Enable encryption for all RabbitMQ connections

This change enables encryption between OpenStack services and RabbitMQ by default. Closes-bug: 1509086 Change-Id: Ic95a556e001f66df935ea7db613b497b47062851
2015-10-20 16:04:36 -05:00 · 2015-10-20 16:04:36 -05:00 · d930a7b55c
commit d930a7b55c
parent 8355f191de
12 changed files with 39 additions and 7 deletions
--- a/doc/source/install-guide/configure-rabbitmq.rst
+++ b/doc/source/install-guide/configure-rabbitmq.rst
@ -10,17 +10,34 @@ a SSL/TLS encrypted listener on port 5671.
 Customizing the RabbitMQ deployment is done within
 ``/etc/openstack_deploy/user_variables.yml``.

-Securing RabbitMQ communication with SSL certificates
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Add a TLS encrypted listener to RabbitMQ
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 The openstack-ansible project provides the ability to secure RabbitMQ
-communications with self-signed or user-provided SSL certificates.
-
-Refer to `Securing services with SSL certificates`_ for available configuration
+communications with self-signed or user-provided SSL certificates.  Refer to
+`Securing services with SSL certificates`_ for available configuration
 options.

 .. _Securing services with SSL certificates: configure-sslcertificates.html

+Enable encrypted connections to RabbitMQ
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+SSL communication between various OpenStack services and RabbitMQ is
+controlled via the Ansible variable ``rabbit_use_ssl``:
+
+.. code-block:: yaml
+
+    rabbit_use_ssl: true
+
+Setting this variable to ``true`` will adjust the RabbitMQ port to 5671 (the
+default SSL/TLS listener port) and enable SSL connectivity between each
+OpenStack service and RabbitMQ.
+
+Setting this variable to ``false`` will disable SSL encryption between
+OpenStack services and RabbitMQ. The plaintext port for RabbitMQ, 5672, will
+be used for all services.
+
 --------------

 .. include:: navigation.txt
--- a/etc/openstack_deploy/user_variables.yml
+++ b/etc/openstack_deploy/user_variables.yml
@ -132,6 +132,12 @@ ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AE
 #rabbitmq_user_ssl_cert: <path to cert on ansible deployment host>
 #rabbitmq_user_ssl_key: <path to cert on ansible deployment host>
 #rabbitmq_user_ssl_ca_cert: <path to cert on ansible deployment host>
+#
+# By default, openstack-ansible configures all OpenStack services to talk to
+# RabbitMQ over encrypted connections on port 5671. To opt-out of this default,
+# set the rabbitmq_use_ssl variable to 'false'. The default setting of 'true'
+# is highly recommended for securing the contents of RabbitMQ messages.
+#rabbitmq_use_ssl: true

 ## Additional pinning generator that will allow for more packages to be pinned as you see fit.
 ## All pins allow for package and versions to be defined. Be careful using this as versions
--- a/playbooks/inventory/group_vars/hosts.yml
+++ b/playbooks/inventory/group_vars/hosts.yml
@ -49,9 +49,9 @@ lxc_container_caches:

 ## RabbitMQ
 rabbitmq_cluster_name: openstack
-rabbitmq_port: 5672
+rabbitmq_port: "{{ (rabbitmq_use_ssl | bool) | ternary(5671, 5672) }}"
 rabbitmq_servers: "{% for host in groups['rabbitmq_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}"
-
+rabbitmq_use_ssl: true

 ## Galera
 galera_wsrep_cluster_address: "{% for host in groups['galera_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}{% if not loop.last %},{% endif %}{% endfor %}"
--- a/playbooks/roles/os_aodh/templates/aodh.conf.j2
+++ b/playbooks/roles/os_aodh/templates/aodh.conf.j2
@ -13,6 +13,7 @@ rabbit_userid = {{ aodh_rabbitmq_userid }}
 rabbit_password = {{ aodh_rabbitmq_password }}
 rabbit_virtual_host = {{ aodh_rabbitmq_vhost }}
 rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}

