
Issue #1168

Pulp Celery components cannot use RabbitMQ with strict SSL client certificates

Added by bmbouter over 6 years ago. Updated over 2 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date: -
Due date: -
Estimated time: -
Severity: 2. Medium
Version: -
Platform Release: 2.6.5
OS: -
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: -
Quarter: -

Description

Originally reported by hgschmie via PR 1767

When using RabbitMQ with SSL client certificates, it is necessary to use the rabbitmq_auth_mechanism_ssl which uses the common_name (CN) of the client certificate as user name and then use SASL EXTERNAL to have RabbitMQ pick up the configuration.

Unfortunately, by default, pulp only supports the default (AMQPLAIN) authentication and it cannot be configured.

This change adds a new configuration parameter to the tasks section which allows setting the requested authentication mechanism through the celery BROKER_LOGIN_METHOD configuration setting.

This allows using RabbitMQ with strict SSL client certificates:

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {auth_mechanisms, ['EXTERNAL']},
    {ssl_options, [
      {cacertfile,           '.../cacertfile'},
      {certfile,             '.../cert.crt'},
      {keyfile,              '.../cert.key'},
      {verify,               verify_peer},
      {fail_if_no_peer_cert, true}
    ]},
    {ssl_cert_login_from,  common_name}]
  }
].

and adding the CN values from the client certificates as users to RabbitMQ.

Associated revisions

Revision af7606b8 View on GitHub
Added by bmbouter over 6 years ago

Adds login_method options to [tasks] section of server.conf

If login_method is set, the value is used to configure the BROKER_LOGIN_METHOD Celery option. login_method defaults to '' which allows Celery to use its default values.

This change includes docs updates on practical usage of the new setting and a release note.

closes #1168 https://pulp.plan.io/issues/1168


Revision aa432bf5 View on GitHub
Added by bmbouter over 6 years ago

Patches downstream Kombu with login_method support

This does not bump the release because the -9 version has not yet been built in Koji so it can still be edited.

re #1168 https://pulp.plan.io/issues/1168


History

#1 Updated by bmbouter over 6 years ago

  • Subject changed from Pulp cannot use RabbitMQ with strict SSL client certificates to Pulp Celery components cannot use RabbitMQ with strict SSL client certificates

I put this against 2.7.0 because it introduces a new setting in server.conf.

#2 Updated by bmbouter over 6 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

#3 Updated by bmbouter over 6 years ago

  • Status changed from ASSIGNED to POST

#4 Updated by bmbouter over 6 years ago

QE, to verify this you can use Qpid.

1) Set up the 2.7.0 beta that contains this fix and sanity check that it works
2) Use the `sudo ./pulp-qpid-ssl-cfg` tool and have it generate some certs to the default locations. You'll need to enter the FQDN of the hostname that you are on at that step. See these docs for more info on how to do this.
3) Put these settings (perhaps updated for your cert locations) into /etc/qpid/qpidd.conf and restart qpidd. NOTE: this has auth=yes

auth=yes
# SSL
require-encryption=yes
ssl-require-client-authentication=yes
ssl-cert-db=/etc/pki/pulp/qpid/nss
ssl-cert-password-file=/etc/pki/pulp/qpid/nss/password
ssl-cert-name=broker
ssl-port=5671

4) Add these settings to [tasks] in server.conf. Note you'll have to put the CN of the certificate into the broker string along with the FQDNhostname. Docs were added to help users to do this so you can refer to those.

[tasks]
broker_url: qpid://<CNname>@<FQDNhostname>:5671/
celery_require_ssl: true
cacert: /etc/pki/pulp/qpid/ca.crt
keyfile: /etc/pki/pulp/qpid/client.crt
certfile: /etc/pki/pulp/qpid/client.crt
login_method: EXTERNAL

5) Restart httpd, pulp_workers, pulp_celerybeat, and pulp_resource_manager
6) Observe that when they start at INFO level (the default) they will log the line:

pulp[25776]: kombu.transport.qpid:INFO: Connected to qpid with SASL mechanism ANONYMOUS

7) Verify that Pulp works normally. Note consumers will not work because the [messaging] section of server.conf was not also configured.
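The revision notes above describe the new login_method key being passed through to Celery's BROKER_LOGIN_METHOD only when it is non-empty, and the QE steps in this comment show the matching [tasks] settings for a client-certificate (EXTERNAL) login against Qpid. The following is an added illustration of that mapping, not Pulp's own code: it parses a constructed [tasks] snippet modelled on the one above, emits the Celery 3.x setting names BROKER_URL, BROKER_USE_SSL and BROKER_LOGIN_METHOD, and adds two checks this example assumes rather than takes from Pulp: EXTERNAL is refused without celery_require_ssl (there is no client certificate to authenticate with otherwise), and a qpid:// URL used with EXTERNAL must carry the certificate CN as its user part, as step 4 requires. The accepted mechanism list and the broker hostname are assumptions.

```python
"""Illustrative mapping of a Pulp-style [tasks] section to Celery broker settings.

Added example, not Pulp's code. The Celery setting names are real Celery 3.x
names; the mapping, validation rules and mechanism list are this example's own.
"""
import configparser
import ssl
from urllib.parse import urlsplit

# Mechanisms this example accepts for login_method (assumed list, not Pulp's).
KNOWN_LOGIN_METHODS = {"AMQPLAIN", "PLAIN", "EXTERNAL"}

# Constructed sample modelled on the [tasks] snippet in comment #4; the user
# part of broker_url stands in for the client certificate CN, the host is a
# placeholder.
SAMPLE_SERVER_CONF = """
[tasks]
broker_url: qpid://pulp-client@broker.example.test:5671/
celery_require_ssl: true
cacert: /etc/pki/pulp/qpid/ca.crt
keyfile: /etc/pki/pulp/qpid/client.crt
certfile: /etc/pki/pulp/qpid/client.crt
login_method: EXTERNAL
"""


def parse_tasks_section(text):
    """Parse the [tasks] section; server.conf uses 'key: value' lines."""
    parser = configparser.ConfigParser(delimiters=(":", "="))
    parser.read_string(text)
    return dict(parser["tasks"])


def celery_settings_from_tasks(tasks):
    """Build the Celery broker settings dict from parsed [tasks] values."""
    broker_url = tasks["broker_url"]
    settings = {"BROKER_URL": broker_url}

    require_ssl = tasks.get("celery_require_ssl", "false").strip().lower() == "true"
    if require_ssl:
        settings["BROKER_USE_SSL"] = {
            "ca_certs": tasks["cacert"],
            "keyfile": tasks["keyfile"],
            "certfile": tasks["certfile"],
            "cert_reqs": ssl.CERT_REQUIRED,  # also verify the broker's certificate
        }

    login_method = tasks.get("login_method", "").strip().upper()
    if not login_method:
        # Empty value: leave BROKER_LOGIN_METHOD unset so Celery keeps its
        # default (AMQPLAIN), matching the revision note above.
        return settings
    if login_method not in KNOWN_LOGIN_METHODS:
        raise ValueError("unsupported login_method: %r" % login_method)
    if login_method == "EXTERNAL":
        if not require_ssl:
            # EXTERNAL authenticates by the TLS client certificate; without
            # celery_require_ssl there is no certificate to present.
            raise ValueError("login_method EXTERNAL requires celery_require_ssl: true")
        if broker_url.startswith("qpid://") and not urlsplit(broker_url).username:
            # Step 4 above: for Qpid the certificate CN goes in the URL's user part.
            raise ValueError("qpid:// broker_url needs the certificate CN as user part")
    settings["BROKER_LOGIN_METHOD"] = login_method
    return settings


if __name__ == "__main__":
    for key, value in sorted(celery_settings_from_tasks(
            parse_tasks_section(SAMPLE_SERVER_CONF)).items()):
        print(key, "=", value)
```

Running the module prints the three settings derived from the sample; feeding it a snippet with login_method left empty yields only BROKER_URL and BROKER_USE_SSL, which is the "defaults to ''" behaviour the revision describes.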

#5 Updated by bmbouter over 6 years ago

  • Platform Release changed from 2.7.0 to 2.6.4

This work was rebased against the 2.6-dev and 2.7-testing merge base and is being merged in with this PR: https://github.com/pulp/pulp/pull/2002

#6 Updated by bmbouter over 6 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#7 Updated by mhrivnak over 6 years ago

  • Triaged changed from No to Yes

#8 Updated by dkliban@redhat.com about 6 years ago

  • Platform Release changed from 2.6.4 to 2.6.5

#9 Updated by dkliban@redhat.com about 6 years ago

  • Status changed from MODIFIED to 5

#10 Updated by dkliban@redhat.com about 6 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#11 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
