Bug 733481 - need base db new feature or feature update for Aviary SSL config
Summary: need base db new feature or feature update for Aviary SSL config
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: condor-wallaby-base-db
Version: Development
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: 2.1
: ---
Assignee: Robert Rati
QA Contact: Daniel Horák
URL:
Whiteboard:
Depends On:
Blocks: 743350
TreeView+ depends on / blocked
 
Reported: 2011-08-25 19:14 UTC by Pete MacKinnon
Modified: 2012-03-01 11:28 UTC (History)
4 users (show)

Fixed In Version: condor-wallaby-base-db-1.15-1
Doc Type: Bug Fix
Doc Text:
Previously, configuration scheme of secure communications for the Aviary web service and the query server using remote configuration required users to add new parameters and features to the database manually. With this update, the SSLEnabledAviaryScheduler and SSLEnabledQueryServer features have been added to the base-db and configuration for secure communication in Aviary and query server through remote configuration is now easily accomplished.
Clone Of:
Environment:
Last Closed: 2012-01-23 17:28:42 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2012:0045 normal SHIPPED_LIVE Red Hat Enterprise MRG Grid 2.1 bug fix and enhancement update 2012-01-23 22:22:58 UTC

Description Pete MacKinnon 2011-08-25 19:14:21 UTC
Need 5 new config parameters added to the base db for Aviary SSL support.

The paths shown are the standard directories for openssl on Fedora and RHEL.

AVIARY_SSL = False
AVIARY_SSL_SERVER_CERT = /etc/pki/tls/certs/server.crt
AVIARY_SSL_SERVER_KEY = /etc/pki/tls/certs/server.key
AVIARY_SSL_CA_DIR = /etc/pki/tls/certs
AVIARY_SSL_CA_FILE = /etc/pki/tls/certs/ca-bundle.crt

Comment 1 Pete MacKinnon 2011-08-26 18:37:02 UTC
AVIARY_SSL
conflicts = none
default_val = False
depends = none
description = "Enable HTTPS mutual authentication in Aviary"
kind = boolean
level = ?
must_change = no
needs_restart = yes

Comment 2 Robert Rati 2011-08-29 18:15:44 UTC
Changes to the db:

Parameter "AVIARY_SSL":
Name: AVIARY_SSL
Type: Boolean
Default: False
Description: Enable HTTPS mutual authentication in Aviary
MustChange: False
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_SERVER_CERT":
Name: AVIARY_SSL_SERVER_CERT
Type: String
Default: 
Description: Path to Aviary SSL server certificate
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_SERVER_KEY":
Name: AVIARY_SSL_SERVER_KEY
Type: String
Default: 
Description: Path to Aviary SSL server private key
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_CA_DIR":
Name: AVIARY_SSL_CA_DIR
Type: String
Default: 
Description: Path to Aviary SSL CA directory
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_CA_FILE":
Name: AVIARY_SSL_CA_FILE
Type: String
Default: 
Description:Parameter "AVIARY_SSL":
Name: AVIARY_SSL
Type: Boolean
Default: False
Description: Enable HTTPS mutual authentication in Aviary
MustChange: False
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_SERVER_CERT":
Name: AVIARY_SSL_SERVER_CERT
Type: String
Default: 
Description: Path to Aviary SSL server certificate
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_SERVER_KEY":
Name: AVIARY_SSL_SERVER_KEY
Type: String
Default: 
Description: Path to Aviary SSL server private key
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_CA_DIR":
Name: AVIARY_SSL_CA_DIR
Type: String
Default: 
Description: Path to Aviary SSL CA directory
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Parameter "AVIARY_SSL_CA_FILE":
Name: AVIARY_SSL_CA_FILE
Type: String
Default: 
Description: Path to Aviary SSL CA file
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Feature "SecureAviaryScheduler":
Feature ID: 47
Name: SecureAviaryScheduler
Included Parameters:
  AVIARY_SSL_CA_FILE = 
  AVIARY_SSL_SERVER_CERT = 
  AVIARY_SSL_CA_DIR = /etc/pki/tls/certs
  AVIARY_SSL = True
  AVIARY_SSL_SERVER_KEY = 
Included Features:
  0: AviaryScheduler
Conflicts:
Dependencies:
 Path to Aviary SSL CA file
MustChange: True
VisibilityLevel: 0
RequiresRestart: True
Dependencies:
Conflicts:

