Bug 1265808 has been marked as a duplicate of this bug. ***

Comment 8 Udi Shkalim 2015-12-07 15:42:21 UTC
Hi Giulio,

How can we verify this one? Any steps to reproduce?

Thanks

Comment 9 Giulio Fidente 2015-12-07 16:26:29 UTC
Hi Udi,

You should be able to customize both the default RabbitMQ username and password by providing the following two params (merged into a custom environment file passed with -e at deployment time):

parameter_defaults:
  RabbitUserName: myuser
  RabbitPassword: mypassword

Those values should get reflected in the rabbitmq.config file (on the controller nodes) and in the various OpenStack services' config files.

Comment 10 Udi Shkalim 2015-12-07 17:14:18 UTC
Thanks Giulio

Verified on ospd 7.2 
openstack-tripleo-heat-templates-0.8.6-87.el7ost.noarch

Deploy command:
openstack overcloud deploy --templates --control-scale 3 --compute-scale 1 --ntp-server 10.11.160.238 --timeout 90 -e /home/stack/rabbit.yaml

[stack@instack ~]$ cat rabbit.yaml 
parameter_defaults:
   RabbitUserName: "foo"
   RabbitPassword: "bar"

Deployment Passed successfully

[root@overcloud-controller-0 ~]# rabbitmqctl list_permissions
Listing permissions in vhost "/" ...
foo	.*	.*	.*
...done.
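
A scripted form of the verification in comments 9 and 10, as an added example that is not part of the original bug report or the project's code. The function names are hypothetical, the sample rabbitmqctl output is constructed, and `guest` is assumed to be the stock RabbitMQ default account that the fix is meant to replace.

```shell
#!/bin/sh
# Added example: check that the custom RabbitMQ user from the environment
# file is the one holding permissions, and that the default account is not.

# Extract RabbitUserName from a TripleO environment file (parameter_defaults).
env_rabbit_user() {
    sed -n 's/^[[:space:]]*RabbitUserName:[[:space:]]*//p' "$1" | tr -d "\"'" | head -n 1
}

# Read `rabbitmqctl list_permissions` output on stdin and print user names.
# Data rows are tab-separated; the "Listing permissions ..." banner, the
# "...done." trailer and a newer-style "user" column header are skipped.
permission_users() {
    awk -F '\t' 'NF >= 4 && $1 != "user" { print $1 }'
}

# $1 = expected user, stdin = list_permissions output.
# Returns 0 only if $1 holds permissions and "guest" does not.
check_rabbit_users() {
    [ -n "$1" ] || { echo "FAIL: no expected user given"; return 2; }
    users=$(permission_users)
    printf '%s\n' "$users" | grep -qxF -- "$1" ||
        { echo "FAIL: $1 has no permissions"; return 1; }
    if printf '%s\n' "$users" | grep -qxF 'guest'; then
        echo "FAIL: default guest account still has permissions"
        return 1
    fi
    echo "OK: permissions held by custom user $1, guest absent"
}

# Constructed sample outputs: after the fix, and with the default account.
sample_fixed()   { printf 'Listing permissions in vhost "/" ...\nfoo\t.*\t.*\t.*\n...done.\n'; }
sample_default() { printf 'Listing permissions in vhost "/" ...\nguest\t.*\t.*\t.*\n...done.\n'; }

# Demo on the constructed sample. On a controller node, pipe the real
# command instead: rabbitmqctl list_permissions | check_rabbit_users foo
sample_fixed | check_rabbit_users foo
```

The environment file lives on the undercloud and rabbitmqctl runs on the controllers, so read the user name with `env_rabbit_user` first and pass it to the check on each controller.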

Comment 13 errata-xmlrpc 2015-12-21 16:48:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:2650
