puppet-heat

rabbit_use_ssl shouldn't require kombu certs settings

Bug #1356083 reported by Mike Dorman
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
puppet-ceilometer
Fix Released
Undecided
Mike Dorman
puppet-ceilometer 5.0.0 "5.0.0"
Icehouse
Fix Released
Undecided
Mike Dorman
puppet-ceilometer 4.2.0 "4.2.0"
puppet-cinder
Fix Released
Undecided
Lukas Bezdicka
puppet-cinder 6.0.0 "6.0.0"
Icehouse
Fix Committed
Undecided
Gael Chamoulaud
puppet-cinder 4.3.0 "4.3.0"
Juno
Fix Released
Undecided
Unassigned
puppet-cinder 5.1.0 "5.1.0"
puppet-heat
Fix Released
Undecided
Mike Dorman
puppet-heat 5.0.0 "5.0.0"
Icehouse
Fix Released
Undecided
Mike Dorman
puppet-heat 4.2.0 "4.2.0"
puppet-keystone
Fix Released
Undecided
Emilien Macchi
puppet-keystone 8.0.0 "8.0.0"
puppet-neutron
Fix Released
Undecided
Mike Dorman
puppet-neutron 5.0.0 "5.0.0"
Icehouse
Fix Released
Undecided
Mike Dorman
puppet-neutron 4.3.0 "4.3.0"
puppet-nova
Fix Released
Undecided
Mike Dorman
puppet-nova 5.0.0 "5.0.0"
Icehouse
Fix Released
Undecided
Mike Dorman
puppet-nova 4.2.0 "4.2.0"

Bug Description

When using the neutron puppet module, if you set rabbit_use_ssl => true, the module forces you to provide settings for kombu_ssl_ca_certs, kombu_ssl_certfile, and kombus_ssl_keyfile.

There are cases where you want rabbit_use_ssl => true, but not have the kombu settings. I.e. I want to use SSL to connect to Rabbit, but not use a cert for authentication.

You should be able to have rabbit_use_ssl => true separately from the kombus_ssl settings.

Revision history for this message
Mike Dorman (mdorman-m) wrote :

https://review.openstack.org/#/c/113671/

Changed in puppet-openstack:
assignee: nobody → Mike Dorman (mdorman-m)
status: New → In Progress
Mike Dorman (mdorman-m)
Changed in puppet-openstack:
status: In Progress → Fix Committed
Revision history for this message
David Moreau Simard (dmsimard) wrote :

Bug in Ceilometer closed as duplicate, for reference: https://bugs.launchpad.net/puppet-ceilometer/+bug/1348284

affects: puppet-openstack → puppet-neutron
Changed in puppet-ceilometer:
status: New → Confirmed
summary: - puppet-neutron: rabbit_use_ssl shouldn't require kombu certs settings
+ rabbit_use_ssl shouldn't require kombu certs settings
OpenStack Infra (hudson-openstack)
Changed in puppet-nova:
assignee: nobody → Mike Dorman (mdorman-m)
status: New → In Progress
Mike Dorman (mdorman-m)
Changed in puppet-heat:
assignee: nobody → Mike Dorman (mdorman-m)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119131

Changed in puppet-heat:
status: New → In Progress
Mike Dorman (mdorman-m)
Changed in puppet-ceilometer:
assignee: nobody → Mike Dorman (mdorman-m)
status: Confirmed → In Progress
status: In Progress → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-ceilometer (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119187

Changed in puppet-ceilometer:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on puppet-ceilometer (master)

Change abandoned by Mike Dorman (<email address hidden>) on branch: master
Review: https://review.openstack.org/119187
Reason: accidentally committed against master.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-ceilometer (master)

Fix proposed to branch: master
Review: https://review.openstack.org/119190

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-nova (master)

Reviewed: https://review.openstack.org/118739
Committed: https://git.openstack.org/cgit/stackforge/puppet-nova/commit/?id=61429e79ddfc0308657482cb57e411f82c8a0165
Submitter: Jenkins
Branch: master

commit 61429e79ddfc0308657482cb57e411f82c8a0165
Author: Mike Dorman <email address hidden>
Date: Wed Sep 3 12:43:11 2014 -0600

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    (Similar to this patch to puppet-neutron: https://review.openstack.org/#/c/113671/ )

    Closes-Bug: 1356083
    Change-Id: I6a27ebf359c1910e221e9dc31711c6af569dc0ce

Changed in puppet-nova:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-ceilometer (master)

Reviewed: https://review.openstack.org/119190
Committed: https://git.openstack.org/cgit/stackforge/puppet-ceilometer/commit/?id=957c2120d0ee0b9db08bfddcce996686ba61d97d
Submitter: Jenkins
Branch: master

commit 957c2120d0ee0b9db08bfddcce996686ba61d97d
Author: Mike Dorman <email address hidden>
Date: Thu Sep 4 13:49:30 2014 -0600

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: I7664dda2c66ffb34ceb56ada722574ae0e490f8f
    Closes-Bug: 1356083