Feature "SecureAviaryScheduler":
Feature ID: 47
Name: SecureAviaryScheduler
Included Parameters:
  AVIARY_SSL_CA_FILE = (uses default)
  AVIARY_SSL_SERVER_CERT =  (uses default)
  AVIARY_SSL_CA_DIR = /etc/pki/tls/certs
  AVIARY_SSL = True
  AVIARY_SSL_SERVER_KEY = (uses default)
Included Features:
  0: AviaryScheduler
Conflicts:
Dependencies:

Comment 3 Robert Rati 2011-08-29 18:55:05 UTC
Updated:
Feature "SecureAviaryScheduler":
Feature ID: 47
Name: SecureAviaryScheduler
Included Parameters:
  AVIARY_SSL_CA_FILE = (uses default)
  AVIARY_SSL_SERVER_CERT =  (uses default)
  AVIARY_SSL_CA_DIR = (uses default)
  AVIARY_SSL = True
  AVIARY_SSL_SERVER_KEY = (uses default)
Included Features:
  0: AviaryScheduler
Conflicts:
Dependencies:

Comment 4 Robert Rati 2011-08-29 19:20:37 UTC
Pushed upstream on branch:
BZ733481-Aviary-SSL

Comment 5 Robert Rati 2011-09-06 20:09:56 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
C: Configuration of secure communications for aviary and query server using remote configuration
C: Parameters and features would need to be added to be database by the user.
F: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db
R: Configuration of secure communications for aviary and query server through remote configuration is easily accomplished.

Comment 6 Robert Rati 2011-09-06 20:12:12 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1,4 @@
 C: Configuration of secure communications for aviary and query server using remote configuration
 C: Parameters and features would need to be added to be database by the user.
-F: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db
+C: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db
 R: Configuration of secure communications for aviary and query server through remote configuration is easily accomplished.

Comment 8 Daniel Horák 2011-10-17 11:37:02 UTC
Verified on RHEL 5.7 i386 on condor-wallaby-base-db-1.16-2:
SSLEnabledAviaryScheduler and SSLEnabledQueryServer with config parameters AVIARY_SSL, AVIARY_SSL_SERVER_CERT, AVIARY_SSL_SERVER_KEY, AVIARY_SSL_CA_DIR and AVIARY_SSL_CA_FILE was added to base-db.

# condor_configure_store -l -f SSLEnabledAviaryScheduler,SSLEnabledQueryServer
  Feature "SSLEnabledAviaryScheduler":
  Feature ID: 34
  Name: SSLEnabledAviaryScheduler
  Included Parameters:
    SCHEDD.AVIARY_SSL = True
    SCHEDD.AVIARY_SSL_SERVER_CERT = 
    SCHEDD.AVIARY_SSL_CA_DIR = 
    SCHEDD.AVIARY_SSL_CA_FILE = 
    SCHEDD.AVIARY_SSL_SERVER_KEY = 
  Included Features:
    0: AviaryScheduler
  Conflicts:
  Dependencies:

  Feature "SSLEnabledQueryServer":
  Feature ID: 2
  Name: SSLEnabledQueryServer
  Included Parameters:
    QUERY_SERVER.AVIARY_SSL = True
    QUERY_SERVER.AVIARY_SSL_CA_FILE = 
    QUERY_SERVER.AVIARY_SSL_CA_DIR = 
    QUERY_SERVER.AVIARY_SSL_SERVER_KEY = 
    QUERY_SERVER.AVIARY_SSL_SERVER_CERT = 
  Included Features:
    0: QueryServer
  Conflicts:
  Dependencies:


