
Refs #26571 - Support ACL file & router auth #120

Merged
merged 1 commit into from Apr 11, 2019

Conversation

jturel
Contributor

@jturel jturel commented Apr 9, 2019

Consider testing in conjunction with:

theforeman/puppet-katello#283
theforeman/puppet-foreman_proxy_content#197

To test (assumes forklifted dev env):

  • follow forklift docs (https://github.com/theforeman/forklift/blob/master/docs/development.md#test-puppet-module-pull-requests) to test the linked PRs
  • 'vagrant provision centos7-katello-devel'
  • verify that /etc/qpid/qpid.acl is populated according to the PR
  • verify that the /etc/qpid-dispatch/qdrouter.conf "connector" has sasl-mechanism PLAIN, sasl-username katello_agent and a sasl-password that resembles a password
  • verify that services qpidd and qdrouterd are running properly
  • register a client, verify that package actions can be performed as usual via katello-agent

Scripts should not be able to perform the actions in the ACL file. Here's an example that attempts to list queues:

```python
# Negative test for the new qpid ACL: a client that holds only the registered
# consumer's certificate asks the broker (through the router) for the list of
# queues via QMF. With the ACL in place the broker should refuse the request.
from proton import Message, SSLDomain, SSLException
from proton.reactor import DynamicNodeProperties
from proton.utils import BlockingConnection
from uuid import uuid4
from gofer.config import Config

try:                 # script was written for Python 2 ...
    unicode
except NameError:    # ... keep the unicode() call working on Python 3
    unicode = str

QMF_SUBJECT = 'broker'
RHSM_CONFIG_PATH = '/etc/rhsm/rhsm.conf'

# TLS client identity: the consumer certificate bundle, with the Katello
# server CA as the only trusted issuer for the router's certificate
domain = SSLDomain(SSLDomain.MODE_CLIENT)
domain.set_trusted_ca_db('/etc/rhsm/ca/katello-server-ca.pem')
domain.set_credentials('/etc/pki/consumer/bundle.pem', '/etc/pki/consumer/bundle.pem', None)
domain.set_peer_authentication(SSLDomain.VERIFY_PEER)

# the router listens on the Katello server (hostname from rhsm.conf), port 5647
rhsm_conf = Config(RHSM_CONFIG_PATH)
ROUTER_ADDRESS = 'proton+amqps://%s:5647' % rhsm_conf['server']['hostname']

def qmf_properties(opcode):
    # QMF v2 message properties; the opcode selects the operation
    return {
        'qmf.opcode': opcode,
        'x-amqp-0-10.app-id': 'qmf2'
    }

def qmf_query_body():
    # ask for every object of class "queue"
    return {
        '_what': 'OBJECT',
        '_schema_id': { '_class_name': 'queue' }
    }


qmf_conn = BlockingConnection(ROUTER_ADDRESS, ssl_domain=domain, heartbeat=10)
# dynamic reply address, routed by qdrouterd to the broker's qmf.default.direct
qmf_rec = qmf_conn.create_receiver(None, name=str(uuid4()), dynamic=True, options=DynamicNodeProperties({'x-opt-qd.address': unicode("qmf.default.direct")}))
qmf_snd = qmf_conn.create_sender("qmf.default.direct", name=str(uuid4()))


# query for list all queues
request = Message(
    body=qmf_query_body(),
    reply_to=qmf_rec.remote_source.address,
    properties=qmf_properties('_query_request'),
    correlation_id=str(uuid4()),
    subject=QMF_SUBJECT
)
qmf_snd.send(request)
reply = qmf_rec.receive()   # with the ACL applied this should fail with amqp:unauthorized-access
print(reply)
qmf_conn.close()
```
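One way to script the qdrouter.conf check from the test steps (added example, not code from the PR or the linked puppet modules): the config text is a constructed sample with a placeholder host and password, the keys follow the hyphenated spelling used in the steps while the newer camelCase spelling is also accepted, and the 16-character minimum standing in for "resembles a password" is an assumed heuristic.

```python
import re

# Constructed sample of a qdrouterd connector block shaped like the settings the
# test steps ask to verify; host and password are placeholders, not real values.
SAMPLE_QDROUTER_CONF = """
connector {
    name: broker
    host: localhost
    port: 5671
    role: route-container
    sasl-mechanisms: PLAIN
    sasl-username: katello_agent
    sasl-password: Xk9qP2vL7mN4rT8wPLACEHOLDER
}
"""

BLOCK_RE = re.compile(r'(\w+)\s*\{([^}]*)\}', re.S)

def parse_blocks(text):
    """Yield (section_name, attrs) for each top-level block. Keys are normalised
    (lower-case, hyphens removed) so 'sasl-username' and 'saslUsername' match."""
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split('#', 1)[0].strip()   # drop comments and blanks
            if ':' in line:
                key, value = line.split(':', 1)
                attrs[key.strip().lower().replace('-', '')] = value.strip()
        yield name, attrs

def check_connector_auth(text, user='katello_agent', min_pw_len=16):
    """Return a list of findings; an empty list means every connector block
    authenticates to the broker the way the test steps expect."""
    findings = []
    connectors = [a for n, a in parse_blocks(text) if n == 'connector']
    if not connectors:
        return ['no connector block found']
    for attrs in connectors:
        mech = attrs.get('saslmechanisms', attrs.get('saslmechanism', ''))
        if mech != 'PLAIN':
            findings.append('sasl mechanism is %r, expected PLAIN' % mech)
        if attrs.get('saslusername') != user:
            findings.append('sasl username is %r, expected %r' % (attrs.get('saslusername'), user))
        if len(attrs.get('saslpassword', '')) < min_pw_len:   # assumed heuristic
            findings.append('sasl password missing or shorter than %d characters' % min_pw_len)
    return findings
```

Run it as `check_connector_auth(open('/etc/qpid-dispatch/qdrouter.conf').read())` on the provisioned box; an empty list is a pass.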


@jturel
Contributor Author

jturel commented Apr 9, 2019

@ekohl this set of PRs should look familiar. would you mind reviewing?

@parthaa

parthaa commented Apr 11, 2019

I tested this in my katello nightly release and it worked well. ACK
Got a nice Closed due to: Condition('amqp:unauthorized-access', 'katello_agent@QPID cannot publish to queue error message

@ekohl ekohl merged commit 6946aa8 into theforeman:master Apr 11, 2019
@jturel jturel deleted the connector_auth_acl branch April 11, 2019 19:09