Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Limit topics that can be sent to

Browse source 
Only a few apps have topic permissions, if this works well we'll have to
generalize it.

Fixes: #8167

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard 2022-06-21 11:14:34 +02:00
parent 1b957c58bf
commit 58d703ae27
No known key found for this signature in database
GPG key ID: 31584CFEB9BF64AD
12 changed files with 44 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

5
playbooks/groups/bodhi-backend.yml
View file

@ -92,9 +92,6 @@
key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key" key_src: "{{private}}/files/docker-registry/{{env}}/pki/private/containerstable.key"
certs_group: apache certs_group: apache
- role: rabbit/user
username: "bodhi{{ env_suffix }}"
- role: rabbit/queue - role: rabbit/queue
username: "bodhi{{ env_suffix }}" username: "bodhi{{ env_suffix }}"
queue_name: "bodhi{{ env_suffix }}_composer" queue_name: "bodhi{{ env_suffix }}_composer"
@ -102,6 +99,8 @@
thresholds: thresholds:
warning: 10 warning: 10
critical: 100 critical: 100
sent_topics:
- org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*
- role: rabbit/queue - role: rabbit/queue
username: "bodhi{{ env_suffix }}" username: "bodhi{{ env_suffix }}"

5
playbooks/openshift-apps/bodhi.yml
View file

@ -25,8 +25,6 @@
bodhi_version: "{{ bodhi_version }}" bodhi_version: "{{ bodhi_version }}"
roles: roles:
- role: rabbit/user
username: "bodhi{{ env_suffix }}"
- role: rabbit/queue - role: rabbit/queue
username: "bodhi{{ env_suffix }}" username: "bodhi{{ env_suffix }}"
queue_name: "{{ bodhi_message_queue_name }}" queue_name: "{{ bodhi_message_queue_name }}"
@ -34,6 +32,9 @@
thresholds: thresholds:
warning: 10 warning: 10
critical: 100 critical: 100
sent_topics:
- org\\.fedoraproject\\.{{ env_short }}\\.bodhi\\..*
- role: openshift/project - role: openshift/project
app: bodhi app: bodhi
description: bodhi description: bodhi

2
playbooks/openshift-apps/bugzilla2fedmsg.yml
View file

@ -12,6 +12,8 @@
- role: rabbit/user - role: rabbit/user
username: "bugzilla2fedmsg{{ env_suffix }}" username: "bugzilla2fedmsg{{ env_suffix }}"
sent_topics:
- org\\.fedoraproject\\.{{ env_short }}\\.bugzilla\\..*
- role: openshift/project - role: openshift/project
app: bugzilla2fedmsg app: bugzilla2fedmsg

5
playbooks/openshift-apps/datanommer.yml
View file

@ -9,8 +9,6 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- role: rabbit/user
username: "datanommer{{ env_suffix }}"
- role: rabbit/queue - role: rabbit/queue
username: "datanommer{{ env_suffix }}" username: "datanommer{{ env_suffix }}"
queue_name: "datanommer{{ env_suffix }}" queue_name: "datanommer{{ env_suffix }}"
@ -19,6 +17,9 @@
thresholds: thresholds:
warning: 50 warning: 50
critical: 500 critical: 500
# Datanommer does not publish messages
sent_topics:
- "^$"
- role: openshift/project - role: openshift/project
app: datanommer app: datanommer

2
playbooks/openshift-apps/discourse2fedmsg.yml
View file

@ -11,6 +11,8 @@
roles: roles:
- role: rabbit/user - role: rabbit/user
username: "discourse2fedmsg{{ env_suffix }}" username: "discourse2fedmsg{{ env_suffix }}"
sent_topics:
- org\\.fedoraproject\\.{{ env_short }}\\.discourse\\..*
- role: openshift/project - role: openshift/project
app: discourse2fedmsg app: discourse2fedmsg

2
playbooks/openshift-apps/elections.yml
View file

@ -33,6 +33,8 @@
roles: roles:
- role: rabbit/user - role: rabbit/user
username: "elections{{ env_suffix }}" username: "elections{{ env_suffix }}"
sent_topics:
- org\\.fedoraproject\\.{{ env_short }}\\.fedora_elections\\..*
- role: openshift/project - role: openshift/project
app: elections app: elections

