From 756619cee04cedb3c15aa527014ef64dd104c750 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Tue, 5 Mar 2019 08:54:08 +0000
Subject: [PATCH] Create a rabbit/user role
---
 playbooks/groups/koji-hub.yml | 30 ++-----------------
 .../openshift-apps/release-monitoring.yml | 25 ++--------------
 roles/rabbit/user/defaults/main.yml | 2 ++
 roles/rabbit/user/tasks/main.yml | 25 ++++++++++++++++
 4 files changed, 32 insertions(+), 50 deletions(-)
 create mode 100644 roles/rabbit/user/defaults/main.yml
 create mode 100644 roles/rabbit/user/tasks/main.yml
diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml
index 252ebe23a8..7facf94c83 100644
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@@ -79,6 +79,9 @@
 nfs_src_dir: 'fedora_koji'
 when: env == 'staging' and inventory_hostname.startswith('koji')
 - sudo
+ - role: rabbit/user
+ username: "koji{{ env_suffix }}"
+ when: env == 'staging'
 tasks:
 - import_tasks: "{{ tasks_path }}/2fa_client.yml"
@@ -110,30 +113,3 @@ handlers:
 - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-
-# Setup the rabbitmq user so fedora-messaging can send messages
-- name: setup RabbitMQ
- hosts: rabbitmq-stg[0]
- #hosts: rabbitmq[0]:rabbitmq-stg[0]
- user: root
- gather_facts: False
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- tasks:
- - name: Create the RabbitMQ user
- when: env == 'staging'
- rabbitmq_user:
- user: "koji{{ env_suffix }}"
- vhost: /pubsub
- read_priv: "^$"
- write_priv: "amq\\.topic"
- configure_priv: "^$"
- state: present
- tags:
- - config
- - fedora-messaging
diff --git a/playbooks/openshift-apps/release-monitoring.yml b/playbooks/openshift-apps/release-monitoring.yml
index 823d4fbe72..35e7db9f7b 100644
--- a/playbooks/openshift-apps/release-monitoring.yml
+++ b/playbooks/openshift-apps/release-monitoring.yml
@@ -1,26 +1,3 @@
-# Create the RabbitMQ users
-
-- name: setup RabbitMQ
- hosts: rabbitmq[0]:rabbitmq-stg[0]
- user: root
- gather_facts: False
-
- vars_files:
- - /srv/web/infra/ansible/vars/global.yml
- - "/srv/private/ansible/vars.yml"
- - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
- tasks:
- - name: Create the RabbitMQ user
- rabbitmq_user:
- user: "anitya{{ env_suffix }}"
- vhost: /pubsub
- read_priv: "^anitya.*$"
- write_priv: "amq.topic"
- configure_priv: "^$"
- tags:
- - config
-
 # Deploy the app
 - name: make the app be real
@@ -34,6 +11,8 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 roles:
+ - role: rabbit/user
+ username: "anitya{{ env_suffix }}"
 - role: openshift/project
 app: release-monitoring
 description: release-monitoring
diff --git a/roles/rabbit/user/defaults/main.yml b/roles/rabbit/user/defaults/main.yml
new file mode 100644
index 0000000000..c02b334e73
--- /dev/null
+++ b/roles/rabbit/user/defaults/main.yml
@@ -0,0 +1,2 @@
+rabbitmq_server: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"
+vhost: /pubsub
diff --git a/roles/rabbit/user/tasks/main.yml b/roles/rabbit/user/tasks/main.yml
new file mode 100644
index 0000000000..9333fb70bf
--- /dev/null
+++ b/roles/rabbit/user/tasks/main.yml
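Review bot: Moving the anitya user onto `rabbit/user` at `- role: rabbit/user` narrows its permissions without saying so: the task deleted in the first hunk granted `read_priv: "^anitya.*$"`, whereas the role hard-codes `read_priv: "^$"`, so if release-monitoring consumes from any queue matching `anitya.*` it loses that access on the next run. Either confirm the application only publishes, or make the grant overridable in the role (`read_priv: "{{ read_priv | default('^$') }}"` in roles/rabbit/user/tasks/main.yml) and pass `read_priv: "^anitya.*$"` next to `username` here. The stricter `write_priv` (`amq\\.topic` instead of the unescaped `amq.topic`, which also matched names such as `amqXtopic`) is a deliberate tightening worth a line in the commit message. The play this `roles:` list belongs to starts outside the hunk.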
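Review bot: `vhost` and `rabbitmq_server` are unprefixed role defaults, and role defaults sit at the bottom of Ansible's variable precedence, so any inventory, group or play variable that happens to be called `vhost` (a common name in web-app playbooks) silently redirects the grant to another vhost with no error. Prefixing them while the role still has only the two callers in this commit is cheap, e.g. `rabbit_user_vhost: /pubsub` and `rabbit_user_server: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"`, with the matching lookups in tasks/main.yml; the required `username` parameter deserves the same treatment. A one-line comment above `rabbitmq_server` saying that it is the host the `rabbitmq_user` task is delegated to, not a broker connection setting, would also help callers who override it.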
@@ -0,0 +1,25 @@
+---
+
+# Ensure a user exists in RabbitMQ with permissions to only publish.
+# This is intended to be something most applications can use, but if you need
+# more flexibility, just use the rabbitmq_user module directly.
+#
+# Required parameters:
+#
+# - username (str): the username to create in RabbitMQ, which should match the
+# CN of the certificate.
+
+# See https://www.rabbitmq.com/access-control.html#permissions for details on
+# the RabbitMQ permissions configuration.
+- name: Create the user in RabbitMQ
+ delegate_to: "{{ rabbitmq_server }}"
+ rabbitmq_user:
+ user: "{{ username }}"
+ vhost: "{{ vhost }}"
+ read_priv: "^$" # Publish only, no reading
+ write_priv: "amq\\.topic"
+ configure_priv: "^$" # No configuration permissions
+ state: present
+ tags:
+ - config
+ - fedora-messaging
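Review bot: The task at `delegate_to: "{{ rabbitmq_server }}"` runs on the RabbitMQ host with whatever remote user and privilege escalation the calling play uses, while both plays this commit removes connected there explicitly as `user: root`; `rabbitmq_user` drives rabbitmqctl, which typically needs root or the rabbitmq account, so unless every caller connects as root the delegated task will fail — either add `become: true` to the task or state the requirement in the header comment. Because the role is listed in each caller's `roles:`, the task also executes once per host of the calling play; `run_once: true` would restore the single grant the removed single-host plays performed. The header documents only `username`; add the overridable defaults too, e.g. `# Optional: vhost (default /pubsub), rabbitmq_server (host the task is delegated to)`.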