Prevent incorrect credentials

Currently 3 sets of credentials are generated for MQ, per service: - rabbitmq_password - oslomsg_rpc_password - oslomsg_notify_password In each service, we should use x_oslomsg_rpc_password and x_oslomsg_notify_password, and not rabbitmq. However there is no wiring as of today. This could lead to a username like nova, on a vhost nova, with 3 different passwords. Only one would work. This patch ensures the wiring is done by default, for all the roles to be able to use x_oslomsg_notify_password and x_oslomsg_rpc_password. This is done by always referencing, in the notify part, the credentials to the rpc part. The RPC part is then a reference to the rabbitmq_password, so it's easy to upgrade from queens to Rocky without changes. If a deployer wants to override the credentials, he can do so by uncommenting the appropriate line in the user_secrets. This would then override the existing group_vars and wire the secrets appropriately. A new user should be used in that case, as written in the comments. Change-Id: I834bdc5a33f6b3c49452a9948c889caa79659f3c
openstack · Jul 16, 2018 · f2a3c8e · f2a3c8e
1 parent 491a100
commit f2a3c8e
Show file tree

Hide file tree

Showing 2 changed files with 170 additions and 67 deletions.
diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml
@@ -19,8 +19,6 @@
 # and may break your OpenStack environment.
 ############################# WARNING ########################################
 
-# TODO(ansmith): remove rabbitmq_passwords once oslomsg_*_passwords are used
-
 ## Rabbitmq Options
 rabbitmq_cookie_token:
 rabbitmq_monitoring_password:
@@ -36,31 +34,47 @@ keystone_container_mysql_password:
 keystone_auth_admin_password:
 keystone_service_password:
 keystone_rabbitmq_password:
-keystone_oslomsg_rpc_password:
-keystone_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#keystone_oslomsg_rpc_password:
+#keystone_oslomsg_notify_password:
 
 ## Ceilometer Options:
 ceilometer_container_db_password:
 ceilometer_service_password:
 ceilometer_telemetry_secret:
 ceilometer_rabbitmq_password:
-ceilometer_oslomsg_rpc_password:
-ceilometer_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#ceilometer_oslomsg_rpc_password:
+#ceilometer_oslomsg_notify_password:
 
 ## Aodh Options:
 aodh_container_db_password:
 aodh_service_password:
 aodh_rabbitmq_password:
-aodh_oslomsg_rpc_password:
-aodh_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#aodh_oslomsg_rpc_password:
+#aodh_oslomsg_notify_password:
 
 ## Cinder Options
 cinder_container_mysql_password:
 cinder_service_password:
 cinder_profiler_hmac_key:
 cinder_rabbitmq_password:
-cinder_oslomsg_rpc_password:
-cinder_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#cinder_oslomsg_rpc_password:
+#cinder_oslomsg_notify_password:
 
 ## Ceph/rbd: a UUID to be used by libvirt to refer to the client.cinder user
 cinder_ceph_client_uuid:
@@ -69,8 +83,13 @@ cinder_ceph_client_uuid:
 glance_container_mysql_password:
 glance_service_password:
 glance_profiler_hmac_key:
-glance_oslomsg_rpc_password:
-glance_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#glance_oslomsg_rpc_password:
+#glance_oslomsg_notify_password:
+glance_rabbitmq_password:
 
 ## Gnocchi Options:
 gnocchi_container_mysql_password:
@@ -84,12 +103,20 @@ heat_auth_encryption_key:
 ### THE HEAT AUTH KEY NEEDS TO BE 32 CHARACTERS LONG ##
 heat_service_password:
 heat_rabbitmq_password:
-heat_oslomsg_rpc_password:
-heat_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#heat_oslomsg_rpc_password:
+#heat_oslomsg_notify_password:
 
 ## Ironic options
 ironic_rabbitmq_password:
-ironic_oslomsg_rpc_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#ironic_oslomsg_rpc_password:
 ironic_container_mysql_password:
 ironic_service_password:
 ironic_swift_temp_url_secret_key:
@@ -102,8 +129,12 @@ horizon_secret_key:
 neutron_container_mysql_password:
 neutron_service_password:
 neutron_rabbitmq_password:
-neutron_oslomsg_rpc_password:
-neutron_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#neutron_oslomsg_rpc_password:
+#neutron_oslomsg_notify_password:
 neutron_ha_vrrp_auth_password:
 
 ## Nova Options
@@ -112,8 +143,12 @@ nova_api_container_mysql_password:
 nova_metadata_proxy_secret:
 nova_service_password:
 nova_rabbitmq_password:
-nova_oslomsg_rpc_password:
-nova_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#nova_oslomsg_rpc_password:
+#nova_oslomsg_notify_password:
 nova_placement_service_password:
 
 # LXD Options for nova compute
@@ -124,15 +159,23 @@ octavia_container_mysql_password:
 octavia_service_password:
 octavia_health_hmac_key:
 octavia_rabbitmq_password:
-octavia_oslomsg_rpc_password:
-octavia_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#octavia_oslomsg_rpc_password:
+#octavia_oslomsg_notify_password:
 octavia_cert_client_password:
 
 ## Sahara Options
 sahara_container_mysql_password:
 sahara_rabbitmq_password:
-sahara_oslomsg_rpc_password:
-sahara_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#sahara_oslomsg_rpc_password:
+#sahara_oslomsg_notify_password:
 sahara_service_password:
 
 ## Swift Options:
@@ -143,8 +186,12 @@ swift_hash_path_suffix:
 swift_hash_path_prefix:
 # Swift needs a telemetry password when using ceilometer
 swift_rabbitmq_telemetry_password:
-swift_oslomsg_rpc_password:
-swift_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#swift_oslomsg_rpc_password:
+#swift_oslomsg_notify_password:
 
 ## haproxy stats password
 haproxy_stats_password:
@@ -154,8 +201,12 @@ haproxy_keepalived_authentication_password:
 magnum_service_password:
 magnum_galera_password:
 magnum_rabbitmq_password:
-magnum_oslomsg_rpc_password:
-magnum_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#magnum_oslomsg_rpc_password:
+#magnum_oslomsg_notify_password:
 magnum_trustee_password:
 
 ## Rally Options:
@@ -164,8 +215,12 @@ rally_galera_password:
 ## Trove Options
 trove_galera_password:
 trove_rabbitmq_password:
-trove_oslomsg_rpc_password:
-trove_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#trove_oslomsg_rpc_password:
+#trove_oslomsg_notify_password:
 trove_service_password:
 trove_admin_user_password:
 trove_taskmanager_rpc_encr_key:
@@ -174,24 +229,36 @@ trove_inst_rpc_key_encr_key:
 ## Barbican Options
 barbican_galera_password:
 barbican_rabbitmq_password:
-barbican_oslomsg_rpc_password:
-barbican_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#barbican_oslomsg_rpc_password:
+#barbican_oslomsg_notify_password:
 barbican_service_password:
 
 ## Designate Options
 designate_galera_password:
 designate_rabbitmq_password:
-designate_oslomsg_rpc_password:
-designate_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#designate_oslomsg_rpc_password:
+#designate_oslomsg_notify_password:
 designate_service_password:
 
 ## Molteniron Options:
 molteniron_container_mysql_password:
 
 ## Tacker options
 tacker_rabbitmq_password:
-tacker_oslomsg_rpc_password:
-tacker_oslomsg_notify_password:
+#NOTE: Please uncomment those
+# if you want to split rpc and notify users
+# Please also wire the appropriate userid in
+# your user variables.
+#tacker_oslomsg_rpc_password:
+#tacker_oslomsg_notify_password:
 tacker_service_password:
 tacker_container_mysql_password: