From 944e410f02f4c0d18563aaadac7c2df1fc563d59 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Tue, 2 Apr 2019 22:04:19 +0200
Subject: [PATCH] greenwave: replace the rabbit/user role by explicit calls to rabbitmq_user
The rabbit/user role is intended setting up for simple, write-only users, but in this case we need an user who can write and read (listen) to the bus, so we're just calling rabbitmq_user directly.
Signed-off-by: Pierre-Yves Chibon
---
 playbooks/openshift-apps/greenwave.yml | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/playbooks/openshift-apps/greenwave.yml b/playbooks/openshift-apps/greenwave.yml
index 448a50804a..f376690e75 100644
--- a/playbooks/openshift-apps/greenwave.yml
+++ b/playbooks/openshift-apps/greenwave.yml
@@ -8,9 +8,21 @@
 - "/srv/private/ansible/vars.yml"
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ tasks:
+ - name: Create the user in RabbitMQ
+ delegate_to: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"
+ rabbitmq_user:
+ user: "greenwave{{ env_suffix }}"
+ vhost: "/pubsub"
+ read_priv: "amq\\.topic" # Publish only, no reading
+ write_priv: "amq\\.topic"
+ configure_priv: "^$" # No configuration permissions
+ state: present
+ tags:
+ - config
+ - fedora-messaging
+
 roles:
- - role: rabbit/user
- username: "greenwave{{ env_suffix }}"
 # The openshift/project role breaks if the project already exists:
 # https://pagure.io/fedora-infrastructure/issue/6404
 - role: openshift/project
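Review bot: The inline comment on `read_priv: "amq\\.topic"  # Publish only, no reading` contradicts both the value and the commit message, since the pattern grants read on amq.topic and the stated goal is a user that can listen to the bus. Anyone auditing broker permissions from this playbook would be misled, so the comment should state what is granted, e.g. `# Read (bind/consume) on amq.topic`. The read and write patterns are also unanchored, unlike `configure_priv: "^$"`. As far as I know RabbitMQ matches these regexes against resource names without implicit anchoring, so any exchange or queue whose name contains `amq.topic` would be covered, and `"^amq\\.topic$"` for both would keep the grant to that one exchange. Whether read on the exchange alone is enough for the consumer depends on how its queue is provisioned, which this hunk does not show.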