2
playbooks/openshift-apps/noggin-centos.yml
View file

@ -13,6 +13,8 @@
roles: roles:
- role: rabbit/user - role: rabbit/user
username: "noggin{{ env_suffix }}" username: "noggin{{ env_suffix }}"
sent_topics:
- org\\.fedoraproject\\.{{ env_short }}\\.noggin\\..*
- role: openshift/project - role: openshift/project
app: noggin-centos app: noggin-centos

2
playbooks/openshift-apps/noggin.yml
View file

@ -13,6 +13,8 @@
roles: roles:
- role: rabbit/user - role: rabbit/user
username: "noggin{{ env_suffix }}" username: "noggin{{ env_suffix }}"
sent_topics:
- org\\.fedoraproject\\.{{ env_short }}\\.noggin\\..*
- role: openshift/project - role: openshift/project
app: noggin app: noggin

1
roles/rabbit/queue/defaults/main.yml
View file

@ -7,3 +7,4 @@ thresholds:
warning: 10000 warning: 10000
critical: 100000 critical: 100000
nagios_server: noc01.iad2.fedoraproject.org nagios_server: noc01.iad2.fedoraproject.org
sent_topics: []

13
roles/rabbit/queue/tasks/main.yml
View file

@ -41,11 +41,21 @@
- fedora-messaging - fedora-messaging
- rabbitmq_cluster - rabbitmq_cluster
- name: Prepare the topic permissions dict
set_fact:
topic_permissions: "{{ topic_permissions|default([]) + [{'vhost': vhost, 'write_priv': item}] }}"
loop: "{{ sent_topics }}"
when: env == "staging"
- debug:
msg: "Topic permissions: {{ topic_permissions|default([]) }}"
when: topic_permissions is defined
# See https://www.rabbitmq.com/access-control.html#permissions for details on # See https://www.rabbitmq.com/access-control.html#permissions for details on
# the RabbitMQ permissions configuration. # the RabbitMQ permissions configuration.
- name: Create the {{ username }} user in RabbitMQ - name: Create the {{ username }} user in RabbitMQ
delegate_to: "{{ rabbitmq_server }}" delegate_to: "{{ rabbitmq_server }}"
rabbitmq_user: community.rabbitmq.rabbitmq_user:
user: "{{ username }}" user: "{{ username }}"
vhost: "{{ vhost }}" vhost: "{{ vhost }}"
# Read from queues prefixed with their name and bind to the topic exchange # Read from queues prefixed with their name and bind to the topic exchange
@ -54,6 +64,7 @@
# write_queues, and publish to the topic exchange # write_queues, and publish to the topic exchange
write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$" write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
configure_priv: "^$" # No configuration permissions configure_priv: "^$" # No configuration permissions
topic_permissions: "{{ topic_permissions|default([]) }}"
state: present state: present
tags: tags:
- fedora-messaging - fedora-messaging

1
roles/rabbit/user/defaults/main.yml
View file

@ -1,2 +1,3 @@
rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
vhost: /pubsub vhost: /pubsub
sent_topics: []

13
roles/rabbit/user/tasks/main.yml
View file

@ -23,14 +23,25 @@
- fedora-messaging - fedora-messaging
- rabbitmq_cluster - rabbitmq_cluster
- name: Prepare the topic permissions dict
set_fact:
topic_permissions: "{{ topic_permissions|default([]) + [{'vhost': vhost, 'write_priv': item}] }}"
loop: "{{ sent_topics }}"
when: env == "staging"
- debug:
msg: "Topic permissions: {{ topic_permissions|default([]) }}"
when: topic_permissions is defined
- name: Create the user in RabbitMQ - name: Create the user in RabbitMQ
delegate_to: "{{ rabbitmq_server }}" delegate_to: "{{ rabbitmq_server }}"
rabbitmq_user: community.rabbitmq.rabbitmq_user:
user: "{{ username }}" user: "{{ username }}"
vhost: "{{ vhost }}" vhost: "{{ vhost }}"
read_priv: "^$" # Publish only, no reading read_priv: "^$" # Publish only, no reading
write_priv: "amq\\.topic" write_priv: "amq\\.topic"
configure_priv: "^$" # No configuration permissions configure_priv: "^$" # No configuration permissions
topic_permissions: "{{ topic_permissions|default([]) }}"
state: present state: present
tags: tags:
- config - config