Support for configuring the rabbitmq_management web UI

When rabbitmq::admin_enable => true, then also configure RabbitMQ to enable
the rabbitmq_management web UI, running on rabbitmq::management_port.
Or, if ssl => true, then configure it as an SSL listener on
rabbitmq::ssl_management_port.

Also added a ssl_port parameter which defines the SSL port for RabbitMQ
service itself.  Previously, the rabbitmq::ssl_management_port parameter
was used for the RabbitMQ service SSL bind port.  So this potentially
breaks people who are currently using this module to configure RabbitMQ
for SSL on a non-standard port.  (They need to use the ssl_port parameter
now, instead of ssl_management_port.)  Not exactly sure the best way
to approach a solution to that.
Mike Dorman committed Aug 8, 2014
1 parent e4c4d08 commit 7f5a21f16b254ab3906b22b58db9e0db3f0bcb6a
Showing with 106 additions and 4 deletions.
  1. +3 −0 manifests/config.pp
  2. +2 −1 manifests/init.pp
  3. +2 −1 manifests/params.pp
  4. +83 −1 spec/classes/rabbitmq_spec.rb
  5. +16 −1 templates/rabbitmq.config.erb
@@ -1,5 +1,6 @@
class rabbitmq::config {

$admin_enable = $rabbitmq::admin_enable
$cluster_disk_nodes = $rabbitmq::cluster_disk_nodes
$cluster_node_type = $rabbitmq::cluster_node_type
$cluster_nodes = $rabbitmq::cluster_nodes
@@ -12,6 +13,7 @@
$env_config = $rabbitmq::env_config
$env_config_path = $rabbitmq::env_config_path
$erlang_cookie = $rabbitmq::erlang_cookie
$management_port = $rabbitmq::management_port
$node_ip_address = $rabbitmq::node_ip_address
$plugin_dir = $rabbitmq::plugin_dir
$port = $rabbitmq::port
@@ -21,6 +23,7 @@
$ssl_cacert = $rabbitmq::ssl_cacert
$ssl_cert = $rabbitmq::ssl_cert
$ssl_key = $rabbitmq::ssl_key
$ssl_port = $rabbitmq::ssl_port
$ssl_management_port = $rabbitmq::ssl_management_port
$ssl_stomp_port = $rabbitmq::ssl_stomp_port
$ssl_verify = $rabbitmq::ssl_verify
@@ -33,6 +33,7 @@
$ssl_cacert = $rabbitmq::params::ssl_cacert,
$ssl_cert = $rabbitmq::params::ssl_cert,
$ssl_key = $rabbitmq::params::ssl_key,
$ssl_port = $rabbitmq::params::ssl_port,
$ssl_management_port = $rabbitmq::params::ssl_management_port,
$ssl_stomp_port = $rabbitmq::params::ssl_stomp_port,
$ssl_verify = $rabbitmq::params::ssl_verify,
@@ -91,7 +92,7 @@
validate_string($ssl_cacert)
validate_string($ssl_cert)
validate_string($ssl_key)
validate_string($ssl_management_port)
validate_re($ssl_port, '\d+')
validate_re($ssl_management_port, '\d+')
validate_string($ssl_stomp_port)
validate_re($ssl_stomp_port, '\d+')
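Review bot: validate_re($ssl_port, '\d+') and the validate_re calls for $ssl_management_port and $ssl_stomp_port use an unanchored pattern, so any string that merely contains a digit passes validation. These values are written unquoted into the Erlang terms of rabbitmq.config.erb (for example {ssl_listeners, [<%= @ssl_port %>]}), so a malformed value ends up in the broker configuration instead of failing the catalog. Anchor the pattern for all three ports, e.g. validate_re($ssl_port, '^\d+$').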
@@ -77,7 +77,8 @@
$ssl_cacert = 'UNSET'
$ssl_cert = 'UNSET'
$ssl_key = 'UNSET'
$ssl_management_port = '5671'
$ssl_port = '5671'
$ssl_management_port = '15671'
$ssl_stomp_port = '6164'
$ssl_verify = 'verify_none'
$ssl_fail_if_no_peer_cert = 'false'
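Review bot: $ssl_management_port keeps its name but changes meaning and default in this hunk ('5671' becomes '15671'), while the broker's SSL listener moves to the new $ssl_port. A node that set ssl_management_port to relocate the broker's SSL listener will get the broker back on 5671 after upgrading, with no error or warning. Document the change in the README and changelog, and consider emitting a warning when ssl_management_port is set to a non-default value while admin_enable is false.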
@@ -325,7 +325,7 @@
describe 'ssl options' do
let(:params) {
{ :ssl => true,
:ssl_management_port => 3141,
:ssl_port => 3141,
:ssl_cacert => '/path/to/cacert',
:ssl_cert => '/path/to/cert',
:ssl_key => '/path/to/key'
@@ -362,6 +362,88 @@
end
end

describe 'ssl admin options' do
let(:params) {
{ :ssl => true,
:ssl_management_port => 3141,
:ssl_cacert => '/path/to/cacert',
:ssl_cert => '/path/to/cert',
:ssl_key => '/path/to/key',
:admin_enable => true
} }

it 'should set rabbitmq_management ssl options to specified values' do
contain_file('rabbitmq.config').with({
'content' => %r|\{rabbitmq_management, \[.*
\{listener, \[.*
\{port, 3141\},.*
\{ssl, true\},.*
\{ssl_opts, \[\{cacertfile, "/path/to/cacert"\},.*
\{certfile, "/path/to/cert"\},.*
\{keyfile, "/path/to/key"\}\]\}.*
\]\}|,
})
end
end

describe 'admin without ssl' do
let(:params) {
{ :ssl => false,
:management_port => 3141,
:admin_enable => true
} }

it 'should set rabbitmq_management options to specified values' do
contain_file('rabbitmq.config').with({
'content' => /\{rabbitmq_management, \[.*
\{listener, \[.*
\{port, 3141\},.*
\]\}/,
})
end
end

describe 'ssl admin options' do
let(:params) {
{ :ssl => true,
:ssl_management_port => 3141,
:ssl_cacert => '/path/to/cacert',
:ssl_cert => '/path/to/cert',
:ssl_key => '/path/to/key',
:admin_enable => true
} }

it 'should set rabbitmq_management ssl options to specified values' do
contain_file('rabbitmq.config').with({
'content' => %r|\{rabbitmq_management, \[.*
\{listener, \[.*
\{port, 3141\},.*
\{ssl, true\},.*
\{ssl_opts, \[\{cacertfile, "/path/to/cacert"\},.*
\{certfile, "/path/to/cert"\},.*
\{keyfile, "/path/to/key"\}\]\}.*
\]\}|,
})
end
end

describe 'admin without ssl' do
let(:params) {
{ :ssl => false,
:management_port => 3141,
:admin_enable => true
} }

it 'should set rabbitmq_management options to specified values' do
contain_file('rabbitmq.config').with({
'content' => /\{rabbitmq_management, \[.*
\{listener, \[.*
\{port, 3141\},.*
\]\}/,
})
end
end

describe 'config_variables options' do
let(:params) {{ :config_variables => {
'hipe_compile' => true,
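Review bot: in the new 'ssl admin options' and 'admin without ssl' examples the it body only builds the matcher, contain_file('rabbitmq.config').with({...}), and never applies it with should (or expect), so as written these examples pass whatever the template renders. Prefix each with should so the content regex is actually checked. Both describe blocks are also added twice with identical bodies; drop the second copy of each.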
@@ -13,7 +13,7 @@
{tcp_listeners, []},
<%- end -%>
<%- if @ssl -%>
{ssl_listeners, [<%= @ssl_management_port %>]},
{ssl_listeners, [<%= @ssl_port %>]},
{ssl_options, [{cacertfile,"<%= @ssl_cacert %>"},
{certfile,"<%= @ssl_cert %>"},
{keyfile,"<%= @ssl_key %>"},
@@ -32,6 +32,21 @@
<%= @config_kernel_variables.sort.map{|k,v| "{#{k}, #{v}}"}.join(",\n ") %>
]}
<%- end -%>
<%- if @admin_enable -%>,
{rabbitmq_management, [
{listener, [
<%- if @ssl -%>

davewongillies Nov 9, 2014

Contributor

When this is set, anything in the module that uses rabbitmqadmin fails with *** Could not connect: [Errno 101] Network is unreachable since you haven't provided a way for rabbitmqadmin to be told that it needs to connect using ssl or an alternate port.

Example error:
Error: Execution of '/usr/local/bin/rabbitmqadmin declare exchange --vhost=/my_vhost--user=admin --password=my_pass name=my_exchange type=direct' returned 1: *** Could not connect: [Errno 101] Network is unreachable

Full command to make it run successfully:

# rabbitmqadmin -s -P 15671 declare exchange --vhost=/my_vhost --user=admin --password=my_pass name=my_exchange type=direct
exchange declared

davewongillies Nov 10, 2014

Contributor

A couple of solutions to the problem:

  • configure an additional non-SSL listener that just listens on 127.0.0.1:15671
  • pass the port & whether it's SSL into the provider
  • create a rabbitmqadmin.conf in say /etc/rabbitmq and have it with the required connection options, e.g.:
[default]
ssl = True
port = 15671

then have the provider always exec rabbitmqadmin -c /etc/rabbitmq/rabbitmqadmin.conf

misterdorm Dec 8, 2014

Contributor

I have actually been working on implementing the first solution there (adding another rabbitmq_management listener.) But I can't for the life of me get it to work. No matter how I configure it with rabbitmq_management or rabbitmq_mochiweb, I only end up with the management service listening on a single port. I'll keep at it, but it may ultimately have to be one of the other solutions.

davewongillies Dec 9, 2014

Contributor

@misterdorm I tried the first one too and wasn't able to get it to work either. I'm fairly certain that it's not possible and any hint in the docs that it might work is just a grammatical error.

misterdorm Dec 9, 2014

Contributor

I suspect that, too. I'll see if I can come up with a good alternative solution. I'm thinking that for my specific setup, it might be cleaner to just run rabbitmq_management on localhost only, as cleartext, and do the SSL termination with HA Proxy for external requests.

{port, <%= @ssl_management_port %>},
{ssl, true},
{ssl_opts, [{cacertfile, "<%= @ssl_cacert %>"},
{certfile, "<%= @ssl_cert %>"},
{keyfile, "<%= @ssl_key %>"}]}
<%- else -%>
{port, <%= @management_port %>}
<%- end -%>
]}
]}
<%- end -%>
<% if @config_stomp -%>,
% Configure the Stomp Plugin listening port
{rabbitmq_stomp, [
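Review bot: the {listener, [...]} block in this hunk sets only the port (plus ssl and ssl_opts in the SSL branch), so with admin_enable => true and ssl => false the management UI and its HTTP API are served in cleartext on every interface. Add an optional bind-address parameter and emit it as {ip, "..."} inside the listener, so the non-SSL case can be restricted to 127.0.0.1. The SSL branch also gives the rabbitmqadmin-based providers no way to learn the port or that SSL is required, as the inline comments on this hunk report; that needs a follow-up, either in the providers or through a rabbitmqadmin config file.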
