Comments (13)
@wenchma those two matter for MQTT users. The right thing to do is to use encrypted data bags.
@michaelklishin yes, those two matters are stored in encrypted data bags as encrypted text, but the values fetched from the data bag are decrypted, and the values are also configured in rabbitmq.config in plain text (decrypted text).
In fact, we don't need to configure the two matters; rabbit also works well, and the values are stored in the rabbit database.
@wenchma the solution should be then to not have these attributes in your data bags. Yes, RabbitMQ can operate without those values but clients that connect w/o credentials often can't use the default user "guest" (because it does not exist on many production systems).
Anyway, the point is that if this does not work for you, the cookbook doesn't need to be modified; you should either
- Not specify the attributes
- Use encrypted data bags
Encrypted values are not currently supported by RabbitMQ (technically, Erlang's application) and if that isn't OK with you, the solution is to not have such values in the config, for which no cookbook modifications are necessary.
@michaelklishin my concern is that exposing the password in plain text is not secure, but the two attributes have to be specified for clients to connect.
Of course we specified the two attributes with values that make sense for the actual deployment.
Not exposing the password in plain text in the rabbitmq conf file would look better, wouldn't it?
"the two attributes have to be specified for clients' connecting"
That's not true. Unfortunately, authentication in MQTT is optional. It is a really bad idea if you ask me, but that's just what the committee decided on. Like I said earlier, encrypted config values are not supported by RabbitMQ at the moment. Sorry. Removing these values means one of the features of MQTT that is not listed as a limitation in the RabbitMQ documentation won't be available to the users.
RabbitMQ has pluggable authentication mechanisms, e.g. you can authenticate using x509 certificates or LDAP. This can be extended to MQTT to a large degree.
In the meantime, you can specify random values for default_user and default_pass and not use credential-less authentication in your apps.
Would another option be to add an IF check to the template such that when the default_user is nil, these two lines are not added to the conf file?
Ok, maybe we should step back and re-look at what is being asked for here. Based upon this doc: https://www.rabbitmq.com/access-control.html a user named guest will be created. The requirement here is for a "No Guest" configuration. Meaning, this cookbook should be changed as follows:
- allow an option for not having a guest account: [rabbit][allow_guest] = false (default is true)
- in the default recipe after the server is started:

    # Delete the built-in guest user unless the node opts to keep it.
    # The attribute lives under the cookbook's node['rabbitmq'] namespace,
    # the same one the conf template reads from.
    rabbitmq_user 'remove rabbit guest user' do
      user 'guest'
      action :delete
      not_if { node['rabbitmq']['allow_guest'] }
    end

- in the rabbit conf template, no need to put guest in there as it's handled by the server:

    <% if node['rabbitmq']['default_user'] != 'guest' -%>
    {default_user, <<"<%= node['rabbitmq']['default_user'] %>">>},
    {default_pass, <<"<%= node['rabbitmq']['default_pass'] %>">>}
    <% end -%>

No change in current behavior, but clean up guest from the server and conf if asked for.
Reasonable?
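The following is an added example, not code from the chef-cookbook project or from any commenter above: a self-contained Ruby/ERB rendering of the conditional proposed in the comment above, so the behaviour can be checked without a Chef run. It goes one step beyond the posted template by also skipping the credential lines when default_user is unset or empty (in Ruby `nil != 'guest'` is true, so the plain `!= 'guest'` check would still write `{default_user, <<"">>}`). The `node` Hash, the helper names and the sample attribute values are assumptions made for this example.

```ruby
# Added example, not code from the chef-cookbook project: render the
# rabbitmq_mqtt credential entries of rabbitmq.config only when a real,
# non-guest default user has been configured. `node` is a plain Hash that
# stands in for the Chef node object; the attribute names under
# node['rabbitmq'] are an assumption made for this example.
require 'erb'

# True only when both a usable default_user and default_pass are set.
# This goes beyond the template proposed in the thread: `nil != 'guest'`
# is true in Ruby, so checking only for 'guest' would still emit
# `{default_user, <<"">>}` for an unset attribute.
def mqtt_credentials_configured?(node)
  user = node.dig('rabbitmq', 'default_user').to_s
  pass = node.dig('rabbitmq', 'default_pass').to_s
  !user.empty? && user != 'guest' && !pass.empty?
end

# Erlang-term config fragment; `-%>` swallows the newline of control lines
# so the skipped branch leaves no blank lines behind.
MQTT_TEMPLATE = <<~ERB
  [
    {rabbitmq_mqtt, [
  <% if mqtt_credentials_configured?(node) -%>
      {default_user, <<"<%= node['rabbitmq']['default_user'] %>">>},
      {default_pass, <<"<%= node['rabbitmq']['default_pass'] %>">>}
  <% end -%>
    ]}
  ].
ERB

# Render the fragment for one node's attributes.
def render_mqtt_config(node)
  ERB.new(MQTT_TEMPLATE, trim_mode: '-').result(binding)
end

# Check a rendered config for a secret that should not end up on disk.
def password_on_disk?(rendered, password)
  !password.to_s.empty? && rendered.include?(password.to_s)
end

# Constructed sample node attributes (not from any real deployment).
NODES = {
  'guest (server-managed)' => { 'rabbitmq' => { 'default_user' => 'guest', 'default_pass' => 'guest' } },
  'unset'                  => { 'rabbitmq' => {} },
  'custom user'            => { 'rabbitmq' => { 'default_user' => 'mqtt-app', 'default_pass' => 's3cret-example' } },
}

if __FILE__ == $PROGRAM_NAME
  NODES.each do |label, node|
    rendered = render_mqtt_config(node)
    puts "== #{label}"
    puts rendered
    puts "password written to config: #{password_on_disk?(rendered, node.dig('rabbitmq', 'default_pass'))}"
  end
end
```

Running it shows the three cases side by side: the guest and unset nodes produce a rabbitmq_mqtt section with no credential entries at all (nothing secret reaches the file), while the custom-user node gets both entries, which is exactly the plaintext exposure the thread is about and the reason a real default_pass still belongs in an encrypted data bag rather than in plain node attributes.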
@kramvan1 it looks like a good method to address this problem.
@wenchma Do you still need a fix for this?
@cmluciano yes, I still need a fix; these two attributes should only be stored in the rabbitmq db, not exposed in the conf file.
@wenchma Does #237 work for you?
@cmluciano and @wenchma seriously, it's a clever fix. Works for me ;)
Fix provided by #237; closing now due to inactivity.