From 1bb9f13bb28df2c1913f4b433aecf3e730fc09a8 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Fri, 7 Aug 2015 13:03:05 +0200
Subject: [PATCH] Ensure access to Redis is password protected
Depends-On: I1a8741b9e00775763911222cbe0af677b59e03a1
Change-Id: I373f97ada4e4101700a12b42dfb8ee4b2ff701f2
(cherry picked from commit 9923ead009d89666234f8affdd560990c0e4e52d)
---
 overcloud.yaml | 5 +++++
 puppet/controller.yaml | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/overcloud.yaml b/overcloud.yaml
index a6aced32ef..02681359f0 100644
--- a/overcloud.yaml
+++ b/overcloud.yaml
@@ -307,6 +307,10 @@ parameters:
 default: false
 description: Enable IPv6 in RabbitMQ
 type: boolean
+ RedisPassword:
+ description: The password for Redis
+ type: string
+ hidden: true
 SnmpdReadonlyUserName:
 default: ro_snmp_user
 description: The user name for SNMPd with readonly rights running on all Overcloud nodes
@@ -982,6 +986,7 @@ resources:
 RabbitClientPort: {get_param: RabbitClientPort}
 RabbitFDLimit: {get_param: RabbitFDLimit}
 RabbitIPv6: {get_param: RabbitIPv6}
+ RedisPassword: {get_param: RedisPassword}
 SnmpdReadonlyUserName: {get_param: SnmpdReadonlyUserName}
 SnmpdReadonlyUserPassword: {get_param: SnmpdReadonlyUserPassword}
 RedisVirtualIP: {get_attr: [RedisVirtualIP, ip_address]}
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index e2c50ea081..54d3db1faa 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -599,6 +599,10 @@ parameters:
 default: false
 description: Enable IPv6 in RabbitMQ
 type: boolean
+ RedisPassword:
+ type: string
+ description: The password to access the Redis service
+ hidden: true
 RedisVirtualIP:
 type: string
 default: '' # Has to be here because of the ignored empty value bug
@@ -1127,7 +1131,8 @@ resources:
 - ''
 - - 'redis://'
 - {get_param: RedisVirtualIPUri}
- - ':6379'
+ - ':6379/?password='
+ - {get_param: RedisPassword}
 ceilometer_dsn:
 list_join:
 - ''
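Review bot: The new `RedisPassword` parameter in overcloud.yaml (hunk at -307) is declared without any `constraints`, so an empty string is still a valid value; an empty `requirepass` would presumably leave Redis unauthenticated, which is the case this change sets out to prevent. I would add a length constraint to the declaration, for example `constraints:` followed by `- length: {min: 1}`, with whatever minimum the project wants to enforce. The same declaration is repeated in puppet/controller.yaml (hunk at -599) and needs the same constraint. The two descriptions also differ (`The password for Redis` vs `The password to access the Redis service`); one wording in both files would be easier to search for.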
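Review bot: In the puppet/controller.yaml hunk at -1127, `RedisPassword` is joined verbatim into the query string (`':6379/?password='` followed by `{get_param: RedisPassword}`), so a password containing `&`, `#`, `%` or `+` would be read differently by whatever parses this URL than by the Redis server, which gets the raw value through `redis::requirepass`. HOT has no URL-encoding function that I know of, so the practical fix is to restrict the parameter where it is declared, e.g. `allowed_pattern: '^[A-Za-z0-9]+$'` under its `constraints`, and to state the restriction in the description. A comment above the join such as `# URL embeds RedisPassword; treat this value as a secret` would also help, since `hidden: true` masks the parameter itself and presumably not values derived from it. The key that owns this `list_join` starts outside the hunk.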
@@ -1202,6 +1207,7 @@ resources:
 horizon_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, HorizonNetwork]}]}
 rabbitmq_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RabbitMqNetwork]}]}
 redis_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, RedisNetwork]}]}
+ redis_password: {get_param: RedisPassword}
 redis_vip: {get_param: RedisVirtualIP}
 memcached_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
 mysql_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
@@ -1537,6 +1543,9 @@ resources:
 rabbit_ipv6: {get_input: rabbit_ipv6}
 # Redis
 redis::bind: {get_input: redis_network}
+ redis::requirepass: {get_input: redis_password}
+ redis::masterauth: {get_input: redis_password}
+ redis::sentinel_auth_pass: {get_input: redis_password}
 redis_vip: {get_input: redis_vip}
 # Firewall
 tripleo::firewall::manage_firewall: {get_input: manage_firewall}
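Review bot: The three hieradata keys added in the hunk at -1537 (`redis::requirepass`, `redis::masterauth`, `redis::sentinel_auth_pass`) all take the same `redis_password` input, and nothing on these lines says that the shared value is a requirement rather than a shortcut. I would add a comment above them such as `# All three must match: any node may be promoted to master, and replicas and Sentinel authenticate with the master's requirepass`. That also tells an operator that a password change has to reach every controller together, since a node left on the old value would presumably fail to replicate or be monitored. The enclosing mapping starts and ends outside the hunk.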