[Ovirt-devel] [PATCH server] Batten Down the Hatch!
Ian Main
imain at redhat.com
Fri Feb 6 04:18:11 UTC 2009
This patch switches to upstream ruby-qpid package instead of the
rubygem-qpid patch that dlutter and I created. Upstream now supports
GSSAPI so we can require that all connections to qpidd now be
authenticated and encrypted.
Signed-off-by: Ian Main <imain at redhat.com>
---
installer/modules/ovirt/files/qpidd.conf | 7 +------
installer/modules/ovirt/files/sasl2_qpidd.conf | 5 ++---
ovirt-server.spec.in | 2 +-
src/db-omatic/db_omatic.rb | 4 +++-
src/dutils/dutils.rb | 6 +++---
src/qmf-libvirt-example.rb | 7 ++++++-
src/task-omatic/taskomatic.rb | 5 +++--
7 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/installer/modules/ovirt/files/qpidd.conf b/installer/modules/ovirt/files/qpidd.conf
index bf80918..4480460 100644
--- a/installer/modules/ovirt/files/qpidd.conf
+++ b/installer/modules/ovirt/files/qpidd.conf
@@ -2,10 +2,5 @@
# name = value
# Using default settings: "qpidd --help" or "man qpidd" for more details.
-
-# This is where we want to be, but we can't actually do that yet because
-# we have unencrypted db-omatic and taskomatic running over localhost.
-# This will change shortly once we have gssapi support for ruby.
-#
-#require-encryption
+require-encryption
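Review bot: Enabling `require-encryption` here only holds up if the sasl2 change landing alongside it (GSSAPI-only `mech_list`) is deployed at the same time, since the encryption now comes from the GSSAPI security layer rather than from a separate TLS setup; the removed comment explained why the setting was off, so consider replacing it with one line stating that confidentiality is provided by the SASL/GSSAPI layer, so a future reader does not assume TLS is configured somewhere else.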
diff --git a/installer/modules/ovirt/files/sasl2_qpidd.conf b/installer/modules/ovirt/files/sasl2_qpidd.conf
index c61131f..e5c4143 100644
--- a/installer/modules/ovirt/files/sasl2_qpidd.conf
+++ b/installer/modules/ovirt/files/sasl2_qpidd.conf
@@ -40,8 +40,7 @@ pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /var/lib/qpidd/qpidd.sasldb
-# For now we allow plain auth too because the local daemons do not yet
-# support kerberos.
-mech_list: gssapi plain
+# Only allow GSSAPI
+mech_list: gssapi
keytab: /usr/share/ovirt-server/ovirt.keytab
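Review bot: With `mech_list: gssapi` the `pwcheck_method: auxprop`, `auxprop_plugin: sasldb` and `sasldb_path: /var/lib/qpidd/qpidd.sasldb` lines above are no longer exercised; either drop them or note why they stay, so the sasldb (and whatever accounts it still holds) is not quietly revived by someone adding `plain` back to the list.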
diff --git a/ovirt-server.spec.in b/ovirt-server.spec.in
index a35ff6f..b2ffdd6 100644
--- a/ovirt-server.spec.in
+++ b/ovirt-server.spec.in
@@ -35,7 +35,7 @@ Requires: iscsi-initiator-utils
Requires: cyrus-sasl-gssapi
Requires: ovirt-docs
Requires: qpidd
-Requires: rubygem-qpid
+Requires: ruby-qpid
Requires: qpidc
Requires: qmf
Requires: ruby-qpid
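Review bot: `Requires: ruby-qpid` is now listed twice, once as the replacement for `rubygem-qpid` and again three lines further down in the unchanged context; remove one of the two so the spec does not carry a duplicate dependency.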
diff --git a/src/db-omatic/db_omatic.rb b/src/db-omatic/db_omatic.rb
index 2ba9456..06adc19 100755
--- a/src/db-omatic/db_omatic.rb
+++ b/src/db-omatic/db_omatic.rb
@@ -324,9 +324,11 @@ def main()
puts "#{Time.now}: db_omatic started."
end
+ get_credentials('qpidd')
+
dbsync = DbOmatic.new()
s = Qpid::Qmf::Session.new(:console => dbsync, :rcv_events => false)
- b = s.add_broker("amqp://guest:guest@localhost:5672")
+ b = s.add_broker("amqp://management.priv.ovirt.org:5672", :mechanism => 'GSSAPI')
dbsync.db_init_cleanup()
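Review bot: `get_credentials('qpidd')` has db-omatic authenticate as `qpidd/<hostname>@REALM` from the same keytab the broker itself uses (see `sasl2_qpidd.conf`), so the broker cannot tell db-omatic, taskomatic or the example script apart from one another or from itself, and no per-client ACL is possible later; a per-daemon principal (or at least a dedicated client principal) would give least privilege. The broker URL `amqp://management.priv.ovirt.org:5672` is also hard-coded here and in two other files in this patch; a single constant in dutils would avoid three copies drifting apart.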
diff --git a/src/dutils/dutils.rb b/src/dutils/dutils.rb
index fd47a8f..6df2f06 100644
--- a/src/dutils/dutils.rb
+++ b/src/dutils/dutils.rb
@@ -22,10 +22,10 @@ include Krb5Auth
ENV['KRB5CCNAME'] = '/usr/share/ovirt-server/ovirt-cc'
-def get_credentials
+def get_credentials(service = 'libvirt')
krb5 = Krb5.new
default_realm = krb5.get_default_realm
- princ = 'libvirt/' + Socket::gethostname + '@' + default_realm
+ princ = service + '/' + Socket::gethostname + '@' + default_realm
now = Time.now
renew = true
@@ -45,7 +45,7 @@ def get_credentials
if renew
begin
- krb5.get_init_creds_keytab('libvirt/' + Socket::gethostname + '@' + default_realm, '/usr/share/ovirt-server/ovirt.keytab')
+ krb5.get_init_creds_keytab(service + '/' + Socket::gethostname + '@' + default_realm, '/usr/share/ovirt-server/ovirt.keytab')
krb5.cache(ENV['KRB5CCNAME'])
rescue
# well, if we run into an error here, there's not much we can do. Just
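Review bot: The first hunk already builds `princ = service + '/' + Socket::gethostname + '@' + default_realm`, so `get_init_creds_keytab` should take `princ` instead of rebuilding the same string inline; the duplication is exactly how the two would get out of step on the next edit.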
diff --git a/src/qmf-libvirt-example.rb b/src/qmf-libvirt-example.rb
index 8fac3c9..f8d6aca 100644
--- a/src/qmf-libvirt-example.rb
+++ b/src/qmf-libvirt-example.rb
@@ -1,10 +1,15 @@
#!/usr/bin/ruby
+$: << File.join(File.dirname(__FILE__), "./dutils")
+
require "rubygems"
require "qpid"
+require "dutils"
+
+get_credentials('qpidd')
s = Qpid::Qmf::Session.new()
-b = s.add_broker("amqp://guest:guest@localhost:5672")
+b = s.add_broker("amqp://management.priv.ovirt.org:5672", :mechanism => 'GSSAPI')
while true:
nodes = s.objects(:class => "node")
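Review bot: `require "dutils"` has the side effect of setting `ENV['KRB5CCNAME']` to the fixed path `/usr/share/ovirt-server/ovirt-cc` (visible in the dutils hunk), so running this example as a user other than the daemon account will either fail on that cache or clobber the daemons' credentials; worth a comment at the top of the script, or an option to pass an explicit principal and cache.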
diff --git a/src/task-omatic/taskomatic.rb b/src/task-omatic/taskomatic.rb
index 9382f2b..79e2082 100755
--- a/src/task-omatic/taskomatic.rb
+++ b/src/task-omatic/taskomatic.rb
@@ -48,7 +48,7 @@ class TaskOmatic
@session = Qpid::Qmf::Session.new()
# FIXME: Should come from some kind of config or DNS SRV or what have you.
- @broker = @session.add_broker("amqp://guest:guest@localhost:5672")
+ @broker = @session.add_broker("amqp://management.priv.ovirt.org:5672", :mechanism => 'GSSAPI')
do_daemon = true
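Review bot: The `FIXME` about sourcing the broker from config or DNS SRV is still accurate and now applies to three hard-coded copies of `amqp://management.priv.ovirt.org:5672`; if the FIXME cannot be resolved in this patch, at least move the URL into dutils next to `get_credentials` so it is changed in one place.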
@@ -754,7 +754,8 @@ class TaskOmatic
tasks.each do |task|
# make sure we get our credentials up-front
- get_credentials
+ get_credentials('libvirt')
+ get_credentials('qpidd')
task.time_started = Time.now
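Review bot: `get_credentials('libvirt')` followed immediately by `get_credentials('qpidd')` both write into the single cache named by `ENV['KRB5CCNAME']`, so the second call's `krb5.cache(...)` replaces the libvirt credentials obtained a moment earlier, and the per-task libvirt connections may then run as the wrong principal; either give each service its own ccache or verify that the renewal check in `get_credentials` does not simply overwrite the cache on every call.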
--
1.6.0.4