 [api]
 port = {{ aodh_service_port }}
--- a/playbooks/roles/os_ceilometer/templates/ceilometer.conf.j2
+++ b/playbooks/roles/os_ceilometer/templates/ceilometer.conf.j2
@ -16,6 +16,7 @@ rabbit_userid = {{ ceilometer_rabbitmq_userid }}
 rabbit_password = {{ ceilometer_rabbitmq_password }}
 rabbit_virtual_host = {{ ceilometer_rabbitmq_vhost }}
 rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}

 [api]
 port = 8777
--- a/playbooks/roles/os_cinder/templates/cinder.conf.j2
+++ b/playbooks/roles/os_cinder/templates/cinder.conf.j2
@ -119,6 +119,7 @@ rabbit_userid = {{ cinder_rabbitmq_userid }}
 rabbit_password = {{ cinder_rabbitmq_password }}
 rabbit_virtual_host = {{ cinder_rabbitmq_vhost }}
 rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}

 [oslo_concurrency]
 lock_path = /var/lock/cinder
--- a/playbooks/roles/os_glance/templates/glance-api.conf.j2
+++ b/playbooks/roles/os_glance/templates/glance-api.conf.j2
@ -87,6 +87,7 @@ rabbit_port = {{ rabbitmq_port }}
 rabbit_userid = {{ glance_rabbitmq_userid }}
 rabbit_password = {{ glance_rabbitmq_password }}
 rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}
 rabbit_notification_exchange = glance
 rabbit_notification_topic = notifications

--- a/playbooks/roles/os_glance/templates/glance-registry.conf.j2
+++ b/playbooks/roles/os_glance/templates/glance-registry.conf.j2
@ -53,6 +53,7 @@ rabbit_port = {{ rabbitmq_port }}
 rabbit_userid = {{ glance_rabbitmq_userid }}
 rabbit_password = {{ glance_rabbitmq_password }}
 rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}
 rabbit_notification_exchange = glance
 rabbit_notification_topic = notifications

--- a/playbooks/roles/os_heat/templates/heat.conf.j2
+++ b/playbooks/roles/os_heat/templates/heat.conf.j2
@ -65,6 +65,7 @@ rabbit_userid = {{ heat_rabbitmq_userid }}
 rabbit_password = {{ heat_rabbitmq_password }}
 rabbit_virtual_host = {{ heat_rabbitmq_vhost }}
 rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}


 [profiler]
--- a/playbooks/roles/os_keystone/templates/keystone.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone.conf.j2
@ -139,6 +139,7 @@ rabbit_userid = {{ keystone_rabbitmq_userid }}
 rabbit_password = {{ keystone_rabbitmq_password }}
 rabbit_virtual_host = {{ keystone_rabbitmq_vhost }}
 rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}

 {% if keystone_sp is defined %}
 [federation]
--- a/playbooks/roles/os_neutron/templates/neutron.conf.j2
+++ b/playbooks/roles/os_neutron/templates/neutron.conf.j2
@ -173,6 +173,7 @@ rabbit_userid = {{ neutron_rabbitmq_userid }}
 rabbit_password = {{ neutron_rabbitmq_password }}
 rabbit_virtual_host = {{ neutron_rabbitmq_vhost }}
 rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}

 # Concurrency (locking mechanisms)
 [oslo_concurrency]
--- a/playbooks/roles/os_nova/templates/nova.conf.j2
+++ b/playbooks/roles/os_nova/templates/nova.conf.j2
@ -220,6 +220,7 @@ rabbit_userid = {{ nova_rabbitmq_userid }}
 rabbit_password = {{ nova_rabbitmq_password }}
 rabbit_virtual_host = {{ nova_rabbitmq_vhost }}
 rabbit_hosts = {{ rabbitmq_servers }}
+rabbit_use_ssl = {{ rabbitmq_use_ssl }}


 [libvirt]