[Ovirt-devel] [PATCH server] Update qpid config in installer

Ian Main imain at redhat.com
Fri Feb 6 00:19:40 UTC 2009


This patch updates the qpid config to use gssapi etc. as in the
recipe version.

This update includes the change to qpidd.conf which I didn't git add
somehow.

Signed-off-by: Ian Main <imain at redhat.com>
---
 installer/modules/ovirt/files/qpidd.conf       |    9 ++++-
 installer/modules/ovirt/files/sasl2_qpidd.conf |   47 ++++++++++++++++++++++++
 installer/modules/ovirt/manifests/ovirt.pp     |    8 ++++-
 3 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 installer/modules/ovirt/files/sasl2_qpidd.conf

diff --git a/installer/modules/ovirt/files/qpidd.conf b/installer/modules/ovirt/files/qpidd.conf
index 014b23c..bf80918 100644
--- a/installer/modules/ovirt/files/qpidd.conf
+++ b/installer/modules/ovirt/files/qpidd.conf
@@ -1,4 +1,11 @@
 # Configuration file for qpidd. Entries are of the form:
 #  name = value
 # Using default settings: "qpidd --help" or "man qpidd" for more details.
-auth=no
+
+
+# This is where we want to be, but we can't actually do that yet because
+# we have unencrypted db-omatic and taskomatic running over localhost.
+# This will change shortly once we have gssapi support for ruby.
+#
+#require-encryption
+
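Review bot: with `auth=no` removed and nothing put in its place, this file no longer states any auth setting, so whether the broker enforces authentication now depends on its built-in default rather than on the installed config. If the intent is to turn authentication on, say so explicitly with `auth=yes`. It would also help to set the realm here, since the comment in the new sasl2_qpidd.conf says the sasldb realm has to match the broker's --auth-realm. The new comment block explains why `#require-encryption` stays commented out, but it does not say that authentication is being enabled, which is the actual behaviour change in this hunk. The two blank lines before the comment and the trailing blank line can be dropped.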
diff --git a/installer/modules/ovirt/files/sasl2_qpidd.conf b/installer/modules/ovirt/files/sasl2_qpidd.conf
new file mode 100644
index 0000000..c61131f
--- /dev/null
+++ b/installer/modules/ovirt/files/sasl2_qpidd.conf
@@ -0,0 +1,47 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+#
+# This configuation allows for either SASL PLAIN or ANONYMOUS
+# authentication. The PLAIN authentication is done on a
+# username+password, which is stored in the sasldb_path
+# file. Usernames and passwords can be added to the file using the
+# command:
+#
+#   saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER>
+#
+# The REALM is important and should be the same as the --auth-realm
+# option to the broker. This lets the broker properly find the user in
+# the sasldb file.
+#
+# Existing user accounts may be listed with:
+#
+#   sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
+#
+# NOTE: The sasldb file must be readable by the user running the qpidd
+# daemon, and should be readable only by that user.
+#
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+sasldb_path: /var/lib/qpidd/qpidd.sasldb
+
+# For now we allow plain auth too because the local daemons do not yet
+# support kerberos.
+mech_list: gssapi plain
+keytab: /usr/share/ovirt-server/ovirt.keytab
+
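Review bot: `mech_list: gssapi plain` offers PLAIN to every client that connects, not only to the local daemons the comment above it refers to, and with `#require-encryption` still commented out in qpidd.conf those username and password exchanges are not protected on the wire. Please either note in the comment how PLAIN clients are kept to localhost, or record that `plain` is to be removed in the same follow-up that enables require-encryption. The header comment also no longer matches the settings: it says the file allows "either SASL PLAIN or ANONYMOUS", while the mech_list is gssapi and plain, and it does not mention the `keytab:` line at all. "configuation" in that header is a typo for "configuration". Finally, the NOTE says the sasldb file should be readable only by the qpidd user, but nothing in this patch creates or sets permissions on /var/lib/qpidd/qpidd.sasldb.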
diff --git a/installer/modules/ovirt/manifests/ovirt.pp b/installer/modules/ovirt/manifests/ovirt.pp
index 9eab6bd..c5b146b 100644
--- a/installer/modules/ovirt/manifests/ovirt.pp
+++ b/installer/modules/ovirt/manifests/ovirt.pp
@@ -68,6 +68,11 @@ class ovirt::setup {
 		notify => Service[qpidd]
 	}
 
+        file {"/etc/sasl2/qpidd.conf":
+                source => "puppet:///ovirt/sasl2_qpidd.conf",
+                notify => Service["qpidd"]
+        }
+
 	single_exec { "db_migrate" :
 		cwd => "/usr/share/ovirt-server/",
 		command => "/usr/bin/rake db:migrate",
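Review bot: the new `file {"/etc/sasl2/qpidd.conf":` resource sets no owner, group or mode, so the permissions of a file that controls the broker's authentication mechanisms are left to whatever Puppet defaults to. Please set them explicitly (root-owned and not writable by others would be the usual choice) and add a `require` on the package that provides qpidd so the file is not laid down before /etc/sasl2 exists. Style: the added lines are indented with spaces while the rest of the manifest uses tabs, and `Service["qpidd"]` is quoted here but written as `Service[qpidd]` in the context line above and in the next hunk.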
@@ -87,7 +92,8 @@ class ovirt::setup {
 
 	single_exec { "add_host" :
 		command => "/usr/bin/ovirt-add-host $ipa_host /usr/share/ovirt-server/ovirt.keytab",
-		require => Package[ovirt-server]
+		require => Package[ovirt-server],
+		notify => Service[qpidd]
 	}
 
 	exec { "disable_selinux" :
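Review bot: the added `notify => Service[qpidd]` restarts the broker after `add_host` writes /usr/share/ovirt-server/ovirt.keytab, but nothing here makes that keytab readable by the user qpidd runs as, or keeps it unreadable by everyone else. Since sasl2_qpidd.conf now points `keytab:` at this path, consider a file resource for the keytab with explicit owner, group and mode that requires this exec, and have that resource notify the service. It is also worth a short comment on why qpidd needs a restart here, because the link to the keytab is only visible from the SASL config file.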
-- 
1.6.0.4



