Try dynamically generating some fedmsg config from group/host vars in staging.

filter_plugins/fedmsg.py

@@ -0,0 +1,25 @@
+import operator
+
+
+def invert_fedmsg_authz_policy(vars):
+    """ Given hostvars that map hosts -> topics, invert that
+    and return a dict that maps topics -> hosts.
+
+    Really, returns a list of tuples -- not a dict.
+    """
+
+    inverted = {}
+    for host in vars:
+        prefix = '.'.join([vars[host]['fedmsg_prefix'],
+                           vars[host]['fedmsg_env']])
+        fqdn = vars[host].get('fedmsg_fqdn', vars[host]['ansible_fqdn'])
+
+        for cert in vars[host].get('fedmsg_certs', []):
+            for topic in cert.get('can_send', []):
+                key = prefix + '.' + topic
+                inverted[key] = inverted.get(key, [])
+                inverted[key].append(cert['service'] + '-' + fqdn)
+
+    result = inverted.items()
+    result.sort(key=operator.itemgetter(0))
+    return result

inventory/group_vars/all

@@ -59,6 +59,10 @@ fedmsg_loglevel: INFO
 # active.
 fedmsg_active: False
 
+# Other defaults for fedmsg environments
+fedmsg_prefix: org.fedoraproject
+fedmsg_env: prod
+
 # By default, nodes don't backup any dbs on them unless they declare it.
 dbs_to_backup: []
 

inventory/group_vars/anitya-backend

@@ -29,6 +29,8 @@ fedmsg_certs:
   owner: root
   group: fedmsg
 
+fedmsg_prefix: org.release-monitoring
+fedmsg_env: prod
 
 # For the MOTD
 csi_security_category: Low

inventory/group_vars/anitya-frontend

@@ -31,6 +31,8 @@ fedmsg_certs:
   owner: root
   group: apache
 
+fedmsg_prefix: org.release-monitoring
+fedmsg_env: prod
 
 # For the MOTD
 csi_security_category: Low

inventory/group_vars/badges-backend

@@ -20,6 +20,9 @@ fedmsg_certs:
 - service: fedbadges
   owner: root
   group: fedmsg
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
 
 
 # For the MOTD

inventory/group_vars/badges-backend-stg

@@ -20,6 +20,9 @@ fedmsg_certs:
 - service: fedbadges
   owner: root
   group: fedmsg
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
 
 
 # For the MOTD

inventory/group_vars/badges-web

@@ -25,6 +25,10 @@ fedmsg_certs:
 - service: tahrir
   owner: root
   group: tahrir
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
+  - fedbadges.person.login.first
 
 
 # For the MOTD

inventory/group_vars/badges-web-stg

@@ -25,6 +25,10 @@ fedmsg_certs:
 - service: tahrir
   owner: root
   group: tahrir
+  can_send:
+  - fedbadges.badge.award
+  - fedbadges.person.rank.advance
+  - fedbadges.person.login.first
 
 
 # For the MOTD

inventory/group_vars/pagure

@@ -20,6 +20,9 @@ fedmsg_certs:
   owner: git
   group: apache
 
+fedmsg_prefix: io.pagure
+fedmsg_env: prod
+
 fas_client_groups: sysadmin-noc,sysadmin-web
 
 freezes: false

inventory/group_vars/pagure-stg

@@ -20,6 +20,9 @@ fedmsg_certs:
   owner: git
   group: apache
 
+fedmsg_prefix: io.pagure
+fedmsg_env: stg
+
 fas_client_groups: sysadmin-noc,sysadmin-web
 
 freezes: false

inventory/group_vars/staging

@@ -9,3 +9,6 @@ wildcard_cert_name: wildcard-2014.stg.fedoraproject.org
 
 # This only does anything if the host is not RHEL6
 collectd_graphite: True
+
+fedmsg_prefix: org.fedoraproject
+fedmsg_env: stg

roles/anitya/fedmsg/templates/base.py.j2

@@ -1,7 +1,6 @@
 config = dict(
-    topic_prefix="org.release-monitoring",
-
-    environment="prod",
+    topic_prefix="{{ fedmsg_prefix }}",
+    environment="{{ fedmsg_env }}",
 
     # This used to be set to 1 for safety, but it turns out it was
     # excessive.  It is the number of seconds that fedmsg should sleep

roles/fedmsg/base/templates/base.py.j2

@@ -1,11 +1,7 @@
 config = dict(
     # Set this to dev if you're hacking on fedmsg or an app locally.
     # Set to stg or prod if running in the Fedora Infrastructure.
-    {% if env == 'staging' %}
-    environment="stg",
-    {% else %}
-    environment="prod",
-    {% endif %}
+    environment="{{ fedmsg_env }}",
 
     # Most hosts will be "false" here indicating that if they publish messages,
     # they will passively bind to ports and have other consuming services

roles/fedmsg/base/templates/policy.py.j2

@@ -216,6 +216,17 @@ config = dict(
         topic_prefix + "announce.announcement": [
             "announce-lockbox01.phx2.fedoraproject.org",
         ],
+
+        {% if env == 'staging' %}
+        # ** policy dynamically generated from inventory vars
+        # See ansible/filter_plugins/fedmsg.py for this inversion filter.
+        {% for topic, certs in hostvars | invert_fedmsg_authz_policy %}
+        "{{topic}}": [
+        {% for cert in certs %}
+            "{{ cert }}",{% endfor %}
+        ],
+        {% endfor %}
+        {% endif %}
     },
 )
 

roles/pagure/fedmsg/templates/base.py.j2

@@ -1,11 +1,11 @@
 config = dict(
-    topic_prefix="io.pagure",
 
     # Tell every call to `fedmsg.publish` to use the relay
     active=True,
     cert_prefix="pagure",
 
-    environment="prod",
+    topic_prefix="{{ fedmsg_prefix }}",
+    environment="{{ fedmsg_env }}",
 
     # This used to be set to 1 for safety, but it turns out it was
     # excessive.  It is the number of seconds that fedmsg should sleep