From d5b74c688febfafb69ddc3881d9936e0268daa4c Mon Sep 17 00:00:00 2001
From: Abhishek Chanda
Date: Fri, 12 Dec 2014 02:15:55 +0530
Subject: [PATCH] Take an optional rabbit user name as input

Newer versions of rabbitmq (3.3 and later) do not allow the 'guest' user to access on non-local interfaces.
- Added a new config RABBIT_USERID which defaults to stackrabbit
- Invoked config scripts using that variable
Adopted from: https://review.openstack.org/#/c/107779/
Change-Id: I43a231c9611b4cc2e390b603aa3bfb49c915bdc5
Closes-Bug: #1343354
Co-Authored-By: Scott Moser
---
 lib/keystone | 1 +
 lib/nova | 4 ++--
 lib/rpc_backend | 26 +++++++++++++++++++++++---
 lib/trove | 4 ++++
 stack.sh | 1 +
 5 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/lib/keystone b/lib/keystone
index a218732aaf..9c0b01378c 100644
--- a/lib/keystone
+++ b/lib/keystone
@@ -214,6 +214,7 @@ function configure_keystone {
 # Configure rabbitmq credentials
 if is_service_enabled rabbit; then
+ iniset $KEYSTONE_CONF DEFAULT rabbit_userid $RABBIT_USERID
 iniset $KEYSTONE_CONF DEFAULT rabbit_password $RABBIT_PASSWORD
 iniset $KEYSTONE_CONF DEFAULT rabbit_host $RABBIT_HOST
 fi
diff --git a/lib/nova b/lib/nova
index 4c86d79130..cbfbdfa69f 100644
--- a/lib/nova
+++ b/lib/nova
@@ -587,8 +587,8 @@ function init_nova_cells {
 fi
 $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF db sync
- $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1
- $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=guest --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1
+ $NOVA_BIN_DIR/nova-manage --config-file $NOVA_CELLS_CONF cell create --name=region --cell_type=parent --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=/ --woffset=0 --wscale=1
+ $NOVA_BIN_DIR/nova-manage cell create --name=child --cell_type=child --username=$RABBIT_USERID --hostname=$RABBIT_HOST --port=5672 --password=$RABBIT_PASSWORD --virtual_host=child_cell --woffset=0 --wscale=1
 fi
 }
diff --git a/lib/rpc_backend b/lib/rpc_backend
index 4c1efa66cb..6afec370e8 100644
--- a/lib/rpc_backend
+++ b/lib/rpc_backend
@@ -7,7 +7,7 @@
 # Dependencies:
 #
 # - ``functions`` file
-# - ``RABBIT_{HOST|PASSWORD}`` must be defined when RabbitMQ is used
+# - ``RABBIT_{HOST|PASSWORD|USERID}`` must be defined when RabbitMQ is used
 # - ``RPC_MESSAGING_PROTOCOL`` option for configuring the messaging protocol
 # ``stack.sh`` calls the entry points in this order:
@@ -68,6 +68,9 @@ function check_rpc_backend {
 function cleanup_rpc_backend {
 if is_service_enabled rabbit; then
 # Obliterate rabbitmq-server
+ if [ -n "$RABBIT_USERID" ]; then
+ sudo rabbitmqctl delete_user "$RABBIT_USERID"
+ fi
 uninstall_package rabbitmq-server
 sudo killall epmd || sudo killall -9 epmd
 if is_ubuntu; then
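Review bot: In the cleanup_rpc_backend hunk, `sudo rabbitmqctl delete_user "$RABBIT_USERID"` is run unconditionally inside the rabbit branch, but it fails whenever the broker is already stopped or the user was never created, and if the calling unstack path runs with errexit (I can't see that from the hunk) that failure would abort before `uninstall_package rabbitmq-server` and the epmd kill. Removing the account is the right hygiene step; it just should not be able to short-circuit the rest of the teardown, e.g. `sudo rabbitmqctl delete_user "$RABBIT_USERID" || true` with a comment such as `# best effort: broker may already be gone`. The body of cleanup_rpc_backend continues past the end of this hunk.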
@@ -180,15 +183,16 @@ function restart_rpc_backend {
 # service is not started by default
 restart_service rabbitmq-server
 fi
+ rabbit_setuser "$RABBIT_USERID" "$RABBIT_PASSWORD"
 # change the rabbit password since the default is "guest"
- sudo rabbitmqctl change_password guest $RABBIT_PASSWORD && break
+ sudo rabbitmqctl change_password $RABBIT_USERID $RABBIT_PASSWORD && break
 [[ $i -eq "10" ]] && die $LINENO "Failed to set rabbitmq password"
 done
 if is_service_enabled n-cell; then
 # Add partitioned access for the child cell
 if [ -z `sudo rabbitmqctl list_vhosts | grep child_cell` ]; then
 sudo rabbitmqctl add_vhost child_cell
- sudo rabbitmqctl set_permissions -p child_cell guest ".*" ".*" ".*"
+ sudo rabbitmqctl set_permissions -p child_cell $RABBIT_USERID ".*" ".*" ".*"
 fi
 fi
 elif is_service_enabled qpid; then
@@ -225,6 +229,7 @@ function iniset_rpc_backend {
 iniset $file $section rpc_backend ${package}.openstack.common.rpc.impl_kombu
 iniset $file $section rabbit_hosts $RABBIT_HOST
 iniset $file $section rabbit_password $RABBIT_PASSWORD
+ iniset $file $section rabbit_userid $RABBIT_USERID
 fi
 }
@@ -239,6 +244,21 @@ function qpid_is_supported {
 ( ! is_suse )
 }
+function rabbit_setuser {
+ local user="$1" pass="$2" found="" out=""
+ out=$(sudo rabbitmqctl list_users) ||
+ { echo "failed to list users" 1>&2; return 1; }
+ found=$(echo "$out" | awk '$1 == user { print $1 }' "user=$user")
+ if [ "$found" = "$user" ]; then
+ sudo rabbitmqctl change_password "$user" "$pass" ||
+ { echo "failed changing pass for '$user'" 1>&2; return 1; }
+ else
+ sudo rabbitmqctl add_user "$user" "$pass" ||
+ { echo "failed changing pass for $user"; return 1; }
+ fi
+ sudo rabbitmqctl set_permissions "$user" ".*" ".*" ".*"
+ }
 # Set up the various configuration files used by the qpidd broker
 function _configure_qpid {
diff --git a/lib/trove b/lib/trove
index 6cc5fa8f53..4149b0d592 100644
--- a/lib/trove
+++ b/lib/trove
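Review bot: With the removed `change_password guest $RABBIT_PASSWORD` line gone from restart_rpc_backend, the broker's built-in `guest` account now keeps its default password: the commit message says 3.3+ confines guest to local interfaces, but on older brokers it stays remotely usable and on newer ones it remains a known local credential. Either keep resetting it or remove it once the new account exists, e.g. `sudo rabbitmqctl delete_user guest || true` after the rabbit_setuser call, with a comment explaining why. The new `rabbit_setuser` call followed by `sudo rabbitmqctl change_password $RABBIT_USERID $RABBIT_PASSWORD && break` is redundant since rabbit_setuser already sets that password, and rabbit_setuser's own failure status is discarded so the retry loop only reacts to the second call; the comment `since the default is "guest"` is also stale now. Both new rabbitmqctl lines leave `$RABBIT_USERID` unquoted, unlike the rabbit_setuser call directly above them. The enclosing retry loop opens before this hunk.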
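Review bot: In the new `rabbit_setuser` function the add_user failure branch reports `failed changing pass for $user`, which names the wrong operation and, unlike the other two error paths, goes to stdout rather than stderr; suggest `{ echo "failed adding user '$user'" 1>&2; return 1; }`. The function has no header comment; one along the lines of `# Create user $1 with password $2, or reset the password if the user exists, then grant full permissions on the default vhost` would match the file's style. Note that `"user=$user"` is passed to awk as a command-line assignment, so awk applies escape-sequence processing to the value before the `$1 == user` comparison; harmless for the default name, but worth knowing since RABBIT_USERID is operator-supplied.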
@@ -134,6 +134,7 @@ function configure_trove {
 rm -f $TROVE_CONF_DIR/trove-taskmanager.conf
 rm -f $TROVE_CONF_DIR/trove-conductor.conf
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID
 iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_password $RABBIT_PASSWORD
 iniset $TROVE_CONF_DIR/trove.conf DEFAULT sql_connection `database_connection_url trove`
 iniset $TROVE_CONF_DIR/trove.conf DEFAULT default_datastore $TROVE_DATASTORE_TYPE
@@ -145,6 +146,7 @@ function configure_trove {
 if is_service_enabled tr-tmgr; then
 TROVE_AUTH_ENDPOINT=$KEYSTONE_AUTH_URI/v$IDENTITY_API_VERSION
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID
 iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_password $RABBIT_PASSWORD
 iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT sql_connection `database_connection_url trove`
 iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT taskmanager_manager trove.taskmanager.manager.Manager
@@ -157,6 +159,7 @@ function configure_trove {
 # (Re)create trove conductor conf file if needed
 if is_service_enabled tr-cond; then
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID
 iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT rabbit_password $RABBIT_PASSWORD
 iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT sql_connection `database_connection_url trove`
 iniset $TROVE_CONF_DIR/trove-conductor.conf DEFAULT nova_proxy_admin_user radmin
@@ -168,6 +171,7 @@ function configure_trove {
 fi
 # Set up Guest Agent conf
+ iniset $TROVE_CONF_DIR/trove.conf DEFAULT rabbit_userid $RABBIT_USERID
 iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT rabbit_host $TROVE_HOST_GATEWAY
 iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT rabbit_password $RABBIT_PASSWORD
 iniset $TROVE_CONF_DIR/trove-guestagent.conf DEFAULT nova_proxy_admin_user radmin
diff --git a/stack.sh b/stack.sh
index 375be2846d..d97139aaa7 100755
--- a/stack.sh
+++ b/stack.sh
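Review bot: The `rabbit_userid` lines added in the tr-tmgr, tr-cond and Guest Agent hunks all write to `trove.conf`, while every neighbouring line in those hunks configures trove-taskmanager.conf, trove-conductor.conf and trove-guestagent.conf respectively; those three files therefore receive `rabbit_password` for the new account but no `rabbit_userid`, so the services will presumably try the messaging library's default user with the wrong password. Each line should target its own file, e.g. `iniset $TROVE_CONF_DIR/trove-taskmanager.conf DEFAULT rabbit_userid $RABBIT_USERID`, and likewise for the conductor and guestagent files; only the first hunk, which genuinely edits trove.conf, is correct as written. The same trove.conf key is thus set four times in configure_trove, which also hides the mistake from a quick read of the resulting file.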
@@ -643,6 +643,7 @@ initialize_database_backends && echo "Using $DATABASE_TYPE database backend" ||
 # Rabbit connection info
 if is_service_enabled rabbit; then
+ RABBIT_USERID=${RABBIT_USERID:-stackrabbit}
 RABBIT_HOST=${RABBIT_HOST:-$SERVICE_HOST}
 read_password RABBIT_PASSWORD "ENTER A PASSWORD TO USE FOR RABBIT."
 fi
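Review bot: `RABBIT_USERID` is consumed unquoted by several of the new lines in this series (the iniset calls in lib/keystone and lib/rpc_backend, the nova-manage and rabbitmqctl invocations), so a value from localrc containing whitespace or shell metacharacters would be word-split or globbed before it reaches the broker or the config files. Since this is the single place the value is established, a sanity check right after the default would contain that: `[[ $RABBIT_USERID =~ ^[A-Za-z0-9_.-]+$ ]] || die $LINENO "RABBIT_USERID contains unsupported characters"`. Defaulting it only inside the rabbit branch matches `RABBIT_HOST`, and cleanup_rpc_backend already guards on `-n`, so the unset case is covered.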