From 58d703ae2760226b93f3f77096a90bd7a853facc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Tue, 21 Jun 2022 11:14:34 +0200
Subject: [PATCH] Limit topics that can be sent to
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only a few apps have topic permissions, if this works well we'll have to generalize it.

Fixes: #8167
Signed-off-by: Aurélien Bompard
---
 playbooks/groups/bodhi-backend.yml | 5 ++---
 playbooks/openshift-apps/bodhi.yml | 5 +++--
 playbooks/openshift-apps/bugzilla2fedmsg.yml | 2 ++
 playbooks/openshift-apps/datanommer.yml | 5 +++--
 playbooks/openshift-apps/discourse2fedmsg.yml | 2 ++
 playbooks/openshift-apps/elections.yml | 2 ++
 playbooks/openshift-apps/noggin-centos.yml | 2 ++
 playbooks/openshift-apps/noggin.yml | 2 ++
 roles/rabbit/queue/defaults/main.yml | 1 +
 roles/rabbit/queue/tasks/main.yml | 13 ++++++++++++-
 roles/rabbit/user/defaults/main.yml | 1 +
 roles/rabbit/user/tasks/main.yml | 13 ++++++++++++-
 12 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/playbooks/groups/bodhi-backend.yml b/playbooks/groups/bodhi-backend.yml
index 2dacb995af..2862595193 100644
--- a/playbooks/groups/bodhi-backend.yml
+++ b/playbooks/groups/bodhi-backend.yml
@@ -92,9 +92,6 @@
 key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key"
 certs_group: apache
- - role: rabbit/user
- username: "bodhi{{ env_suffix }}"
-
 - role: rabbit/queue
 username: "bodhi{{ env_suffix }}"
 queue_name: "bodhi{{ env_suffix }}_composer"
@@ -102,6 +99,8 @@
 thresholds:
 warning: 10
 critical: 100
+ sent_topics:
+ - org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*
 - role: rabbit/queue
 username: "bodhi{{ env_suffix }}"
diff --git a/playbooks/openshift-apps/bodhi.yml b/playbooks/openshift-apps/bodhi.yml
index c25a1b00b2..eabbc307f1 100644
--- a/playbooks/openshift-apps/bodhi.yml
+++ b/playbooks/openshift-apps/bodhi.yml
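Review bot: The `sent_topics` entry added in the second bodhi-backend.yml hunk is a plain (unquoted) YAML scalar, so both backslashes in `org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*` survive parsing and the pattern handed to RabbitMQ contains `\\.` — in a regex that is a literal backslash followed by any character, not an escaped dot — whereas the role's existing patterns such as `write_priv: "amq\\.topic"` are double-quoted, where `\\` collapses to `\`. Nothing visible between the playbook and the module unescapes the value, so as written the pattern should match no real topic and, once topic permissions are enforced, every publish from the staging bodhi user would be denied. Either quote it like the existing patterns, `- "org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*"`, or write it plain with single backslashes, `- org\.fedoraproject\.{{ env_short }}\.bodhi\..*`. The same applies to the entries in bodhi.yml, bugzilla2fedmsg.yml, discourse2fedmsg.yml, elections.yml, noggin-centos.yml and noggin.yml (datanommer's quoted `"^$"` is unaffected). The patterns are also unanchored; if RabbitMQ does not implicitly anchor permission regexes, a leading `^` would keep them from matching topics that merely contain that prefix — worth confirming against the RabbitMQ access-control documentation the role already links to.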
@@ -25,8 +25,6 @@
 bodhi_version: "{{ bodhi_version }}"
 roles:
- - role: rabbit/user
- username: "bodhi{{ env_suffix }}"
 - role: rabbit/queue
 username: "bodhi{{ env_suffix }}"
 queue_name: "{{ bodhi_message_queue_name }}"
@@ -34,6 +32,9 @@
 thresholds:
 warning: 10
 critical: 100
+ sent_topics:
+ - org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*
+
 - role: openshift/project
 app: bodhi
 description: bodhi
diff --git a/playbooks/openshift-apps/bugzilla2fedmsg.yml b/playbooks/openshift-apps/bugzilla2fedmsg.yml
index a1a19d218e..c95ddcaeb5 100644
--- a/playbooks/openshift-apps/bugzilla2fedmsg.yml
+++ b/playbooks/openshift-apps/bugzilla2fedmsg.yml
@@ -12,6 +12,8 @@
 - role: rabbit/user
 username: "bugzilla2fedmsg{{ env_suffix }}"
+ sent_topics:
+ - org\\.fedoraproject\\.{{ env_short }}\\.bugzilla\\..*
 - role: openshift/project
 app: bugzilla2fedmsg
diff --git a/playbooks/openshift-apps/datanommer.yml b/playbooks/openshift-apps/datanommer.yml
index a961f72adf..b1bfb4e6a8 100644
--- a/playbooks/openshift-apps/datanommer.yml
+++ b/playbooks/openshift-apps/datanommer.yml
@@ -9,8 +9,6 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 roles:
- - role: rabbit/user
- username: "datanommer{{ env_suffix }}"
 - role: rabbit/queue
 username: "datanommer{{ env_suffix }}"
 queue_name: "datanommer{{ env_suffix }}"
@@ -19,6 +17,9 @@
 thresholds:
 warning: 50
 critical: 500
+ # Datanommer does not publish messages
+ sent_topics:
+ - "^$"
 - role: openshift/project
 app: datanommer
diff --git a/playbooks/openshift-apps/discourse2fedmsg.yml b/playbooks/openshift-apps/discourse2fedmsg.yml
index 979073b549..cdc0dcc6f6 100644
--- a/playbooks/openshift-apps/discourse2fedmsg.yml
+++ b/playbooks/openshift-apps/discourse2fedmsg.yml
@@ -11,6 +11,8 @@
 roles:
 - role: rabbit/user
 username: "discourse2fedmsg{{ env_suffix }}"
+ sent_topics:
+ - org\\.fedoraproject\\.{{ env_short }}\\.discourse\\..*
 - role: openshift/project
 app: discourse2fedmsg
diff --git a/playbooks/openshift-apps/elections.yml b/playbooks/openshift-apps/elections.yml
index 7c7e76491d..753589ccf3 100644
--- a/playbooks/openshift-apps/elections.yml
+++ b/playbooks/openshift-apps/elections.yml
@@ -33,6 +33,8 @@
 roles:
 - role: rabbit/user
 username: "elections{{ env_suffix }}"
+ sent_topics:
+ - org\\.fedoraproject\\.{{ env_short }}\\.fedora_elections\\..*
 - role: openshift/project
 app: elections
diff --git a/playbooks/openshift-apps/noggin-centos.yml b/playbooks/openshift-apps/noggin-centos.yml
index 3784a9a0a2..37fac589c5 100644
--- a/playbooks/openshift-apps/noggin-centos.yml
+++ b/playbooks/openshift-apps/noggin-centos.yml
@@ -13,6 +13,8 @@
 roles:
 - role: rabbit/user
 username: "noggin{{ env_suffix }}"
+ sent_topics:
+ - org\\.fedoraproject\\.{{ env_short }}\\.noggin\\..*
 - role: openshift/project
 app: noggin-centos
diff --git a/playbooks/openshift-apps/noggin.yml b/playbooks/openshift-apps/noggin.yml
index 70c739e55f..c9f3032311 100644
--- a/playbooks/openshift-apps/noggin.yml
+++ b/playbooks/openshift-apps/noggin.yml
@@ -13,6 +13,8 @@
 roles:
 - role: rabbit/user
 username: "noggin{{ env_suffix }}"
+ sent_topics:
+ - org\\.fedoraproject\\.{{ env_short }}\\.noggin\\..*
 - role: openshift/project
 app: noggin
diff --git a/roles/rabbit/queue/defaults/main.yml b/roles/rabbit/queue/defaults/main.yml
index 08e7d77658..8528fa87a2 100644
--- a/roles/rabbit/queue/defaults/main.yml
+++ b/roles/rabbit/queue/defaults/main.yml
@@ -7,3 +7,4 @@ thresholds:
 warning: 10000
 critical: 100000
 nagios_server: noc01.iad2.fedoraproject.org
+sent_topics: []
diff --git a/roles/rabbit/queue/tasks/main.yml b/roles/rabbit/queue/tasks/main.yml
index 9e1e039d42..8c5c8f9bdb 100644
--- a/roles/rabbit/queue/tasks/main.yml
+++ b/roles/rabbit/queue/tasks/main.yml
@@ -41,11 +41,21 @@
 - fedora-messaging
 - rabbitmq_cluster
+- name: Prepare the topic permissions dict
+ set_fact:
+ topic_permissions: "{{ topic_permissions|default([]) + [{'vhost': vhost, 'write_priv': item}] }}"
+ loop: "{{ sent_topics }}"
+ when: env == "staging"
+
+- debug:
+ msg: "Topic permissions: {{ topic_permissions|default([]) }}"
+ when: topic_permissions is defined
+
 # See https://www.rabbitmq.com/access-control.html#permissions for details on
 # the RabbitMQ permissions configuration.
 - name: Create the {{ username }} user in RabbitMQ
 delegate_to: "{{ rabbitmq_server }}"
- rabbitmq_user:
+ community.rabbitmq.rabbitmq_user:
 user: "{{ username }}"
 vhost: "{{ vhost }}"
 # Read from queues prefixed with their name and bind to the topic exchange
@@ -54,6 +64,7 @@
 # write_queues, and publish to the topic exchange
 write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
 configure_priv: "^$" # No configuration permissions
+ topic_permissions: "{{ topic_permissions|default([]) }}"
 state: present
 tags:
 - fedora-messaging
diff --git a/roles/rabbit/user/defaults/main.yml b/roles/rabbit/user/defaults/main.yml
index 367d43e680..6fed45064d 100644
--- a/roles/rabbit/user/defaults/main.yml
+++ b/roles/rabbit/user/defaults/main.yml
@@ -1,2 +1,3 @@
 rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
 vhost: /pubsub
+sent_topics: []
diff --git a/roles/rabbit/user/tasks/main.yml b/roles/rabbit/user/tasks/main.yml
index adcca71cb1..9d51298963 100644
--- a/roles/rabbit/user/tasks/main.yml
+++ b/roles/rabbit/user/tasks/main.yml
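Review bot: `topic_permissions` is accumulated by the `set_fact` task at the top of this hunk from `topic_permissions|default([])`, and a fact set that way is host-scoped and persists across every later role invocation and play for the same host in one run, so a later `rabbit/queue` or `rabbit/user` application on that host (several openshift-apps plays presumably run against the same control host) starts from the previous user's list and grants it that user's topics as well. Resetting the list first — a `set_fact` with `topic_permissions: []` ahead of the loop, or accumulating under a role-prefixed name — closes that, at the cost that every invocation must then carry its own `sent_topics`; the second `rabbit/queue` entry for bodhi in bodhi-backend.yml currently relies on the first one's fact surviving. The same construction appears in roles/rabbit/user/tasks/main.yml. Each dict sets only `write_priv`, so the module's defaults for `read_priv` and the exchange will apply to this user's routing-key bindings on the queue the role creates — worth confirming they do not deny them. The unnamed `- debug:` task should also get a `name:` like its neighbours.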
@@ -23,14 +23,25 @@
 - fedora-messaging
 - rabbitmq_cluster
+- name: Prepare the topic permissions dict
+ set_fact:
+ topic_permissions: "{{ topic_permissions|default([]) + [{'vhost': vhost, 'write_priv': item}] }}"
+ loop: "{{ sent_topics }}"
+ when: env == "staging"
+
+- debug:
+ msg: "Topic permissions: {{ topic_permissions|default([]) }}"
+ when: topic_permissions is defined
+
 - name: Create the user in RabbitMQ
 delegate_to: "{{ rabbitmq_server }}"
- rabbitmq_user:
+ community.rabbitmq.rabbitmq_user:
 user: "{{ username }}"
 vhost: "{{ vhost }}"
 read_priv: "^$" # Publish only, no reading
 write_priv: "amq\\.topic"
 configure_priv: "^$" # No configuration permissions
+ topic_permissions: "{{ topic_permissions|default([]) }}"
 state: present
 tags:
 - config