Changed in puppet-ceilometer:
status: In Progress → Fix Committed
Changed in puppet-heat:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-heat (master)

Reviewed: https://review.openstack.org/119131
Committed: https://git.openstack.org/cgit/stackforge/puppet-heat/commit/?id=a4a20a9012114ee21ad175422d3a9d5f0ab41120
Submitter: Jenkins
Branch: master

commit a4a20a9012114ee21ad175422d3a9d5f0ab41120
Author: Mike Dorman <email address hidden>
Date: Thu Sep 4 10:59:21 2014 -0600

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: If9cceb4f4090c8b39079aa1aae2f53640c9ac0ff
    Closes-Bug: 1356083

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-ceilometer (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124524

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-heat (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124527

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124530

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/124532

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-ceilometer (stable/icehouse)

Reviewed: https://review.openstack.org/124524
Committed: https://git.openstack.org/cgit/stackforge/puppet-ceilometer/commit/?id=aa3933ccde8a4f8d39736a2d503cb085d4fae998
Submitter: Jenkins
Branch: stable/icehouse

commit aa3933ccde8a4f8d39736a2d503cb085d4fae998
Author: Mike Dorman <email address hidden>
Date: Thu Sep 4 13:49:30 2014 -0600

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: I7664dda2c66ffb34ceb56ada722574ae0e490f8f
    Closes-Bug: 1356083
    (cherry picked from commit 957c2120d0ee0b9db08bfddcce996686ba61d97d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-heat (stable/icehouse)

Reviewed: https://review.openstack.org/124527
Committed: https://git.openstack.org/cgit/stackforge/puppet-heat/commit/?id=ecc5bfce8af53709ec67e90ce64b5eb600446cbd
Submitter: Jenkins
Branch: stable/icehouse

commit ecc5bfce8af53709ec67e90ce64b5eb600446cbd
Author: Mike Dorman <email address hidden>
Date: Thu Sep 4 10:59:21 2014 -0600

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: If9cceb4f4090c8b39079aa1aae2f53640c9ac0ff
    Closes-Bug: 1356083
    (cherry picked from commit a4a20a9012114ee21ad175422d3a9d5f0ab41120)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-neutron (stable/icehouse)

Reviewed: https://review.openstack.org/124530
Committed: https://git.openstack.org/cgit/stackforge/puppet-neutron/commit/?id=d74795561b23a41be1eedf3d8c63bfb9f92360f4
Submitter: Jenkins
Branch: stable/icehouse

commit d74795561b23a41be1eedf3d8c63bfb9f92360f4
Author: Mike Dorman <email address hidden>
Date: Tue Aug 12 16:47:10 2014 -0600

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: Ia3d71eaccdfb736068478b935e5be46719eb49db
    Closes-Bug: 1356083
    (cherry picked from commit 141e65a7ddc07b682fc730bab98bffbd7d49f53f)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-nova (stable/icehouse)

Reviewed: https://review.openstack.org/124532
Committed: https://git.openstack.org/cgit/stackforge/puppet-nova/commit/?id=6412d84dfe86293ac3a4abf0494001f07e86c7f6
Submitter: Jenkins
Branch: stable/icehouse

commit 6412d84dfe86293ac3a4abf0494001f07e86c7f6
Author: Mike Dorman <email address hidden>
Date: Wed Sep 3 12:43:11 2014 -0600

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    (Similar to this patch to puppet-neutron: https://review.openstack.org/#/c/113671/ )

    Conflicts:
     manifests/init.pp
     spec/classes/nova_init_spec.rb

    Closes-Bug: 1356083
    Change-Id: I6a27ebf359c1910e221e9dc31711c6af569dc0ce
    (cherry picked from commit 61429e79ddfc0308657482cb57e411f82c8a0165)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/152128

Changed in puppet-cinder:
assignee: nobody → Lukas Bezdicka (social-b)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-cinder (master)

Reviewed: https://review.openstack.org/152128
Committed: https://git.openstack.org/cgit/stackforge/puppet-cinder/commit/?id=1c3fd4da9e329400e7c92196a8ddd6dd8b95dafe
Submitter: Jenkins
Branch: master

commit 1c3fd4da9e329400e7c92196a8ddd6dd8b95dafe
Author: Lukas Bezdicka <email address hidden>
Date: Mon Feb 2 15:15:58 2015 +0100

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: I5e138adea60d2dc8b398bb05896def8508cd9f44
    Closes-Bug: 1356083

Changed in puppet-cinder:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-cinder (stable/juno)

Fix proposed to branch: stable/juno
Review: https://review.openstack.org/152968

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-cinder (stable/juno)

Reviewed: https://review.openstack.org/152968
Committed: https://git.openstack.org/cgit/stackforge/puppet-cinder/commit/?id=5241a3994453601a8b715d9923f10eada386b9c9
Submitter: Jenkins
Branch: stable/juno

commit 5241a3994453601a8b715d9923f10eada386b9c9
Author: Lukas Bezdicka <email address hidden>
Date: Mon Feb 2 15:15:58 2015 +0100

