Bug 972643 - QPID doesn't recognize qpid_user defined in conf file
QPID doesn't recognize qpid_user defined in conf file
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-packstack (Show other bugs)
3.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: 4.0
Assigned To: Ivan Chavero
Martin Magr
: OtherQA, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-10 06:18 EDT by yfried
Modified: 2013-12-19 19:05 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-19 19:05:22 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 58898 None None None Never

  None (edit)
Description yfried 2013-06-10 06:18:11 EDT
Description of problem:
when working with qpid broker in authentication mode, user/pass defined in nova.conf (or quantum.conf) aren't recognized and QPID stops working.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. in qpidd.conf set auth=yes
2. restart nova and qpidd services

Actual results:
nova commands don't work - no connection to QPI

from nova/api.log - 
Unable to connect to AMQP server: connection-forced: Authentication failed

Expected results:
Commands should work fine

Additional info:
1. listing all users in QPID security DB:
# sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
returns empty list

2. to work around this issue I had to manually insert the user/pass defined in the conf files to the QPID security DB using:
# saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u QPID <user>

3. now sasldblistusers2 returns:
<user>@QPID: userPassword


Should this be handled by openstack installation (packstack??) or by a nova command?
Comment 2 Xavier Queralt 2013-06-24 10:46:21 EDT
This is something that the deployment tool should handle and not nova because this should be configured for all the components using AMQP.

The same way that packstack configures the host where QPID is going to listen, it could configure the user/password parameters if requested.
Comment 3 Ivan Chavero 2013-11-28 19:55:55 EST
Added Auth option for qpid and proper configuration to clients


I get this error in neutron log file, seems to be related to
SELinux but i'm not sure:
2013-11-28 01:10:59.524 3454 ERROR neutron.openstack.common.rpc.impl_qpid [-] Unable to connect to AMQP server: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_164' not found). Sleeping 60 seconds
Comment 4 Dmitri Pal 2013-12-01 22:41:50 EST
It seems like it is trying to use Kerberos via SASL. Is this what you configured?
Comment 5 Alvaro Lopez Ortega 2013-12-04 17:09:26 EST
Merged
Comment 9 Martin Magr 2013-12-12 09:47:44 EST
[para@virtual-rhel ~]$ sudo cat /etc/nova/nova.conf | grep qpid | grep -v '^#'
rpc_backend=nova.openstack.common.rpc.impl_qpid
qpid_hostname=192.168.122.15
qpid_port=5672
qpid_username=qpid_user
qpid_password=8f421842dc8348a6
qpid_heartbeat=60
qpid_protocol=tcp
qpid_tcp_nodelay=True
qpid_reconnect_interval=0
qpid_reconnect_interval_min=0
qpid_reconnect=True
qpid_reconnect_timeout=0
qpid_reconnect_interval_max=0
qpid_reconnect_limit=0
[para@virtual-rhel ~]$ cat /etc/qpidd.conf | grep auth
auth=yes
[para@virtual-rhel ~]$ sudo sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
qpid_user@QPID: userPassword
[para@virtual-rhel ~]$ cat packstack-answers-20131212-112631.txt | grep CONFIG_QPID
CONFIG_QPID_HOST=192.168.122.15
CONFIG_QPID_ENABLE_AUTH=y
CONFIG_QPID_AUTH_USER=qpid_user
CONFIG_QPID_AUTH_PASSWORD=8f421842dc8348a6
Comment 11 errata-xmlrpc 2013-12-19 19:05:22 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html

Note You need to log in before you can comment on or make changes to this bug.