[WIP] Add RabbitMQ users/vhosts #164
Running this on an ansible host with CentOS 6 is broken (the machine ansible runs from, not the target host of the playbook) because I used the map filter which is only available in Jinja2 2.7, but CentOS 6 has Jinja2 2.6.
I'm not sure how to accomplish what I did in Jinja 2.6. Can we require an upgrade to 2.7? Maybe using an RPM like https://centos.pkgs.org/6/puias-computational-x86_64/python27-jinja2-2.7.2-2.sdl6.noarch.rpm.html
roles/rabbitmq/tasks/main.yml
Outdated
state: absent | ||
when: | ||
- rmq_users|length > 0 | ||
- "'guest' not in rmq_users|map(attribute='user')" |
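Review bot: in the last `when` condition, `rmq_users|map(attribute='user')` is left as a generator, while the vhost expression in this same file ends each `map` call with `|list`; add `|list` here too so the `in` test runs against a concrete list. The first condition also means the guest account is only removed when `rmq_users` is non-empty, which is worth stating in the role documentation.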
map requires jinja 2.7
roles/rabbitmq/tasks/main.yml
Outdated
state: present | ||
loop_control: | ||
loop_var: rmq_vhost | ||
with_items: "{{ lookup('flattened', rmq_users|map(attribute='permissions')|list ) | map(attribute='vhost')|list|unique }}" |
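Review bot: on the `with_items` line, a user entry that has no `permissions` key is not handled, so `map(attribute='permissions')` has nothing valid to flatten for that user. Either document `permissions` as required for every `rmq_users` entry or default it to an empty list before flattening.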
map requires jinja2.7.
Another option would be to require an extra play:
ad40a72 to ffad24b
rebased
To get that map-like functionality, I could use json_query, but that would add a dep on jmespath.
So far, this only adds the ability to add the user, but the playbook user has to actually add it. So, to accomplish #75 for RabbitMQ, this needs to switch to adding the user by default, and make the host configurable. That's a much bigger change, but maybe then it'll actually get merged.
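One way to get the `map`-like behaviour discussed above on Jinja2 2.6 without a jmespath dependency is a small Ansible filter plugin. This is an added example, not code from this PR or the project; the file name, the filter names and the `rmq_users` shape (inferred from the expressions under review) are assumptions.

```python
# filter_plugins/rmq_filters.py (hypothetical file name)
# Added example: plain-Python replacements for the Jinja2 2.7 `map` calls,
# so the role no longer depends on the controller's Jinja2 version.
# Assumed rmq_users shape (inferred from the expressions in the review):
#   [{"user": "st2", "permissions": [{"vhost": "/st2"}, ...]}, ...]


def rmq_usernames(rmq_users):
    """Return user names, like rmq_users|map(attribute='user')|list."""
    return [entry["user"] for entry in rmq_users or []]


def rmq_vhosts(rmq_users):
    """Return the unique vhosts named in any user's permissions, first-seen order."""
    seen = []
    for entry in rmq_users or []:
        # A user without permissions contributes no vhosts instead of failing.
        for perm in entry.get("permissions") or []:
            vhost = perm.get("vhost")
            if vhost is not None and vhost not in seen:
                seen.append(vhost)
    return seen


def rmq_remove_guest(rmq_users):
    """True when users are configured and none of them is the guest account."""
    names = rmq_usernames(rmq_users)
    return len(names) > 0 and "guest" not in names


class FilterModule(object):
    """Entry point Ansible looks for in a filter_plugins/ directory."""

    def filters(self):
        return {
            "rmq_usernames": rmq_usernames,
            "rmq_vhosts": rmq_vhosts,
            "rmq_remove_guest": rmq_remove_guest,
        }


# Constructed sample data, not taken from the PR.
SAMPLE_USERS = [
    {"user": "st2", "permissions": [{"vhost": "/st2"}, {"vhost": "/"}]},
    {"user": "monitor", "permissions": [{"vhost": "/st2"}]},
    {"user": "nologin"},
]
```

With the file in a `filter_plugins/` directory next to the playbook, the two tasks could use `when: rmq_users|rmq_remove_guest` and `with_items: "{{ rmq_users|rmq_vhosts }}"`.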
215c6d4 to 1a7bec0
rebased
c92e3d2 to 7dc95a2
By default, we just use the guest user. But, this makes it possible to add or remove vhosts and users from rabbitmq. This requires fairly explicit rabbitmq configuration options. Originally, this used a map filter to extract vhosts from the list of users and check for guest in the list of users, but the map filter is not available in EL6 with Jinja2 2.6, so we can't rely on using that here. Instead of extracting vhosts, or checking the list of users to determine whether or not to remove guest, we require explicit configuration of users and vhosts.
This uses the urlsplit filter to extract user and vhost bits from: st2_config.messaging.url
The urlsplit filter is only available with ansible 2.4 and later, so this will probably need to wait until ready to increase the minimum.
[skip ci] until we're ready to revisit this.
7dc95a2 to 6ceb2a2
Closing for now. Once there are resources to review something, I'll deal with it again.
If rmq_users is defined, then the guest user is removed, and the provided users are added.
TODO:
st2_config.messaging.url ).
TODO for #75 for RabbitMQ security:
To configure the host (in a separate PR) we will need to modify or template /etc/rabbitmq/rabbitmq.config (see: https://www.rabbitmq.com/networking.html#interfaces)
Ensure we can configure host
Services should run on 127.0.0.1 by default
Leave pw generation to the playbook user.
If not explicitly set, passwords should be generated randomly and placed in st2.conf