[RFC] Add a public vhost for the rabbitmq cluster

This adds a new virtual host in RabbitMQ, /public_pubsub, intended to be
used by consumers outside Fedora's infrastructure. The federation plugin
is used to push any messages published to the /pubsub amq.topic exchange
into the /public_pubsub amq.topic exchange.

A user called "fedora" with the password of "fedora" is created in this
virtual host with permissions to create UUIDish queues. A policy is
applied to queues that deletes them after 7 days of not being used and
sets a maximum size of 50MB to a queue to ensure abandoned queues don't
get too big.

Signed-off-by: Jeremy Cline <jcline@xxxxxxxxxx>
---
I'm sending this out for review, but I'm happy to apply it myself, run
the playbooks when it's convenient for folks, and troubleshoot. I'm
dubious about my ability to get the URL correct on the first try, and it
also needs certificates to be generated for federation user it creates.

 roles/rabbitmq_cluster/tasks/main.yml | 88 ++++++++++++++++++++++++++-
 1 file changed, 87 insertions(+), 1 deletion(-)

diff --git a/roles/rabbitmq_cluster/tasks/main.yml b/roles/rabbitmq_cluster/tasks/main.yml
index d88fb8102..753d7596e 100644
--- a/roles/rabbitmq_cluster/tasks/main.yml
+++ b/roles/rabbitmq_cluster/tasks/main.yml
@@ -101,7 +101,10 @@
 
 - name: Enable the HTTP management console and SSL authentication plugins
   rabbitmq_plugin:
-    names: rabbitmq_management,rabbitmq_auth_mechanism_ssl
+    names: "rabbitmq_management,\
+            rabbitmq_auth_mechanism_ssl,\
+            rabbitmq_federation,\
+            rabbitmq_federation_management"
   tags:
   - rabbitmq_cluster
   - config
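Review bot: the backslash line continuations inside the double-quoted `names:` value do parse (YAML drops the escaped line break and the continuation indentation), but the form is fragile: any whitespace left before a trailing `\` is preserved in the resulting string and the plugin name then fails to enable. A single-line `names: rabbitmq_management,rabbitmq_auth_mechanism_ssl,rabbitmq_federation,rabbitmq_federation_management` is safer and easier to grep. The commit message should also mention that the two federation plugins are being enabled, since `rabbitmq_federation_management` adds federation state to the management console.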
@@ -177,3 +180,86 @@
   tags:
   - rabbitmq_cluster
   - config
+
+# This is the publicly accessible virtual host
+- name: Configure the publicly accessible vhost
+  rabbitmq_vhost:
+    name: /public_pubsub
+    state: present
+  tags:
+  - rabbitmq_cluster
+  - config
+
+- name: Configure a policy to ensure the public vhost stays swept up and tidy
+  rabbitmq_policy:
+    apply_to: queues
+    name: sweeper
+    state: present
+    pattern: ".*"
+    tags:
+      # Unused queues are killed after 1000 * 60 * 60 * 24 * 7 (1 week in milliseconds)
+      expires: 604800000
+      # Queues can use at most 1024 * 1024 * 50 (50MB) to store messages
+      max-length-bytes: 52428800
+    vhost: /public_pubsub
+  tags:
+  - rabbitmq_cluster
+  - config
+
+# Create a user with:
+#   * permission to configure and write to any uuidish-named objects
+#   * permission to read anything since users need to read exchanges for bindings
+#     read queues for consuming
+- name: Create a user for public access
+  rabbitmq_user:
+    user: fedora
+    password: fedora
+    permissions:
+      - vhost: /public_pubsub
+        # Matches, for example, de23804a-304a-4228-b239-35099c98bd1e
+        # Regex is Erlang flavored: http://erlang.org/doc/man/re.html
+        configure_priv: "^(\w{8}(-\w{4}){3}-\w{12})$"
+        write_priv: "^(\w{8}(-\w{4}){3}-\w{12})$"
+        read_priv: .*
+    state: present
+  tags:
+  - rabbitmq_cluster
+  - config
+
+# User with permissions to shovel messages out of pubsub into the public vhost.
+# This user needs permissions to create a new exchange, bind an exchange to an
+# exchange, create a queue, and bind a queue to an exchange.
+- name: Create a user for federation
+  rabbitmq_user:
+    user: pubsub_federation
+    password: pubsub_federation
+    permissions:
+      - vhost: /pubsub
+        configure_priv: "^federation.*"
+        write_priv: "^federation.*"
+        read_priv: .*
+    state: present
+  tags:
+  - rabbitmq_cluster
+  - config
+
+# This is the connection from our public vhost to the private pubsub vhost.
+# Note that at present they live on the same cluster, but they don't need to.
+- name: Configure federation upstream from pubsub to the public_pubsub vhost
+  rabbitmq_parameter:
+    component: federation-upstream
+    name: pubsub-to-public_pubsub
+    value: '{"uri":"amqp://pubsub_federation:@rabbitmq01{{ env_suffix }}.phx2.fedoraproject.org/%2Fpubsub?cacertfile=/etc/pki/rabbitmq/ca/rabbitmq-ca.crt&certfile=/etc/pki/rabbitmq/crt/rabbitmq-pubsub_federation.crt&keyfile=/etc/pki/rabbitmq/key/rabbitmq-pubsub_federation.key&verify=verify_peer&fail_if_no_peer_cert=true&auth_mechanism=external","ack-mode":"on-confirm"}'
+    state: present
+    vhost: /public_pubsub
+
+- name: Configure a policy to federate the pubsub topic exchange to public_pubsub
+  rabbitmq_policy:
+    apply_to: exchanges
+    name: pubsub-to-public_pubsub
+    state: present
+    pattern: "^amq\\.topic$"
+    tags:
+      federation-upstream: "pubsub-to-public_pubsub"
+    vhost: /public_pubsub
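Review bot: the `configure_priv` and `write_priv` values `"^(\w{8}(-\w{4}){3}-\w{12})$"` are double-quoted YAML scalars, and `\w` is not a valid escape sequence there, so the play will fail to parse; the policy pattern `"^amq\\.topic$"` later in this hunk shows the working form. Either double the backslashes (`"^(\\w{8}(-\\w{4}){3}-\\w{12})$"`) or use single quotes. Two smaller points: the federation-upstream task and the federation policy task at the end are the only ones without `tags: [rabbitmq_cluster, config]`, so a tag-limited run of the role would create the vhost and users but never the federation link; and `pubsub_federation` is created with a static, guessable password that is never used (the upstream URI authenticates with `auth_mechanism=external` and an empty password) while holding `read_priv: .*` on the private /pubsub vhost, so it should be created without a password or with one from vault. Finally, `read_priv: .*` on the shared `fedora` account lets any public client consume from every queue in the vhost, not only the ones it created; the inline comment gives the reason, but that trade-off belongs in the commit message too.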
-- 
2.20.1
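Before merging permission regexes it helps to exercise them the way RabbitMQ will. The following script is an added example, not part of the patch or of Fedora's infrastructure code: it evaluates the three permission patterns the patch gives the public `fedora` user against constructed resource names, using `re.ASCII` so that Python's `\w` behaves like Erlang's ASCII `[A-Za-z0-9_]`. The `STRICT_UUID` pattern is an assumption added for comparison; it is not in the patch.

```python
import re
import uuid

# Permission regexes from the proposed /public_pubsub configuration.
# RabbitMQ evaluates them with Erlang's re module, where \w is the
# ASCII class [A-Za-z0-9_]; re.ASCII reproduces that in Python.
CONFIGURE = re.compile(r"^(\w{8}(-\w{4}){3}-\w{12})$", re.ASCII)
WRITE = CONFIGURE
READ = re.compile(r".*", re.ASCII)

# Assumption (not in the patch): a stricter pattern that only accepts
# lowercase hex UUIDs, for comparison with the \w-based one above.
STRICT_UUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.ASCII)


def permissions_for(name):
    """Return which of configure/write/read the public user gets on a resource name.

    RabbitMQ checks each operation's regex against the exchange or queue
    name; a match grants the operation on that resource.
    """
    return {
        "configure": CONFIGURE.match(name) is not None,
        "write": WRITE.match(name) is not None,
        "read": READ.match(name) is not None,
    }


def is_strict_uuid(name):
    """True only for canonical lowercase hex UUIDs (the stricter alternative)."""
    return STRICT_UUID.match(name) is not None


# Constructed sample names: the UUID from the patch comment, the federated
# exchange, a \w-shaped name that is not a UUID, and a human-chosen queue name.
SAMPLE_NAMES = [
    str(uuid.UUID("de23804a-304a-4228-b239-35099c98bd1e")),
    "amq.topic",
    "ZZZZZZZZ-____-____-____-ZZZZZZZZZZZZ",
    "my-consumer-queue",
]


def report(names=SAMPLE_NAMES):
    """Tabulate the permission outcome for each sample name."""
    rows = []
    for name in names:
        perms = permissions_for(name)
        rows.append((name, perms["configure"], perms["write"], perms["read"], is_strict_uuid(name)))
    return rows


if __name__ == "__main__":
    print(f"{'name':40} configure write read strict-uuid")
    for name, conf, write, read, strict in report():
        print(f"{name:40} {conf!s:9} {write!s:5} {read!s:4} {strict!s}")
```

Running it shows the two things a reviewer wants to see: `read` is granted on every name, including `amq.topic` and other clients' queues, and the `\w`-based pattern accepts `ZZZZZZZZ-____-____-____-ZZZZZZZZZZZZ` even though it is not a UUID, so the "UUIDish" restriction is looser than its comment suggests.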
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx