Fixes #31878: Turn on Qpid auth and set ACLs special CN from qpid rou…

…ter cert
theforeman · Feb 16, 2021 · a54b52b · a54b52b
1 parent 40ababa
commit a54b52b
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 18 deletions.
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -27,7 +27,7 @@
 class katello::params (
   String[1] $agent_event_queue_name = 'katello.agent',
   Stdlib::Host $qpid_hostname = 'localhost',
-  String[1] $qpid_url = "amqp:ssl:${qpid_hostname}:5671",
+  String[1] $qpid_url = "amqps://${qpid_hostname}:5671",
   String[1] $candlepin_oauth_key = $katello::globals::candlepin_oauth_key,
   String[1] $candlepin_oauth_secret = $katello::globals::candlepin_oauth_secret,
   Stdlib::Host $candlepin_host = 'localhost',

diff --git a/manifests/qpid.pp b/manifests/qpid.pp
@@ -21,9 +21,10 @@
     ssl_cert_db            => $certs::qpid::nss_db_dir,
     ssl_cert_password_file => $certs::qpid::nss_db_password_file,
     ssl_cert_name          => $certs::qpid::nss_cert_name,
-    acl_content            => template('katello/qpid_acls.acl'),
+    acl_content            => template('katello/qpid_acls.acl.erb'),
     interface              => $interface,
     wcache_page_size       => $wcache_page_size,
+    auth                   => true,
     subscribe              => Class['certs', 'certs::qpid'],
   }
 

diff --git a/spec/classes/application_spec.rb b/spec/classes/application_spec.rb
@@ -82,7 +82,7 @@ class { 'katello::params':
               '    :ssl_key_file: /etc/pki/katello/private/java-client.key',
               '    :ssl_ca_file: /etc/pki/katello/certs/katello-default-ca.crt',
               '  :agent:',
-              '    :broker_url: amqp:ssl:localhost:5671',
+              '    :broker_url: amqps://localhost:5671',
               '    :event_queue_name: katello.agent',
               '  :katello_applicability: true',
             ]
@@ -107,7 +107,7 @@ class { 'katello::params':
               '    :ssl_key_file: /etc/pki/katello/private/java-client.key',
               '    :ssl_ca_file: /etc/pki/katello/certs/katello-default-ca.crt',
               '  :agent:',
-              '    :broker_url: amqp:ssl:localhost:5671',
+              '    :broker_url: amqps://localhost:5671',
               '    :event_queue_name: katello.agent',
               '  :katello_applicability: true',
             ]
@@ -162,7 +162,7 @@ class { 'katello::params':
               '    :ssl_key_file: /etc/pki/katello/private/java-client.key',
               '    :ssl_ca_file: /etc/pki/katello/certs/katello-default-ca.crt',
               '  :agent:',
-              '    :broker_url: amqp:ssl:localhost:5671',
+              '    :broker_url: amqps://localhost:5671',
               '    :event_queue_name: katello.agent',
               '  :katello_applicability: true',
             ]
@@ -187,7 +187,7 @@ class { 'katello::params':
               '    :ssl_key_file: /etc/pki/katello/private/java-client.key',
               '    :ssl_ca_file: /etc/pki/katello/certs/katello-default-ca.crt',
               '  :agent:',
-              '    :broker_url: amqp:ssl:localhost:5671',
+              '    :broker_url: amqps://localhost:5671',
               '    :event_queue_name: katello.agent',
               '  :katello_applicability: true',
             ]
@@ -233,7 +233,7 @@ class {'katello::globals':
               '    :ssl_key_file: /etc/pki/katello/private/java-client.key',
               '    :ssl_ca_file: /etc/pki/katello/certs/katello-default-ca.crt',
               '  :agent:',
-              '    :broker_url: amqp:ssl:localhost:5671',
+              '    :broker_url: amqps://localhost:5671',
               '    :event_queue_name: katello.agent',
               '  :katello_applicability: true',
             ]
@@ -258,7 +258,7 @@ class {'katello::globals':
               '    :ssl_key_file: /etc/pki/katello/private/java-client.key',
               '    :ssl_ca_file: /etc/pki/katello/certs/katello-default-ca.crt',
               '  :agent:',
-              '    :broker_url: amqp:ssl:localhost:5671',
+              '    :broker_url: amqps://localhost:5671',
               '    :event_queue_name: katello.agent',
               '  :katello_applicability: true',
             ]

diff --git a/templates/qpid_acls.acl b/templates/qpid_acls.acl
@@ -1,14 +1,14 @@
-# allow the actions needed by katello_agent
-acl allow katello_agent@QPID create queue
-acl allow katello_agent@QPID consume queue
-acl allow katello_agent@QPID access exchange
-acl allow katello_agent@QPID access queue
-acl allow katello_agent@QPID publish exchange routingkey=<%= @agent_event_queue_name %>
-acl allow katello_agent@QPID publish exchange name=qmf.default.direct
-acl allow katello_agent@QPID access method name=create
+# allow the actions needed by qpid_router_katello_agent
+acl allow qpid_router_katello_agent@QPID create queue
+acl allow qpid_router_katello_agent@QPID consume queue
+acl allow qpid_router_katello_agent@QPID access exchange
+acl allow qpid_router_katello_agent@QPID access queue
+acl allow qpid_router_katello_agent@QPID publish exchange routingkey=<%= @agent_event_queue_name %>
+acl allow qpid_router_katello_agent@QPID publish exchange name=qmf.default.direct
+acl allow qpid_router_katello_agent@QPID access method name=create
 
-acl deny-log katello_agent@QPID access method name=*
-acl deny-log katello_agent@QPID all all
+acl deny-log qpid_router_katello_agent@QPID access method name=*
+acl deny-log qpid_router_katello_agent@QPID all all
 
 # allow anything else
 acl allow all all