Refactor the rabbit/queue role to include the rabbit/user role

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2023-05-09 11:20:32 +02:00 · 2023-05-09 11:20:32 +02:00 · 93eaa5129b
commit 93eaa5129b
parent 5920da4334
4 changed files with 29 additions and 65 deletions
--- a/roles/rabbit/queue/defaults/main.yml
+++ b/roles/rabbit/queue/defaults/main.yml
@ -8,4 +8,3 @@ thresholds:
  warning:  10000
  critical: 100000
 nagios_server: noc01.iad2.fedoraproject.org
-sent_topics: null
--- a/roles/rabbit/queue/tasks/main.yml
+++ b/roles/rabbit/queue/tasks/main.yml
@ -30,53 +30,10 @@
    - fedora-messaging
    - rabbitmq_cluster

- name: Validate the user parameter
-  assert:
-    that:
-    - username != "admin"
-    - username != "guest"
-    - username != "nagios-monitoring"
-    fail_msg: "This user name is reserved"
-  tags:
-    - fedora-messaging
-    - rabbitmq_cluster
-
- name: Prepare the topic permissions dict
-  set_fact:
-    topic_permissions:
-      - vhost: "{{ vhost }}"
-        read_priv: .*
-        write_priv: "{{ sent_topics }}"
-  tags:
-    - fedora-messaging
-    - rabbitmq_cluster
-  when: env == "staging" and sent_topics
-
- debug:
-    msg: "Topic permissions: {{ topic_permissions|default([]) }}"
-  when: topic_permissions is defined
-  tags:
-    - fedora-messaging
-    - rabbitmq_cluster
-
-# See https://www.rabbitmq.com/access-control.html#permissions for details on
-# the RabbitMQ permissions configuration.
- name: Create the {{ username }} user in RabbitMQ
-  delegate_to: "{{ rabbitmq_server }}"
-  community.rabbitmq.rabbitmq_user:
-    user: "{{ username }}"
-    vhost: "{{ vhost }}"
-    # Read from queues prefixed with their name and bind to the topic exchange
-    read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$"
-    # Write to queues prefixed with their name and any prefixes in
-    # write_queues, and publish to the topic exchange
-    write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
-    configure_priv: "^$"  # No configuration permissions
-    topic_permissions: "{{ topic_permissions|default([]) }}"
-    state: present
-  tags:
-    - fedora-messaging
-    - rabbitmq_cluster
+- include_role:
+    name: rabbit/user
+  vars:
+    publish_only: false

 - name: Create the {{ queue_name }} queue in RabbitMQ
  delegate_to: "{{ rabbitmq_server }}"
--- a/roles/rabbit/user/defaults/main.yml
+++ b/roles/rabbit/user/defaults/main.yml
@ -1,3 +1,22 @@
 rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
 vhost: /pubsub
-sent_topics: null
+publish_only: true
+
+# Read privileges:
+# If publish_only: no reading. Otherwise, read from queues prefixed
+# with their name and bind to the topic exchange
+read_priv: "{{ publish_only|ternary('^$', '^(zmq\\.topic)|^(amq\\.topic)|(' + username + '.*)$') }}"
+
+# Write privileges:
+# If publish_only: only write to the exchange. Otherwise, write to
+# queues prefixed with their name and any prefixes in write_queues,
+# and publish to the topic exchange
+write_priv: "^(amq\\.topic){% if not publish_only %}|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}{% endif %}$"
+
+# Topic authorization:
+# Ref: https://www.rabbitmq.com/access-control.html#topic-authorisation
+sent_topics: .*
+topic_permissions:
+  - vhost: "{{ vhost }}"
+    read_priv: .*
+    write_priv: "{{ sent_topics }}"
--- a/roles/rabbit/user/tasks/main.yml
+++ b/roles/rabbit/user/tasks/main.yml
@ -24,35 +24,24 @@
    - fedora-messaging
    - rabbitmq_cluster

- name: Prepare the topic permissions dict
-  set_fact:
-    topic_permissions:
-      - vhost: "{{ vhost }}"
-        read_priv: .*
-        write_priv: "{{ sent_topics }}"
-  tags:
-    - config
-    - fedora-messaging
-    - rabbitmq_cluster
-  when: env == "staging" and sent_topics
-
 - debug:
    msg: "Topic permissions: {{ topic_permissions|default([]) }}"
  tags:
    - config
    - fedora-messaging
    - rabbitmq_cluster
-  when: topic_permissions is defined

+# See https://www.rabbitmq.com/access-control.html#permissions for details on
+# the RabbitMQ permissions configuration.
 - name: Create the user in RabbitMQ
  delegate_to: "{{ rabbitmq_server }}"
  community.rabbitmq.rabbitmq_user:
    user: "{{ username }}"
    vhost: "{{ vhost }}"
-    read_priv: "^$"  # Publish only, no reading
-    write_priv: "amq\\.topic"
+    read_priv: "{{ read_priv }}"
+    write_priv: "{{ write_priv }}"
    configure_priv: "^$"  # No configuration permissions
-    topic_permissions: "{{ topic_permissions|default([]) }}"
+    topic_permissions: "{{ (env == 'staging')|ternary(topic_permissions, []) }}"
    state: present
  tags:
    - config