[Ovirt-devel] [PATCH recipe] Configure qpidd to use gssapi

Ian Main imain at redhat.com
Thu Jan 29 13:37:42 UTC 2009


This adds configuration files for qpidd to allow it to use gssapi
for authentication of clients.  Note that we still allow 'plain'
authentication as well.  This is only temporary and is required
because there is currently no way to allow localhost connections to
be anonymous.  Once ruby has gssapi support we can remove the
plain authentication.

Signed-off-by: Ian Main <imain at redhat.com>
---
 Makefile.am                             |    1 +
 appliances/ovirt/files/qpidd.conf       |    8 ++++-
 appliances/ovirt/files/sasl2_qpidd.conf |   47 +++++++++++++++++++++++++++++++
 appliances/ovirt/ovirt.pp.in            |    5 +++
 ovirt-recipe.spec.in                    |    1 +
 5 files changed, 61 insertions(+), 1 deletions(-)
 create mode 100644 appliances/ovirt/files/sasl2_qpidd.conf

diff --git a/Makefile.am b/Makefile.am
index 16d3867..8e1451b 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -28,6 +28,7 @@ EXTRA_DIST =			\
   appliances/ovirt/files/cobbler-import	\
   appliances/ovirt/files/collectd.conf	\
   appliances/ovirt/files/qpidd.conf	\
+  appliances/ovirt/files/sasl2_qpidd.conf	\
   appliances/ovirt/files/ovirt-cfgdb	\
   appliances/ovirt/files/ovirt.repo	\
   appliances/ovirt/files/ovirt-dnsmasq.conf	\
diff --git a/appliances/ovirt/files/qpidd.conf b/appliances/ovirt/files/qpidd.conf
index a7e34bb..bf80918 100644
--- a/appliances/ovirt/files/qpidd.conf
+++ b/appliances/ovirt/files/qpidd.conf
@@ -1,5 +1,11 @@
 # Configuration file for qpidd. Entries are of the form:
 #  name = value
 # Using default settings: "qpidd --help" or "man qpidd" for more details.
-auth=no
+
+
+# This is where we want to be, but we can't actually do that yet because
+# we have unencrypted db-omatic and taskomatic running over localhost.
+# This will change shortly once we have gssapi support for ruby.
+#
+#require-encryption
 
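Review bot: Dropping `auth=no` leaves authentication at qpidd's compiled-in default instead of stating the intent; since turning SASL on is the purpose of this commit, put an explicit `auth=yes` where `auth=no` was, so the setting is visible to the reader and survives a change in packaging defaults. The sasl2 file added in this patch says the REALM used with saslpasswd2 must match the broker's `--auth-realm`, yet no `auth-realm=` appears here, so the broker is presumably relying on whatever default realm it computes — pinning it with `auth-realm=<REALM>` avoids sasldb entries created under one realm being looked up under another. With `require-encryption` left commented out, PLAIN credentials travel in cleartext for any non-localhost client, which the comment acknowledges only indirectly; add a sentence such as `# Until require-encryption is enabled, keep the broker port firewalled to localhost.` so the interim exposure is explicit to whoever deploys this.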
diff --git a/appliances/ovirt/files/sasl2_qpidd.conf b/appliances/ovirt/files/sasl2_qpidd.conf
new file mode 100644
index 0000000..c61131f
--- /dev/null
+++ b/appliances/ovirt/files/sasl2_qpidd.conf
@@ -0,0 +1,47 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+#
+# This configuation allows for either SASL PLAIN or ANONYMOUS
+# authentication. The PLAIN authentication is done on a
+# username+password, which is stored in the sasldb_path
+# file. Usernames and passwords can be added to the file using the
+# command:
+#
+#   saslpasswd2 -f /var/lib/qpidd/qpidd.sasldb -u <REALM> <USER>
+#
+# The REALM is important and should be the same as the --auth-realm
+# option to the broker. This lets the broker properly find the user in
+# the sasldb file.
+#
+# Existing user accounts may be listed with:
+#
+#   sasldblistusers2 -f /var/lib/qpidd/qpidd.sasldb
+#
+# NOTE: The sasldb file must be readable by the user running the qpidd
+# daemon, and should be readable only by that user.
+#
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+sasldb_path: /var/lib/qpidd/qpidd.sasldb
+
+# For now we allow plain auth too because the local daemons do not yet
+# support kerberos.
+mech_list: gssapi plain
+keytab: /usr/share/ovirt-server/ovirt.keytab
+
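Review bot: The header comment inherited from the upstream sample ("allows for either SASL PLAIN or ANONYMOUS authentication") no longer matches `mech_list: gssapi plain` — ANONYMOUS is not offered and GSSAPI is — so a reader would wrongly believe anonymous logins are accepted; change it to `# This configuration allows either SASL GSSAPI (Kerberos) or PLAIN authentication.` and keep the sasldb instructions below it. `keytab: /usr/share/ovirt-server/ovirt.keytab` places a credential under /usr/share, a tree normally holding non-secret shared data; nothing in this patch shows the file's owner or mode, so confirm it is readable only by the qpidd user (as the sasldb note above already requires) and consider moving it under /etc. The PLAIN mechanism is negotiable by any client that reaches the broker, not only the local daemons the comment mentions, so the closing comment should say so: `# NOTE: plain is offered to every client, not just local ones; remove it once gssapi is used everywhere.`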
diff --git a/appliances/ovirt/ovirt.pp.in b/appliances/ovirt/ovirt.pp.in
index f409ee3..c61f2b2 100644
--- a/appliances/ovirt/ovirt.pp.in
+++ b/appliances/ovirt/ovirt.pp.in
@@ -88,6 +88,11 @@ file {"/etc/qpidd.conf":
     notify => Service["qpidd"]
 }
 
+file {"/etc/sasl2/qpidd.conf":
+    source => "puppet:///ovirt/sasl2_qpidd.conf",
+    notify => Service["qpidd"]
+}
+
 file {"/var/www/html/ovirt-cfgdb":
     source => "puppet:///ovirt/ovirt-cfgdb"
 }
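Review bot: The new `file {"/etc/sasl2/qpidd.conf"}` resource carries only a `notify` and no ordering against the package that owns /etc/sasl2 or against the qpidd package; if Puppet evaluates it before those are installed the parent directory may not exist and the file resource can fail. Adding `require => Package["qpidd"]` (plus the package providing /etc/sasl2, if it is managed in this manifest) alongside the existing `notify` would fix that; how packages are declared elsewhere in ovirt.pp.in is outside this hunk, so match whatever name the manifest uses. Declaring `owner => "root", group => "root", mode => "0644"` would also make the permissions explicit rather than inherited from the agent's umask, consistent with the sasl file's own note about who may read the credentials it references.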
diff --git a/ovirt-recipe.spec.in b/ovirt-recipe.spec.in
index ea51c3a..e8aa596 100644
--- a/ovirt-recipe.spec.in
+++ b/ovirt-recipe.spec.in
@@ -38,6 +38,7 @@ Requires: syslinux
 Requires: lokkit
 Requires: curl
 Requires: qpidd
+Requires: cyrus-sasl-plain
 Requires: rubygem-qpid
 Requires: qpidc
 Requires: qmf
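Review bot: `Requires: cyrus-sasl-plain` covers only the PLAIN mechanism, but the sasl2 config in this same patch lists `gssapi` first in `mech_list`, and on Fedora the GSSAPI plugin ships separately as `cyrus-sasl-gssapi`; unless the qpidd package already pulls that in (not visible here), the broker will come up with no GSSAPI mechanism and PLAIN will be the only one ever negotiated. Add `Requires: cyrus-sasl-gssapi` next to the plain one, and `Requires: krb5-workstation` if the appliance does not otherwise get a Kerberos client, so the intended gssapi path is actually installable.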
-- 
1.6.0.4



