Project

Profile

Help

Issue #1799

closed

Broker client certificate and key paths should default to empty string

Added by rbarlow over 6 years ago. Updated over 3 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

For the [messaging] and [tasks] sections, Pulp has non-emptystring defaults set for TLS connections to use client certificates:

https://github.com/pulp/pulp/blob/2.8.0/server/pulp/server/config.py#L99
https://github.com/pulp/pulp/blob/2.8.0/server/pulp/server/config.py#L127-L128

This is a problem for two reasons:

0) Admins who wish to use client certificates to authenticate to the broker are going to have their own CA infrastructure, and so anyone using these settings are going to need to explicitly set them anyway (i.e., if I deploy a broker, I'm going to configure it to use my corporate CA and I will need to generate my own certs for Pulp to use.)

1) The more common deployment strategy is to use password authentication. However, when these certificates are configured (as they are by default) TLS certificate auth is attempted instead of password authentication (at least for RabbitMQ), and the authentication will fail (at least for RabbitMQ). This means that users who want to use the common case deployment need to both set the password, and uncomment the client certificate settings, and set those settings to the empty string. That's too many and's for the common case, IMO, especially since this is undocumented behavior.

It would be much more sane if the default for the client certificate were the empty string.

Unfortunately, this is a backwards incompatible change.

Actions #1

Updated by rbarlow over 6 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter over 6 years ago

A blank default would have been better since the user likely has to take some step to enable TLS.

Note that the TLS is disabled by default for all celery usage. These certificate settings are only used[0] if the celery_require_ssl setting is True and it defaults to false[1]. They also could enable it with the broker string modification, but the server.conf cert values still won't be used unless celery_require_ssl is True.

[0]: https://github.com/pulp/pulp/blob/2debdb5972809d4a97b94515e1d90836029971db/server/pulp/server/async/celery_instance.py#L83-L90
[1]: https://github.com/pulp/pulp/blob/0f100dbb81db860753cc97958bc315bc57eee4bc/server/pulp/server/config.py#L125

Actions #3

Updated by rbarlow over 6 years ago

  • Subject changed from Pulp defaults to using TLS client certificates for the broker settings to Broker client certificate and key paths should default to empty string
Actions #4

Updated by mhrivnak over 6 years ago

  • Triaged changed from No to Yes
Actions #5

Updated by bmbouter over 3 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions #6

Updated by bmbouter over 3 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #7

Updated by bmbouter over 3 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF