Allow insecure SSL communications with RabbitMQ

Add insecure option to [rabbitmq] section of murano.conf This is a partial fix because it improves Engine <-> RMQ communications but the same problem exist on Agent <-> RMQ side Partial-Bug: #1578421 Change-Id: I55207c3016da12be45918a7dc33795abf69627b4
2016-05-06 07:51:24 -07:00 · 2016-05-06 07:51:24 -07:00 · 3ccd8981ad
parent f1614d728c
commit 3ccd8981ad
8 changed files with 21 additions and 5 deletions
--- a/doc/source/install/ssl.rst
+++ b/doc/source/install/ssl.rst
@ -96,6 +96,7 @@ Just set *ssl* parameter to True to enable ssl.
    password = guest
    virtual_host = /
    ssl = True
+    insecure = False

 If you want to configure Murano Agent in a different way change
 the default template. It can be found in Murano Core Library, located at *http://git.openstack.org/cgit/openstack/murano/tree/meta/io.murano/Resources/Agent-v1.template*. Take
--- a/meta/io.murano/Classes/Environment.yaml
+++ b/meta/io.murano/Classes/Environment.yaml
@ -61,6 +61,7 @@ Properties:
          virtual_host: $.string() or '/'
          ssl: $.bool() or false
          ca_certs: $.string() or ''
+          insecure: $.bool() or false
    Usage: Config

  region:
--- a/meta/io.murano/Classes/resources/LinuxMuranoInstance.yaml
+++ b/meta/io.murano/Classes/resources/LinuxMuranoInstance.yaml
@ -74,6 +74,7 @@ Methods:
            "%RABBITMQ_PASSWORD%": $rabbitMqParams.password
            "%RABBITMQ_VHOST%": $rabbitMqParams.virtual_host
            "%RABBITMQ_SSL%": str($rabbitMqParams.ssl).toLower()
+            "%RABBITMQ_INSECURE%": str($rabbitMqParams.insecure).toLower()
            "%RABBITMQ_INPUT_QUEUE%": $.agent.queueName()
            "%RESULT_QUEUE%": $environment.agentListener.queueName()
        - $scriptReplacements:
--- a/meta/io.murano/Resources/Agent-v2.template
+++ b/meta/io.murano/Resources/Agent-v2.template
@ -24,6 +24,9 @@ port = %RABBITMQ_PORT%
 # Use SSL for RabbitMQ connections (True or False)
 ssl = %RABBITMQ_SSL%

+# Do not verify SSL certificates
+insecure = %RABBITMQ_INSECURE%
+
 # Path to SSL CA certificate or empty to allow self signed server certificate
 ca_certs = '/etc/murano/certs/ca_certs'

--- a/murano/cmd/manage.py
+++ b/murano/cmd/manage.py
@ -17,7 +17,6 @@
  This file is about to be deprecated, please use python-muranoclient.
  *** Deprecation warning ***
 """
-
 import sys
 import traceback

--- a/murano/common/config.py
+++ b/murano/common/config.py
@ -57,6 +57,10 @@ rabbit_opts = [

    cfg.StrOpt('ca_certs', default='',
               help='SSL cert file (valid only if SSL enabled).'),
+
+    cfg.BoolOpt('insecure', default=False,
+                help='This option explicitly allows Murano to perform '
+                     '"insecure" SSL connections to RabbitMQ'),
 ]

 heat_opts = [
--- a/murano/common/messaging/mqclient.py
+++ b/murano/common/messaging/mqclient.py
@ -25,13 +25,19 @@ kombu = patcher.import_patched('kombu')

 class MqClient(object):
    def __init__(self, login, password, host, port, virtual_host,
-                 ssl=False, ca_certs=None):
+                 ssl=False, ca_certs=None, insecure=False):
        ssl_params = None

-        if ssl is True:
+        if ssl:
+            cert_reqs = ssl_module.CERT_REQUIRED
+            if insecure:
+                if ca_certs:
+                    cert_reqs = ssl_module.CERT_OPTIONAL
+                else:
+                    cert_reqs = ssl_module.CERT_NONE
            ssl_params = {
                'ca_certs': ca_certs,
-                'cert_reqs': ssl_module.CERT_REQUIRED
+                'cert_reqs': cert_reqs
            }

        self._connection = kombu.Connection(
--- a/murano/engine/system/common.py
+++ b/murano/engine/system/common.py
@ -29,6 +29,7 @@ def create_rmq_client():
        'port': rabbitmq.port,
        'virtual_host': rabbitmq.virtual_host,
        'ssl': rabbitmq.ssl,
-        'ca_certs': rabbitmq.ca_certs.strip() or None
+        'ca_certs': rabbitmq.ca_certs.strip() or None,
+        'insecure': rabbitmq.insecure
    }
    return mqclient.MqClient(**connection_params)