Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Refactor the rabbit/queue role to include the rabbit/user role

Browse source 
Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
This commit is contained in:
Aurélien Bompard 2023-05-09 11:20:32 +02:00
parent 5920da4334
commit 93eaa5129b
No known key found for this signature in database
GPG key ID: 31584CFEB9BF64AD
4 changed files with 29 additions and 65 deletions
Download patch file Download diff file Expand all files Collapse all files

1
roles/rabbit/queue/defaults/main.yml
View file

@ -8,4 +8,3 @@ thresholds:
warning: 10000 warning: 10000
critical: 100000 critical: 100000
nagios_server: noc01.iad2.fedoraproject.org nagios_server: noc01.iad2.fedoraproject.org
sent_topics: null

51
roles/rabbit/queue/tasks/main.yml
View file

@ -30,53 +30,10 @@
- fedora-messaging - fedora-messaging
- rabbitmq_cluster - rabbitmq_cluster
- name: Validate the user parameter - include_role:
assert: name: rabbit/user
that: vars:
- username != "admin" publish_only: false
- username != "guest"
- username != "nagios-monitoring"
fail_msg: "This user name is reserved"
tags:
- fedora-messaging
- rabbitmq_cluster
- name: Prepare the topic permissions dict
set_fact:
topic_permissions:
- vhost: "{{ vhost }}"
read_priv: .*
write_priv: "{{ sent_topics }}"
tags:
- fedora-messaging
- rabbitmq_cluster
when: env == "staging" and sent_topics
- debug:
msg: "Topic permissions: {{ topic_permissions|default([]) }}"
when: topic_permissions is defined
tags:
- fedora-messaging
- rabbitmq_cluster
# See https://www.rabbitmq.com/access-control.html#permissions for details on
# the RabbitMQ permissions configuration.
- name: Create the {{ username }} user in RabbitMQ
delegate_to: "{{ rabbitmq_server }}"
community.rabbitmq.rabbitmq_user:
user: "{{ username }}"
vhost: "{{ vhost }}"
# Read from queues prefixed with their name and bind to the topic exchange
read_priv: "^(zmq\\.topic)|^(amq\\.topic)|({{ username }}.*)$"
# Write to queues prefixed with their name and any prefixes in
# write_queues, and publish to the topic exchange
write_priv: "^(amq\\.topic)|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}$"
configure_priv: "^$" # No configuration permissions
topic_permissions: "{{ topic_permissions|default([]) }}"
state: present
tags:
- fedora-messaging
- rabbitmq_cluster
- name: Create the {{ queue_name }} queue in RabbitMQ - name: Create the {{ queue_name }} queue in RabbitMQ
delegate_to: "{{ rabbitmq_server }}" delegate_to: "{{ rabbitmq_server }}"

21
roles/rabbit/user/defaults/main.yml
View file

@ -1,3 +1,22 @@
rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org" rabbitmq_server: "rabbitmq01{{ env_suffix }}.iad2.fedoraproject.org"
vhost: /pubsub vhost: /pubsub
sent_topics: null publish_only: true
# Read privileges:
# If publish_only: no reading. Otherwise, read from queues prefixed
# with their name and bind to the topic exchange
read_priv: "{{ publish_only|ternary('^$', '^(zmq\\.topic)|^(amq\\.topic)|(' + username + '.*)$') }}"
# Write privileges:
# If publish_only: only write to the exchange. Otherwise, write to
# queues prefixed with their name and any prefixes in write_queues,
# and publish to the topic exchange
write_priv: "^(amq\\.topic){% if not publish_only %}|({{ username }}.*){% for queue in write_queues|default([]) %}|({{ queue }}.*){% endfor %}{% endif %}$"
# Topic authorization:
# Ref: https://www.rabbitmq.com/access-control.html#topic-authorisation
sent_topics: .*
topic_permissions:
- vhost: "{{ vhost }}"
read_priv: .*
write_priv: "{{ sent_topics }}"

21
roles/rabbit/user/tasks/main.yml
View file

@ -24,35 +24,24 @@
- fedora-messaging - fedora-messaging
- rabbitmq_cluster - rabbitmq_cluster
- name: Prepare the topic permissions dict
set_fact:
topic_permissions:
- vhost: "{{ vhost }}"
read_priv: .*
write_priv: "{{ sent_topics }}"
tags:
- config
- fedora-messaging
- rabbitmq_cluster
when: env == "staging" and sent_topics
- debug: - debug:
msg: "Topic permissions: {{ topic_permissions|default([]) }}" msg: "Topic permissions: {{ topic_permissions|default([]) }}"
tags: tags:
- config - config
- fedora-messaging - fedora-messaging
- rabbitmq_cluster - rabbitmq_cluster
when: topic_permissions is defined
# See https://www.rabbitmq.com/access-control.html#permissions for details on
# the RabbitMQ permissions configuration.
- name: Create the user in RabbitMQ - name: Create the user in RabbitMQ
delegate_to: "{{ rabbitmq_server }}" delegate_to: "{{ rabbitmq_server }}"
community.rabbitmq.rabbitmq_user: community.rabbitmq.rabbitmq_user:
user: "{{ username }}" user: "{{ username }}"
vhost: "{{ vhost }}" vhost: "{{ vhost }}"
read_priv: "^$" # Publish only, no reading read_priv: "{{ read_priv }}"
write_priv: "amq\\.topic" write_priv: "{{ write_priv }}"
configure_priv: "^$" # No configuration permissions configure_priv: "^$" # No configuration permissions
topic_permissions: "{{ topic_permissions|default([]) }}" topic_permissions: "{{ (env == 'staging')|ternary(topic_permissions, []) }}"
state: present state: present
tags: tags:
- config - config