Add RabbitMQ user/vhost configuration

By default, we just use the guest user. But, this makes it possible to
add or remove vhosts and users from rabbitmq.

This requires fairly explicit rabbitmq configuration options.

Originally, this used a map filter to extract vhosts from the list of
users and check for guest in the list of users, but the map filter is
not available in EL6 with Jinja2 2.6, so we can't rely on using that
here. Instead of extracting vhosts, or checking the list of users to
determine whether or not to remove guest, we require explicit
configuration of users and vhosts.

roles/rabbitmq/README.md

@@ -0,0 +1,73 @@
+Ansible Role: stackstorm.rabbitmq
+=================================
+
+Installs RabbitMQ. If `rmq_users` is defined, then the guest user is removed, and the provided users are added.
+
+Requirements
+------------
+
+No additional requirements.
+
+Role Variables
+--------------
+
+These default variables can be set in the inventory's group or host vars, or pass them in as vars in the playbook that
+uses this role. An example of passing in some of these vars is shown in an example playbook below.
+
+* `rabbitmq_plugins`: A list of plugins to install (none by default: `[]`)
+* `rabbitmq_plugins_new_only`: If `no`, remove any plugins that aren't in the `rmq_plugins` list. (default: `yes`)
+* `rabbitmq_vhosts`: A list of vhosts to add (make sure to include all vhosts included in `permissions` of `rabbitmq_users`. (default: `[]`)
+* `rabbitmq_absent_vhosts`: A list of vhosts to remove. (default: `[]`)
+* `rabbitmq_keep_guest_user`: Whether to keep or delete the guest user (default: `yes`)
+* `rabbitmq_users`: A list of users to add (default: `[]`)
+* `rabbitmq_absent_users`: A list of users to remove (default: `[]`)
+* `rabbitmq_force_user_recreate`: Boolean to force user recreation. This is best set from extra-vars on the command line.
+
+If you delete the guest (with `rabbitmq_keep_guest_user: no`), then make sure to specify at least one other user in `rabbitmq_users`. Note, you don't need to add the guest user to the `rabbitmq_absent_users` list, just set the `rabbitmq_keep_guest_user` bool to no.
+
+Dependencies
+------------
+
+No role dependencies.
+
+Example Playbook
+----------------
+
+This playbook installs rabbitmq without adding any users (leaving the default guest user):
+
+    - hosts: localhost
+      roles:
+        - role: StackStorm.stackstorm/roles/rabbitmq
+
+
+This playbook installs rabbitmq, removes the guest user, and adds a stackstorm user:
+
+    - hosts: localhost
+      roles:
+        - role: StackStorm.stackstorm/roles/mongodb
+          vars:
+            rmq_users:
+              - username: st2rmq
+                password: stackstorm
+                tags: policymaker
+                permissions:
+                  - vhost: 'st2'
+                    configure_priv: .*
+                    read_priv: .*
+                    write_priv: .*
+
+Note that tags can be zero, one, or more (comma separated) of these: management,policymaker,monitoring,administrator
+
+WARNING: vhost should not have a leading / or you'd have to remember to encode it in the uri.
+
+| vhost      | URI                                       |
+|------------|-------------------------------------------|
+| `/myvhost` | `amqp://user:pass@rabbit:5672/%2Fmyvhost` |
+| `myvhost`  | `amqp://user:pass@rabbit:5672/myvhost`    |
+| `/`        | `amqp://user:pass@rabbit:5672/`           |
+
+License
+-------
+
+Apache 2.0
+

roles/rabbitmq/defaults/main.yml

@@ -3,3 +3,27 @@ rabbitmq_plugins: []
 # To enable the management plugin (in which case you'd want at least one user tagged with administrator):
 #rabbitmq_plugins:
 #  - rabbitmq_management
+
+
+# Make sure to include an entry for every vhost listed in rabbitmq_users.*.permissions
+rabbitmq_vhosts: []
+# - st2
+rabbitmq_absent_vhosts: []
+
+rabbitmq_keep_guest_user: yes
+rabbitmq_users: []
+#  - user: st2rmq
+#    password: stackstorm
+    # tags can be zero, one, or more of (comma separated): management,policymaker,monitoring,administrator
+#    tags: policymaker
+#    permissions:
+#      - vhost: 'st2'
+#        configure_priv: .*
+#        read_priv: .*
+#        write_priv: .*
+
+# Users (other than guest) that should not be present
+rabbitmq_absent_users: []
+
+# Set this (probably via extra-vars) to force user recreation
+#rabbitmq_force_user_recreate: yes

roles/rabbitmq/tasks/main.yml

@@ -1,4 +1,10 @@
 ---
+- name: Make sure rabbitmq user options are specified correctly
+  assert:
+    that: (rabbitmq_keep_guest_user and 'guest' not in rabbitmq_absent_users) or rabbitmq_users|length > 0
+    msg: "If the guest user is deleted, at least one other user needs to be added."
+  tags: rabbitmq
+
 - name: Install rabbitmq package on {{ ansible_distribution }}
   become: yes
   package:
@@ -31,3 +37,55 @@
     prefix: "{{ rabbitmq_on_el6 | ternary(rabbitmq_el6_prefix, omit) }}"
   when: rabbitmq_plugins
   tags: rabbitmq
+
+- name: Remove RabbitMQ vhosts
+  become: yes
+  rabbitmq_vhost:
+    vhost: "{{ _rmq_vhost }}"
+    state: absent
+  loop_control:
+    loop_var: _rmq_vhost
+  with_items: "{{ rabbitmq_absent_vhosts }}"
+  tags: rabbitmq
+
+- name: Add RabbitMQ vhosts
+  become: yes
+  rabbitmq_vhost:
+    vhost: "{{ _rmq_vhost }}"
+    state: present
+  loop_control:
+    loop_var: _rmq_vhost
+  with_items: "{{ rabbitmq_vhosts }}"
+  tags: rabbitmq
+
+- name: Remove the guest user from RabbitMQ
+  become: yes
+  rabbitmq_user:
+    user: guest
+    state: absent
+  when: not rabbitmq_keep_guest_user
+  tags: rabbitmq
+
+- name: Remove other users from RabbitMQ
+  become: yes
+  rabbitmq_user:
+    user: "{{ _rmq_user }}"
+    state: absent
+  with_items: "{{ rabbitmq_absent_users }}"
+  tags: rabbitmq
+
+- name: Add RabbitMQ Users
+  become: yes
+  rabbitmq_user:
+    force: "{{ rabbitmq_force_user_recreate|default(omit) }}"
+    # NOTE: This does not handle erlang nodes other than "rabbit" (when is that even used?)
+    user: "{{ _rmq_user.user }}"
+    password: "{{ _rmq_user.password }}"
+    permissions: "{{ _rmq_user.permissions }}"
+    tags: "{{ _rmq_user.tags | default(omit) }}"
+    state: present
+  loop_control:
+    loop_var: _rmq_user
+    label: "{{ _rmq_user.user }}"
+  with_items: "{{ rabbitmq_users }}"
+  tags: rabbitmq