Description of problem:
when working with qpid broker in authentication mode, user/pass defined in nova.conf (or quantum.conf) aren't recognized and QPID stops working.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. in qpidd.conf set auth=yes
2. restart nova and qpidd services
nova commands don't work - no connection to QPI
from nova/api.log -
Unable to connect to AMQP server: connection-forced: Authentication failed
Commands should work fine
1. listing all users in QPID security DB:
# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
returns empty list
2. to work around this issue I had to manually insert the user/pass defined in the conf files to the QPID security DB using:
# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u QPID <user>
3. now sasldblistusers2 returns:
Should this be handled by openstack installation (packstack??) or by a nova command?
This is something that the deployment tool should handle and not nova because this should be configured for all the components using AMQP.
The same way that packstack configures the host where QPID is going to listen, it could configure the user/password parameters if requested.
Added Auth option for qpid and proper configuration to clients
I get this error in neutron log file, seems to be related to
SELinux but i'm not sure:
2013-11-28 01:10:59.524 3454 ERROR neutron.openstack.common.rpc.impl_qpid [-] Unable to connect to AMQP server: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_164' not found). Sleeping 60 seconds
It seems like it is trying to use Kerberos via SASL. Is this what you configured?
[para@virtual-rhel ~]$ sudo cat /etc/nova/nova.conf | grep qpid | grep -v '^#'
[para@virtual-rhel ~]$ cat /etc/qpidd.conf | grep auth
[para@virtual-rhel ~]$ sudo sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
[para@virtual-rhel ~]$ cat packstack-answers-20131212-112631.txt | grep CONFIG_QPID
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.