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: I5e138adea60d2dc8b398bb05896def8508cd9f44
    Closes-Bug: 1356083
    (cherry picked from commit 1c3fd4da9e329400e7c92196a8ddd6dd8b95dafe)

tags: added: in-stable-juno
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-cinder (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/167421

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-cinder (stable/icehouse)

Reviewed: https://review.openstack.org/167421
Committed: https://git.openstack.org/cgit/stackforge/puppet-cinder/commit/?id=8ac0d838b8c0dcea3e0aecc5a1f6f000088d1185
Submitter: Jenkins
Branch: stable/icehouse

commit 8ac0d838b8c0dcea3e0aecc5a1f6f000088d1185
Author: Lukas Bezdicka <email address hidden>
Date: Mon Feb 2 15:15:58 2015 +0100

    Makes kombu_ssl_* parameters optional when rabbit_use_ssl => true

    The kombu_ssl_* parameters should not be required when rabbit_use_ssl => true
    Rather, rabbit_use_ssl must be set to true if the kombu_ssl_* parameters are
    used.

    Change-Id: I5e138adea60d2dc8b398bb05896def8508cd9f44
    Closes-Bug: 1356083
    (cherry picked from commit 1c3fd4da9e329400e7c92196a8ddd6dd8b95dafe)

Revision history for this message
Mathieu Gagné (mgagne) wrote :

Neutron change: https://review.openstack.org/#/c/113671/

Changed in puppet-nova:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-ceilometer:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-heat:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Changed in puppet-cinder:
milestone: none → 6.0.0
Changed in puppet-neutron:
milestone: none → 5.0.0
status: Fix Committed → Fix Released
Mathieu Gagné (mgagne)
Changed in puppet-cinder:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack)
Changed in puppet-keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → In Progress
Colleen Murphy (krinkle)
Changed in puppet-keystone:
milestone: none → 8.0.0
OpenStack Infra (hudson-openstack)
Changed in puppet-keystone:
assignee: Colleen Murphy (krinkle) → Emilien Macchi (emilienm)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.openstack.org/280462
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=d850c3e34b59c2305901a7692e1a90c0952ae59c
Submitter: Jenkins
Branch: master

commit d850c3e34b59c2305901a7692e1a90c0952ae59c
Author: Colleen Murphy <email address hidden>
Date: Mon Feb 15 17:26:55 2016 -0800

    Fix rabbitmq ssl logic

    Saying ! is_service_default($rabbit_use_ssl) and $rabbit_use_ssl is
    invalid logic: it checks that the value is not the ensure=>absent
    default and is also boolean true, when it should be checking whether it
    is boolean false. This was leading to an error where if the kombu_*
    parameters were not set but $rabbitmq_use_ssl was set to true, puppet
    would fail. It is valid to set rabbitmq_use_false to true while not
    setting the kombu_* parameters, it is just not valid the other way
    around. This change fixes the logic, adds checks for definition and
    truthiness of the kombu_* params, and fixes the error message. This
    makes the logic identical to the rabbitmq SSL handling in the neutron
    module[1].

    [1] http://git.openstack.org/cgit/openstack/puppet-neutron/tree/manifests/init.pp#n356

    Closes-Bug: #1356083
    Change-Id: I1f4a67c4b8d43670793331254818b6991b8de640

Changed in puppet-keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/287510

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/liberty)

Reviewed: https://review.openstack.org/287510
Committed: https://git.openstack.org/cgit/openstack/puppet-keystone/commit/?id=23cd211aeb58e5be870e1c8d998b43fb4343e1d4
Submitter: Jenkins
Branch: stable/liberty

commit 23cd211aeb58e5be870e1c8d998b43fb4343e1d4
Author: Colleen Murphy <email address hidden>
Date: Mon Feb 15 17:26:55 2016 -0800

    Fix rabbitmq ssl logic

    Saying ! is_service_default($rabbit_use_ssl) and $rabbit_use_ssl is
    invalid logic: it checks that the value is not the ensure=>absent
    default and is also boolean true, when it should be checking whether it
    is boolean false. This was leading to an error where if the kombu_*
    parameters were not set but $rabbitmq_use_ssl was set to true, puppet
    would fail. It is valid to set rabbitmq_use_false to true while not
    setting the kombu_* parameters, it is just not valid the other way
    around. This change fixes the logic, adds checks for definition and
    truthiness of the kombu_* params, and fixes the error message. This
    makes the logic identical to the rabbitmq SSL handling in the neutron
    module[1].

    [1] http://git.openstack.org/cgit/openstack/puppet-neutron/tree/manifests/init.pp#n356

    Closes-Bug: #1356083
    Change-Id: I1f4a67c4b8d43670793331254818b6991b8de640
    (cherry picked from commit d850c3e34b59c2305901a7692e1a90c0952ae59c)

tags: added: in-stable-liberty
Revision history for this message
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/puppet-keystone 7.1.0

This issue was fixed in the openstack/puppet-keystone 7.1.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.