
Issue #1799

closed

Broker client certificate and key paths should default to empty string

Added by rbarlow about 8 years ago. Updated about 5 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date: -
Due date: -
Estimated time: -
Severity: 2. Medium
Version: -
Platform Release: -
OS: -
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint: -
Quarter: -

Description

For the [messaging] and [tasks] sections, Pulp has non-empty-string defaults set for TLS connections to use client certificates:

https://github.com/pulp/pulp/blob/2.8.0/server/pulp/server/config.py#L99
https://github.com/pulp/pulp/blob/2.8.0/server/pulp/server/config.py#L127-L128

This is a problem for two reasons:

0) Admins who wish to use client certificates to authenticate to the broker are going to have their own CA infrastructure, and so anyone using these settings are going to need to explicitly set them anyway (i.e., if I deploy a broker, I'm going to configure it to use my corporate CA and I will need to generate my own certs for Pulp to use.)

1) The more common deployment strategy is to use password authentication. However, when these certificates are configured (as they are by default) TLS certificate auth is attempted instead of password authentication (at least for RabbitMQ), and the authentication will fail (at least for RabbitMQ). This means that users who want to use the common case deployment need to both set the password, and uncomment the client certificate settings, and set those settings to the empty string. That's too many and's for the common case, IMO, especially since this is undocumented behavior.

It would be much more sane if the default for the client certificate were the empty string.

Unfortunately, this is a backwards incompatible change.

#1

Updated by rbarlow about 8 years ago

  • Description updated (diff)
#2

Updated by bmbouter about 8 years ago

A blank default would have been better since the user likely has to take some step to enable TLS.

Note that the TLS is disabled by default for all celery usage. These certificate settings are only used[0] if the celery_require_ssl setting is True and it defaults to false[1]. They also could enable it with the broker string modification, but the server.conf cert values still won't be used unless celery_require_ssl is True.

[0]: https://github.com/pulp/pulp/blob/2debdb5972809d4a97b94515e1d90836029971db/server/pulp/server/async/celery_instance.py#L83-L90
[1]: https://github.com/pulp/pulp/blob/0f100dbb81db860753cc97958bc315bc57eee4bc/server/pulp/server/config.py#L125

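The two points above (the description's complaint that non-empty client certificate defaults make a password-authenticated deployment attempt certificate auth, and #2's note that the certificate settings only matter when celery_require_ssl is true) can be shown with a small model of the broker option assembly. This is an added example, not Pulp's own code: the section and key names (celery_require_ssl, cacert, certfile, keyfile), the file paths and the returned option dictionary are assumptions for illustration, and both config texts are constructed here.

```python
import configparser
from typing import Optional

# Constructed sample of the "old" shape: TLS off by default, but client cert
# and key paths pre-filled, so flipping celery_require_ssl on silently selects
# certificate auth even though the broker URL carries a password.
OLD_DEFAULTS = """
[tasks]
broker_url = amqp://pulp:password@localhost:5672/
celery_require_ssl = false
cacert = /etc/pki/pulp/qpid/ca.crt
certfile = /etc/pki/pulp/qpid/client.crt
keyfile = /etc/pki/pulp/qpid/client.key
"""

# Constructed sample of the proposed shape: TLS enabled, CA pinned for server
# verification, client cert and key left empty so password auth still applies.
PROPOSED_DEFAULTS = """
[tasks]
broker_url = amqp://pulp:password@localhost:5672/
celery_require_ssl = true
cacert = /etc/pki/pulp/qpid/ca.crt
certfile =
keyfile =
"""


def load(text: str) -> configparser.ConfigParser:
    """Parse an INI fragment into a ConfigParser (hypothetical helper)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def broker_ssl_options(cfg: configparser.ConfigParser,
                       section: str = "tasks") -> Optional[dict]:
    """Return the TLS options a broker client would receive, or None if TLS is off.

    Mirrors the gating described in #2: certificate settings are read only when
    celery_require_ssl is true. Empty certfile/keyfile mean "no client
    certificate", which is what the issue asks the defaults to be.
    """
    if not cfg.getboolean(section, "celery_require_ssl", fallback=False):
        return None
    opts = {"ca_certs": cfg.get(section, "cacert", fallback="").strip()}
    certfile = cfg.get(section, "certfile", fallback="").strip()
    keyfile = cfg.get(section, "keyfile", fallback="").strip()
    if certfile and keyfile:
        opts["certfile"] = certfile
        opts["keyfile"] = keyfile
    elif certfile or keyfile:
        # Half-configured client auth is a misconfiguration, not a fallback.
        raise ValueError("certfile and keyfile must be set together")
    return opts


def auth_method(cfg: configparser.ConfigParser, section: str = "tasks") -> str:
    """Name the authentication path the assembled options would lead to."""
    opts = broker_ssl_options(cfg, section)
    if opts is not None and "certfile" in opts:
        return "tls-client-cert"
    return "password"


if __name__ == "__main__":
    old_off = load(OLD_DEFAULTS)
    old_on = load(OLD_DEFAULTS.replace("celery_require_ssl = false",
                                       "celery_require_ssl = true"))
    proposed = load(PROPOSED_DEFAULTS)
    print("old defaults, TLS off: ", auth_method(old_off))
    print("old defaults, TLS on:  ", auth_method(old_on))
    print("proposed, TLS on:      ", auth_method(proposed))
```

Running the module shows the contrast the description draws: with the old-style defaults, merely enabling celery_require_ssl moves the client to certificate auth because the pre-filled paths are non-empty, while the proposed empty defaults keep password auth and still verify the broker against the CA.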
#3

Updated by rbarlow about 8 years ago

  • Subject changed from Pulp defaults to using TLS client certificates for the broker settings to Broker client certificate and key paths should default to empty string
#4

Updated by mhrivnak about 8 years ago

  • Triaged changed from No to Yes
#5

Updated by bmbouter about 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
#6

Updated by bmbouter about 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#7

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
