Hey folks!
I have begun setting topic authorizations on our message bus: apps will no longer be able to send messages to any topics, only to those they are explicitly allowed to. I'll need your help to make sure I'm not forgetting topics that your app wants to send to.
In RabbitMQ these authorizations are implemented as a set of regexps, so it's not necessary to build an exhaustive list of the topics your app may send to, thankfully. In the Ansible role I've implemented it as a variable `sent_topics` that is a list of allowed regexps, usually matching the application name right after the topic prefix. Example for batcave:
sent_topics:
- ^org\.fedoraproject\.{{ env_short }}\.ansible\..*
- ^org\.fedoraproject\.{{ env_short }}\.git\..*
- ^org\.fedoraproject\.{{ env_short }}\.infragit\..*
- ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
Some questions you might ask:
- What happens if I try to send to a topic that is not allowed?
In this case fedora-messaging will raise an exception in the publish() call.
- What happens if I don't set the sent_topics list?
When the list is not set, all topics are allowed. Therefore if you don't do anything, your app will technically keep working as before, but you will make infra folks a bit sad because if your certificate gets compromised, someone might send messages to the bus on any topic. If that happens, you will feel bad. Take care of future you and set the variable now.
- What if my app does not send any messages?
Then set `sent_topics` to a list containing a single element: ^$
- How do I test this?
At the moment, the sent_topics list is only taken into account on staging. So what you can do is set it to a sensible value, run the playbook(s) on staging, and check your application's logs for tracebacks when a message should be sent.
- When do you plan to apply these restrictions on prod?
I don't know yet. When we are pretty confident that no topics have been forgotten, we'll announce the prod activation here with a few days notice. Please don't wait until then.
I've tried to set it for existing apps the best I could, but I may have forgotten some topics you want to send to. Please verify your playbooks and roles.
Then there's the issue of the accounts created in roles/rabbitmq_cluster/tasks/apps.yml. My intent for this file was to contain the account creations for applications that are not elsewhere in ansible, such as CentOS applications, etc. As a result I can't examine which topics these apps want to send to, because I don't even know which apps use them. Please reach out to me if your application uses one of the following rabbitmq accounts:
- coreos
- centos-ci
- osci-pipelines
- fedora-build-checks
- alt-src
- gitlab-centos
- koji-centos
- centos-koji
- cbs
- resultsdb-centos
- centos-stream-robosignatory
- distrobuildsync-eln
Thanks!
Aurélien
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
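The mail describes the `sent_topics` regexp list, how RabbitMQ applies it to the routing key of every published message, and the `^$` convention for apps that never publish. Before running a playbook on staging, it helps to dry-run the list locally against the topics an app actually emits. The script below is an added example written for this page; it is not Fedora infrastructure code and not part of the Ansible role. It assumes that `{{ env_short }}` is the only Jinja variable in the patterns (rendered here by plain string replacement, not by Ansible), that "stg" and "prod" are the environment short names, that RabbitMQ grants the write when any pattern matches the routing key, and that Python's `re` behaves the same as the broker's regexp engine for these simple anchored patterns. The topic names are constructed for the example.

```python
import re

# Constructed sample: the batcave sent_topics list from the mail, with the
# Ansible placeholder {{ env_short }} still unrendered.
SENT_TOPICS_TEMPLATE = [
    r"^org\.fedoraproject\.{{ env_short }}\.ansible\..*",
    r"^org\.fedoraproject\.{{ env_short }}\.git\..*",
    r"^org\.fedoraproject\.{{ env_short }}\.infragit\..*",
    r"^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*",
]

# The list for an app that never publishes, as the mail recommends.
NO_PUBLISH = [r"^$"]


def render(patterns, env_short):
    """Substitute {{ env_short }} the way the role would after Ansible templating.

    Assumption: a plain replacement is enough because env_short is the only
    variable used in these patterns (Ansible is not invoked here).
    """
    return [p.replace("{{ env_short }}", env_short) for p in patterns]


def compile_allowed(patterns):
    """Compile the rendered regexps once; a bad pattern fails loudly here
    rather than at the first publish() on staging."""
    return [re.compile(p) for p in patterns]


def is_allowed(topic, compiled):
    """Mirror the broker's decision for one routing key.

    Assumption: the write is granted if any pattern matches; search() is
    unanchored, which is why every pattern in the role starts with '^'.
    """
    return any(r.search(topic) for r in compiled)


def check_topics(topics, patterns):
    """Split an app's topics into (allowed, rejected) under a sent_topics list.

    Anything in 'rejected' would make fedora-messaging raise from publish()
    once the restriction is enforced for that environment.
    """
    compiled = compile_allowed(patterns)
    allowed = [t for t in topics if is_allowed(t, compiled)]
    rejected = [t for t in topics if not is_allowed(t, compiled)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed topics an app might emit on staging; the bodhi one is
    # deliberately outside batcave's list to show a rejection.
    staging_topics = [
        "org.fedoraproject.stg.ansible.playbook.start",
        "org.fedoraproject.stg.git.receive",
        "org.fedoraproject.stg.logger.log.message",
        "org.fedoraproject.stg.bodhi.update.request",
    ]
    ok, bad = check_topics(staging_topics, render(SENT_TOPICS_TEMPLATE, "stg"))
    print("allowed :", ok)
    print("rejected:", bad)

    # A prod-prefixed topic is rejected by a list rendered for staging: the
    # env_short segment is part of the match, not a wildcard.
    prod_only = compile_allowed(render(SENT_TOPICS_TEMPLATE, "stg"))
    print("prod topic under stg list:", is_allowed("org.fedoraproject.prod.git.receive", prod_only))

    # '^$' only matches the empty routing key, so every real topic is refused.
    print("no-publish list:", check_topics(staging_topics, NO_PUBLISH))
```

Running it prints the bodhi topic under "rejected" and an empty "allowed" list for the `^$` case, which is the outcome the staging test in the mail would surface as a traceback in the application logs. The script is only a pre-check: the authoritative test is still the playbook run on staging, since the broker's regexp engine and the exact routing keys an app emits are what decide.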