Limit topics that can be sent to
Only a few apps have topic permissions, if this works well we'll have to generalize it. Fixes: #8167 Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard
parent
1b957c58bf
commit
58d703ae27
12 changed files with 44 additions and 9 deletions
|
|
@ -92,9 +92,6 @@
|
|||
key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key"
|
||||
certs_group: apache
|
||||
|
||||
- role: rabbit/user
|
||||
username: "bodhi{{ env_suffix }}"
|
||||
|
||||
- role: rabbit/queue
|
||||
username: "bodhi{{ env_suffix }}"
|
||||
queue_name: "bodhi{{ env_suffix }}_composer"
|
||||
|
|
@ -102,6 +99,8 @@
|
|||
thresholds:
|
||||
warning: 10
|
||||
critical: 100
|
||||
sent_topics:
|
||||
- org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*
|
||||
|
||||
- role: rabbit/queue
|
||||
username: "bodhi{{ env_suffix }}"
|
||||
|
|
|
|||
|
|
@ -25,8 +25,6 @@
|
|||
bodhi_version: "{{ bodhi_version }}"
|
||||
|
||||
roles:
|
||||
- role: rabbit/user
|
||||
username: "bodhi{{ env_suffix }}"
|
||||
- role: rabbit/queue
|
||||
username: "bodhi{{ env_suffix }}"
|
||||
queue_name: "{{ bodhi_message_queue_name }}"
|
||||
|
|
@ -34,6 +32,9 @@
|
|||
thresholds:
|
||||
warning: 10
|
||||
critical: 100
|
||||
sent_topics:
|
||||
- org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*
|
||||
|
||||
- role: openshift/project
|
||||
app: bodhi
|
||||
description: bodhi
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@
|
|||
|
||||
- role: rabbit/user
|
||||
username: "bugzilla2fedmsg{{ env_suffix }}"
|
||||
sent_topics:
|
||||
- org\\.fedoraproject\\.{{ env_short }}\\.bugzilla\\..*
|
||||
|
||||
- role: openshift/project
|
||||
app: bugzilla2fedmsg
|
||||
|
|
|
|||
|
|
@ -9,8 +9,6 @@
|
|||
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
||||
|
||||
roles:
|
||||
- role: rabbit/user
|
||||
username: "datanommer{{ env_suffix }}"
|
||||
- role: rabbit/queue
|
||||
username: "datanommer{{ env_suffix }}"
|
||||
queue_name: "datanommer{{ env_suffix }}"
|
||||
|
|
@ -19,6 +17,9 @@
|
|||
thresholds:
|
||||
warning: 50
|
||||
critical: 500
|
||||
# Datanommer does not publish messages
|
||||
sent_topics:
|
||||
- "^$"
|
||||
|
||||
- role: openshift/project
|
||||
app: datanommer
|
||||
|
|
|
|||
|
|
@ -11,6 +11,8 @@
|
|||
roles:
|
||||
- role: rabbit/user
|
||||
username: "discourse2fedmsg{{ env_suffix }}"
|
||||
sent_topics:
|
||||
- org\\.fedoraproject\\.{{ env_short }}\\.discourse\\..*
|
||||
|
||||
- role: openshift/project
|
||||
app: discourse2fedmsg
|
||||
|
|
|
|||
|
|
@ -33,6 +33,8 @@
|
|||
roles:
|
||||
- role: rabbit/user
|
||||
username: "elections{{ env_suffix }}"
|
||||
sent_topics:
|
||||
- org\\.fedoraproject\\.{{ env_short }}\\.fedora_elections\\..*
|
||||
|
||||
- role: openshift/project
|
||||
app: elections
|
||||
|
|
|
|||
|
|
@ -13,6 +13,8 @@
|
|||
roles:
|
||||
- role: rabbit/user
|
||||
username: "noggin{{ env_suffix }}"
|
||||
sent_topics:
|
||||
- org\\.fedoraproject\\.{{ env_short }}\\.noggin\\..*
|
||||
|
||||
- role: openshift/project
|
||||
app: noggin-centos
|
||||
|
|
|
|||
|
|
@ -13,6 +13,8 @@
|
|||
roles:
|
||||
- role: rabbit/user
|
||||
username: "noggin{{ env_suffix }}"
|
||||
sent_topics:
|
||||
- org\\.fedoraproject\\.{{ env_short }}\\.noggin\\..*
|
||||
|
||||
- role: openshift/project
|
||||
app: noggin
|
||||
|
|
|
|||
|
|
@ -7,3 +7,4 @@ thresholds:
|
|||
warning: 10000
|
||||
critical: 100000
|
||||
nagios_server: noc01.iad2.fedoraproject.org
|
||||
sent_topics: []
|
||||
|
|
|
|||
|
|
@ -41,11 +41,21 @@
|
|||
- fedora-messaging
|
||||
- rabbitmq_cluster
|
||||
|
||||
- name: Prepare the topic permissions dict
|
||||
set_fact:
|
||||
topic_permissions: "{{ topic_permissions|default([]) + [{'vhost': vhost, 'write_priv': item}] }}"
|
||||
loop: "{{ sent_topics }}"
|
||||
when: env == "staging"
|
||||
|
||||
- debug:
|
||||
msg: "Topic permissions: {{ topic_permissions|default([]) }}"
|
||||
when: topic_permissions is defined
|
||||
|
||||
# See https://www.rabbitmq.com/access-control.html#permissions for details on
|
||||
# the RabbitMQ permissions configuration.
|
||||
- name: Create the {{ username }} user in RabbitMQ
|
||||
delegate_to: "{{ rabbitmq_server }}"
|
||||
rabbitmq_user:
|
||||
community.rabbitmq.rabbitmq_user:
|
||||
user: "{{ username }}"
|
||||
vhost: "{{ vhost }}"
|
||||
# Read from queues prefixed with their name and bind to the topic exchange
|
||||
|
|
@ -54,6 +64,7 @@
|
|||
# write_queues, and publish to the topic exchange
|
||||
write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
|
||||
configure_priv: "^$" # No configuration permissions
|
||||
topic_permissions: "{{ topic_permissions|default([]) }}"
|
||||
state: present
|
||||
tags:
|
||||
- fedora-messaging
|
||||
|
|
|
|||
|
|
@ -1,2 +1,3 @@
|
|||
rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
|
||||
vhost: /pubsub
|
||||
sent_topics: []
|
||||
|
|
|
|||
|
|
@ -23,14 +23,25 @@
|
|||
- fedora-messaging
|
||||
- rabbitmq_cluster
|
||||
|
||||
- name: Prepare the topic permissions dict
|
||||
set_fact:
|
||||
topic_permissions: "{{ topic_permissions|default([]) + [{'vhost': vhost, 'write_priv': item}] }}"
|
||||
loop: "{{ sent_topics }}"
|
||||
when: env == "staging"
|
||||
|
||||
- debug:
|
||||
msg: "Topic permissions: {{ topic_permissions|default([]) }}"
|
||||
when: topic_permissions is defined
|
||||
|
||||
- name: Create the user in RabbitMQ
|
||||
delegate_to: "{{ rabbitmq_server }}"
|
||||
rabbitmq_user:
|
||||
community.rabbitmq.rabbitmq_user:
|
||||
user: "{{ username }}"
|
||||
vhost: "{{ vhost }}"
|
||||
read_priv: "^$" # Publish only, no reading
|
||||
write_priv: "amq\\.topic"
|
||||
configure_priv: "^$" # No configuration permissions
|
||||
topic_permissions: "{{ topic_permissions|default([]) }}"
|
||||
state: present
|
||||
tags:
|
||||
- config
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue