Issue #1168
Status: closed
Pulp Celery components cannot use RabbitMQ with strict SSL client certificates
Description
Originally reported by hgschmie via PR 1767
When using RabbitMQ with SSL client certificates, it is necessary to use the rabbitmq_auth_mechanism_ssl which uses the common_name (CN) of the client certificate as user name and then use SASL EXTERNAL to have RabbitMQ pick up the configuration.
Unfortunately, by default, pulp only supports the default (AMQPLAIN) authentication and it cannot be configured.
This change adds a new configuration parameter to the tasks section which allows setting the requested authentication mechanism through the celery BROKER_LOGIN_METHOD configuration setting.
This allows using RabbitMQ with strict SSL client certificates:
[
{rabbit, [
{ssl_listeners, [5671]},
{auth_mechanisms, ['EXTERNAL']},
{ssl_options, [
{cacertfile, '.../cacertfile'},
{certfile, '.../cert.crt'},
{keyfile, '.../cert.key'},
{verify, verify_peer},
{fail_if_no_peer_cert, true}
]},
{ssl_cert_login_from, common_name}]
}
].
and adding the CN values from the client certificates as users to RabbitMQ.
Updated by bmbouter over 9 years ago
- Subject changed from Pulp cannot use RabbitMQ with strict SSL client certificates to Pulp Celery components cannot use RabbitMQ with strict SSL client certificates
I put this against 2.7.0 because it introduces a new setting in server.conf.
Updated by bmbouter over 9 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Updated by bmbouter over 9 years ago
- Status changed from ASSIGNED to POST
PR available at: https://github.com/pulp/pulp/pull/2001
Updated by bmbouter over 9 years ago
QE, to verify this you can use Qpid.
1) Setup the 2.7.0 beta that contains this fix and sanity check that it works
2) Use the `sudo ./pulp-qpid-ssl-cfg` tool and have it generate some certs to the default locations. You'll need to enter the FQDN of the hostname that you are on at that step. See these docs for more info on how to do this.
3) Put these settings (perhaps updated for your cert locations) into /etc/qpid/qpidd.conf and restart qpidd. NOTE: this has auth=yes
auth=yes
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=/etc/pki/pulp/qpid/nss
ssl-cert-password-file=/etc/pki/pulp/qpid/nss/password
ssl-cert-name=broker
ssl-port=5671
4) Add these settings to [tasks] in server.conf. Note you'll have to put the CN of the certificate into the broker string along with the FQDN hostname. Docs were added to help users to do this so you can refer to those.
[tasks]
broker_url: qpid://<CNname>@<FQDNhostname>:5671/
celery_require_ssl: true
cacert: /etc/pki/pulp/qpid/ca.crt
keyfile: /etc/pki/pulp/qpid/client.crt
certfile: /etc/pki/pulp/qpid/client.crt
login_method: EXTERNAL
5) Restart httpd, pulp_workers, pulp_celerybeat, and pulp_resource_manager
6) Observe that when they start at INFO level (the default) they will log the line:
pulp[25776]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS
7) Verify that Pulp works normally. Note consumers will not work because the [messaging] section of server.conf was not also configured.
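The mapping from the [tasks] keys above onto the Celery settings the commit mentions, plus the consistency checks a practitioner would want before restarting the services, as an added example. This is not Pulp's own code: the function names, the check logic and the sample server.conf text (host and CN are placeholders) are assumptions made here for illustration.

```python
"""Added example (not Pulp's own code): build the Celery broker settings that a
[tasks] section like the one above maps onto, then sanity-check the combination
SASL EXTERNAL needs. Function names and the sample config are assumptions made
here for illustration."""
import configparser
import ssl
from urllib.parse import urlsplit

# Constructed sample modelled on the [tasks] section in the QE steps; the host
# and CN are placeholders, not values from the page.
SAMPLE_TASKS_CONF = """
[tasks]
broker_url: qpid://pulp-client@broker.example.com:5671/
celery_require_ssl: true
cacert: /etc/pki/pulp/qpid/ca.crt
keyfile: /etc/pki/pulp/qpid/client.crt
certfile: /etc/pki/pulp/qpid/client.crt
login_method: EXTERNAL
"""


def build_broker_settings(conf_text):
    """Translate [tasks] keys into the Celery setting names the issue refers to.

    An empty login_method is left out entirely so Celery/kombu fall back to their
    default mechanism (AMQPLAIN on RabbitMQ), which is the behaviour the commit
    message describes.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    tasks = parser["tasks"]
    settings = {"BROKER_URL": tasks.get("broker_url", "").strip()}
    if tasks.getboolean("celery_require_ssl", fallback=False):
        # kombu hands this dict to the ssl module, hence these key names.
        settings["BROKER_USE_SSL"] = {
            "ca_certs": tasks.get("cacert", ""),
            "keyfile": tasks.get("keyfile", ""),
            "certfile": tasks.get("certfile", ""),
            "cert_reqs": ssl.CERT_REQUIRED,
        }
    login_method = tasks.get("login_method", "").strip()
    if login_method:
        settings["BROKER_LOGIN_METHOD"] = login_method
    return settings


def check_external_auth(settings, expected_cn=None):
    """Return a list of misconfigurations for certificate-based (EXTERNAL) login.

    With EXTERNAL the broker derives the user name from the client certificate's
    CN, so a client certificate is mandatory, the user in broker_url must be that
    CN, and a password in the URL is dead weight that should not sit in server.conf.
    """
    problems = []
    if settings.get("BROKER_LOGIN_METHOD") != "EXTERNAL":
        return problems  # nothing to check for the default mechanism
    tls = settings.get("BROKER_USE_SSL")
    if not tls:
        problems.append("login_method EXTERNAL requires celery_require_ssl: true")
    elif not (tls.get("certfile") and tls.get("keyfile")):
        problems.append("EXTERNAL needs certfile and keyfile (the client certificate)")
    url = urlsplit(settings.get("BROKER_URL", ""))
    if not url.username:
        problems.append("broker_url must carry the certificate CN as the user name")
    elif expected_cn is not None and url.username != expected_cn:
        problems.append(
            "broker_url user %r does not match certificate CN %r" % (url.username, expected_cn)
        )
    if url.password:
        problems.append("broker_url contains a password, which EXTERNAL never sends")
    return problems


if __name__ == "__main__":
    cfg = build_broker_settings(SAMPLE_TASKS_CONF)
    for line in check_external_auth(cfg, expected_cn="pulp-client") or ["[tasks] looks consistent"]:
        print(line)
```

Pass the CN read from the actual client certificate as `expected_cn` to catch the mismatch step 4 warns about; the check deliberately reports a password in the URL, since a credential that the mechanism never transmits only adds exposure in server.conf.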
Added by bmbouter over 9 years ago
Revision af7606b8 | View on GitHub
Adds login_method options to [tasks] section of server.conf
If login_method is set, the value is used to configure the BROKER_LOGIN_METHOD Celery option. login_method defaults to '' which allows Celery to use its default values.
This change includes docs updates on practical usage of the new setting and a release note.
Updated by bmbouter over 9 years ago
- Platform Release changed from 2.7.0 to 2.6.4
This work was rebased against the 2.6-dev and 2.7-testing merge base and is being merged in with this PR: https://github.com/pulp/pulp/pull/2002
Updated by bmbouter over 9 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|af7606b8d1ba7d3c094f731a3a5b0ebd1dc852d1.
Added by bmbouter over 9 years ago
Revision aa432bf5 | View on GitHub
Patches downstream Kombu with login_method support
This does not bump the release because the -9 version has not yet been built in Koji so it can still be edited.
Updated by dkliban@redhat.com over 9 years ago
- Platform Release changed from 2.6.4 to 2.6.5
Updated by dkliban@redhat.com over 9 years ago
- Status changed from MODIFIED to 5
Updated by dkliban@redhat.com about 9 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE