Issue #1168
closed
Pulp Celery components cannot use RabbitMQ with strict SSL client certificates
Severity: 2. Medium
Platform Release: 2.6.5
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Description
Originally reported by hgschmie via PR 1767
When using RabbitMQ with SSL client certificates, it is necessary to use the rabbitmq_auth_mechanism_ssl which uses the common_name (CN) of the client certificate as user name and then use SASL EXTERNAL to have RabbitMQ pick up the configuration.
Unfortunately, by default, Pulp only supports the default (AMQPLAIN) authentication, and it cannot be configured.
This change adds a new configuration parameter to the tasks section which allows setting the requested authentication mechanism through the celery BROKER_LOGIN_METHOD configuration setting.
This allows using RabbitMQ with strict SSL client certificates:
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {auth_mechanisms, ['EXTERNAL']},
    {ssl_options, [
      {cacertfile, '.../cacertfile'},
      {certfile, '.../cert.crt'},
      {keyfile, '.../cert.key'},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]},
    {ssl_cert_login_from, common_name}
  ]}
].
and adding the CN values from the client certificates as users to RabbitMQ.
Adds login_method options to [tasks] section of server.conf
If login_method is set, the value is used to configure the BROKER_LOGIN_METHOD Celery option. login_method defaults to '' which allows Celery to use its default values.
This change includes docs updates on practical usage of the new setting and a release note.
closes #1168 https://pulp.plan.io/issues/1168
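An added example (not Pulp's own code) of the mapping the commit message describes: a non-empty login_method in [tasks] becomes Celery's BROKER_LOGIN_METHOD, the empty default leaves it unset, and a pre-flight check flags EXTERNAL configured without a TLS client certificate. The helper names, every [tasks] key other than login_method, and all sample values are assumptions.

```python
import configparser
import ssl

# Constructed sample of a server.conf [tasks] section. Only login_method comes
# from the issue; the other key names, the host and the paths are assumptions.
SAMPLE_CONF = """
[tasks]
broker_url: amqp://broker.example.com:5671//
celery_require_ssl: true
cacert: /etc/pki/example/ca.crt
keyfile: /etc/pki/example/client.key
certfile: /etc/pki/example/client.crt
login_method: EXTERNAL
"""

def celery_settings(conf_text):
    """Build a Celery settings dict from server.conf text (hypothetical helper)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    tasks = parser["tasks"]
    settings = {"BROKER_URL": tasks.get("broker_url", "")}
    if tasks.getboolean("celery_require_ssl", fallback=False):
        settings["BROKER_USE_SSL"] = {
            "ca_certs": tasks.get("cacert"),
            "keyfile": tasks.get("keyfile"),
            "certfile": tasks.get("certfile"),
            "cert_reqs": ssl.CERT_REQUIRED,
        }
    # '' (the default) leaves BROKER_LOGIN_METHOD unset, so Celery keeps its default.
    login_method = tasks.get("login_method", "").strip()
    if login_method:
        settings["BROKER_LOGIN_METHOD"] = login_method
    return settings

def check_external_auth(settings):
    """List reasons SASL EXTERNAL would fail against a broker that demands client certs."""
    if settings.get("BROKER_LOGIN_METHOD") != "EXTERNAL":
        return []
    tls = settings.get("BROKER_USE_SSL")
    if not tls:
        return ["EXTERNAL requires TLS; BROKER_USE_SSL is not set"]
    # The broker derives the user name from the client certificate's CN,
    # so both the certificate and its private key must be configured.
    return ["EXTERNAL requires a client %s" % key
            for key in ("keyfile", "certfile") if not tls.get(key)]

if __name__ == "__main__":
    cfg = celery_settings(SAMPLE_CONF)
    print(cfg.get("BROKER_LOGIN_METHOD"), check_external_auth(cfg))
```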