[WIP] Add RabbitMQ users/vhosts #164
Conversation
There was a problem hiding this comment.
Running this on an ansible host with CentOS 6 is broken (the machine ansible runs from, not the target host of the playbook) because I used the map filter which is only available in Jinja2 2.7, but CentOS 6 has Jinja2 2.6.
I'm not sure how to accomplish what I did in Jinja 2.6. Can we require an upgrade to 2.7? Maybe using an RPM like https://centos.pkgs.org/6/puias-computational-x86_64/python27-jinja2-2.7.2-2.sdl6.noarch.rpm.html
roles/rabbitmq/tasks/main.yml
Outdated
| state: absent | ||
| when: | ||
| - rmq_users|length > 0 | ||
| - "'guest' not in rmq_users|map(attribute='user')" |
There was a problem hiding this comment.
map requires jinja 2.7
roles/rabbitmq/tasks/main.yml
Outdated
| state: present | ||
| loop_control: | ||
| loop_var: rmq_vhost | ||
| with_items: "{{ lookup('flattened', rmq_users|map(attribute='permissions')|list ) | map(attribute='vhost')|list|unique }}" |
There was a problem hiding this comment.
map requires jinja2.7.
|
Another option would be to require an extra play: |
cognifloyd
force-pushed
the
rmq_users
branch
4 times, most recently
from
ad40a72
to
ffad24b
Compare
|
rebased |
|
To get that map like functionality, I could use json_query, but that would add a dep on jmespath. |
|
So far, this only adds the ability to add the user, but the playbook user has to actually add it. So, to accomplish #75 for RabbitMQ, this needs to switch to adding the user by default, and make the host configurable. That's a much bigger change, but maybe then it'll actually get merged. |
cognifloyd
force-pushed
the
rmq_users
branch
from
215c6d4
to
1a7bec0
Compare
|
rebased |
cognifloyd
force-pushed
the
rmq_users
branch
from
c92e3d2
to
7dc95a2
Compare
By default, we just use the guest user. But, this makes it possible to add or remove vhosts and users from rabbitmq. This requires fairly explicit rabbitmq configuration options. Originally, this used a map filter to extract vhosts from the list of users and check for guest in the list of users, but the map filter is not available in EL6 with Jinja2 2.6, so we can't rely on using that here. Instead of extracting vhosts, or checking the list of users to determine whether or not to remove guest, we require explicit configuration of users and vhosts.
This uses the urlsplit filter to extract user and vhost bits from: st2_config.messaging.url The urlsplit filter is only availble with ansible 2.4 and later, so this will probably need to wait until ready to increase the minimum. [skip ci] until we're ready to revisit this.
cognifloyd
force-pushed
the
rmq_users
branch
from
7dc95a2
to
6ceb2a2
Compare
|
Closing for now. Once there are resources to review something, I'll deal with it again. |
If
rmq_usersis defined, then the guest user is removed, and the provided users are added.TODO:
st2_config.messaging.url).TODO for #75 for RabbitMQ security:
To configure the host (in a separate PR) we will need to modify or template
/etc/rabbitmq/rabbitmq.config(see: https://www.rabbitmq.com/networking.html#interfaces)Ensure we can configure hostServices should run on 127.0.0.1 by defaultLeave pw generation to the playbook user.
If not explicitly set, passwords should be generated randomly and placed in st2.conf