Create a rabbit/user role

2019-03-05 08:54:08 +00:00 · 2019-03-05 08:54:08 +00:00 · 756619cee0
commit 756619cee0
parent 8a43e9a745
4 changed files with 32 additions and 50 deletions
--- a/playbooks/groups/koji-hub.yml
+++ b/playbooks/groups/koji-hub.yml
@ -79,6 +79,9 @@
    nfs_src_dir: 'fedora_koji'
    when: env == 'staging' and inventory_hostname.startswith('koji')
  - sudo
+  - role: rabbit/user
+    username: "koji{{ env_suffix }}"
+    when: env == 'staging'

  tasks:
  - import_tasks: "{{ tasks_path }}/2fa_client.yml"
@ -110,30 +113,3 @@

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"
-
-
-# Setup the rabbitmq user so fedora-messaging can send messages
- name: setup RabbitMQ
-  hosts: rabbitmq-stg[0]
-  #hosts: rabbitmq[0]:rabbitmq-stg[0]
-  user: root
-  gather_facts: False
-
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - "/srv/private/ansible/vars.yml"
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  tasks:
-    - name: Create the RabbitMQ user
-      when: env == 'staging'
-      rabbitmq_user:
-        user: "koji{{ env_suffix }}"
-        vhost: /pubsub
-        read_priv: "^$"
-        write_priv: "amq\\.topic"
-        configure_priv: "^$"
-        state: present
-      tags:
-        - config
-        - fedora-messaging
--- a/playbooks/openshift-apps/release-monitoring.yml
+++ b/playbooks/openshift-apps/release-monitoring.yml
@ -1,26 +1,3 @@
-# Create the RabbitMQ users
-
- name: setup RabbitMQ
-  hosts: rabbitmq[0]:rabbitmq-stg[0]
-  user: root
-  gather_facts: False
-
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - "/srv/private/ansible/vars.yml"
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  tasks:
-    - name: Create the RabbitMQ user
-      rabbitmq_user:
-        user: "anitya{{ env_suffix }}"
-        vhost: /pubsub
-        read_priv: "^anitya.*$"
-        write_priv: "amq.topic"
-        configure_priv: "^$"
-      tags:
-        - config
-
 # Deploy the app

 - name: make the app be real
@ -34,6 +11,8 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
+  - role: rabbit/user
+    username: "anitya{{ env_suffix }}"
  - role: openshift/project
    app: release-monitoring
    description: release-monitoring
--- a/roles/rabbit/user/defaults/main.yml
+++ b/roles/rabbit/user/defaults/main.yml
@ -0,0 +1,2 @@
+rabbitmq_server: "rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org"
+vhost: /pubsub
--- a/roles/rabbit/user/tasks/main.yml
+++ b/roles/rabbit/user/tasks/main.yml
@ -0,0 +1,25 @@
+---
+
+# Ensure a user exists in RabbitMQ with permissions to only publish.
+# This is intended to be something most applications can use, but if you need
+# more flexibility, just use the rabbitmq_user module directly.
+#
+# Required parameters:
+#
+#   - username (str): the username to create in RabbitMQ, which should match the
+#                     CN of the certificate.
+
+# See https://www.rabbitmq.com/access-control.html#permissions for details on
+# the RabbitMQ permissions configuration.
+- name: Create the user in RabbitMQ
+  delegate_to: "{{ rabbitmq_server }}"
+  rabbitmq_user:
+    user: "{{ username }}"
+    vhost: "{{ vhost }}"
+    read_priv: "^$"  # Publish only, no reading
+    write_priv: "amq\\.topic"
+    configure_priv: "^$"  # No configuration permissions
+    state: present
+  tags:
+    - config
+    - fedora-messaging