# condor_configure_pool -n $(hostname) -a -f SSLEnabledAviaryScheduler
  Apply these changes [Y/n] ? y
  The following parameters need to be set for this configuration to be valid.
  SCHEDD.AVIARY_SSL_CA_DIR
  SCHEDD.AVIARY_SSL_CA_FILE
  SCHEDD.AVIARY_SSL_SERVER_CERT
  SCHEDD.AVIARY_SSL_SERVER_KEY
  Set these parameters now ? [y/N] y
  SCHEDD.AVIARY_SSL_CA_DIR: /etc/pki/tls/certs
  SCHEDD.AVIARY_SSL_CA_FILE: /etc/pki/tls/certs/ca-bundle.crt
  SCHEDD.AVIARY_SSL_SERVER_CERT: /etc/pki/tls/certs/server.crt
  SCHEDD.AVIARY_SSL_SERVER_KEY: /etc/pki/tls/certs/server.key
  Configuration applied
  Create a named snapshot of this configuration [y/N] ?  
  Activate the changes [y/N] ? y
  Activating configuration.  This may take a while, please be patient
  The configuration is not valid
  Node: dhcp-37-137.lab.eng.brq.redhat.com
  Unsatisfied feature dependencies:
    BaseJobExecuter
    BaseScheduler
    Master
    NodeAccess
  Configuration not activated

# condor_configure_pool -n $(hostname) -a -f BaseJobExecuter,BaseScheduler,Master,NodeAccess
  Apply these changes [Y/n] ? y
  The following parameters need to be set for this configuration to be valid.
  ALLOW_READ
  ALLOW_WRITE
  CONDOR_HOST
  Set these parameters now ? [y/N] y
  ALLOW_READ: *
  ALLOW_WRITE: *
  CONDOR_HOST: dhcp-37-137.lab.eng.brq.redhat.com
  Configuration applied
  Create a named snapshot of this configuration [y/N] ? 
  Activate the changes [y/N] ? y
  Activating configuration.  This may take a while, please be patient
  Configuration activated
  Configuration saved

# condor_config_val SCHEDD.AVIARY_SSL
  True
# condor_config_val SCHEDD.AVIARY_SSL_SERVER_CERT
  /etc/pki/tls/certs/server.crt
# condor_config_val SCHEDD.AVIARY_SSL_CA_DIR
  /etc/pki/tls/certs
# condor_config_val SCHEDD.AVIARY_SSL_CA_FILE
  /etc/pki/tls/certs/ca-bundle.crt
# condor_config_val SCHEDD.AVIARY_SSL_SERVER_KEY
  /etc/pki/tls/certs/server.key


Output on RHEL 5.7 x86_64, RHEL 6.1 i386 and RHEL 6.1 x86_64 and with feature SSLEnabledQueryServer is similar.


>>> VERIFIED

Comment 9 Tomas Capek 2011-11-16 15:25:02 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,4 +1 @@
-C: Configuration of secure communications for aviary and query server using remote configuration
+Previously, configuration scheme of secure communications for the Aviary web service and the query server using remote configuration required users to add new parameters and features to the database manually. With this update, the SSLEnabledAviaryScheduler and SSLEnabledQueryServer components have been added in the base-db and configuration for secure communication in Aviary and query server through remote configuration is now easily accomplished.-C: Parameters and features would need to be added to be database by the user.
-C: Created SSLEnabledAviaryScheduler and SSLEnabledQueryServer in the base-db
-R: Configuration of secure communications for aviary and query server through remote configuration is easily accomplished.

Comment 10 Tomas Capek 2011-11-16 15:55:06 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Previously, configuration scheme of secure communications for the Aviary web service and the query server using remote configuration required users to add new parameters and features to the database manually. With this update, the SSLEnabledAviaryScheduler and SSLEnabledQueryServer components have been added in the base-db and configuration for secure communication in Aviary and query server through remote configuration is now easily accomplished.+Previously, configuration scheme of secure communications for the Aviary web service and the query server using remote configuration required users to add new parameters and features to the database manually. With this update, the SSLEnabledAviaryScheduler and SSLEnabledQueryServer features have been added to the base-db and configuration for secure communication in Aviary and query server through remote configuration is now easily accomplished.

Comment 11 errata-xmlrpc 2012-01-23 17:28:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0045.html


Note You need to log in before you can comment on or make changes to this bug.