From 245cd426947ba4cc841daaf0f71ec68bcfa28f68 Mon Sep 17 00:00:00 2001
From: Doug Szumski <doug@stackhpc.com>
Date: Thu, 2 Nov 2017 13:32:49 +0000
Subject: [PATCH] Add configurable rabbitmq monitoring user

As an operator I want to be able to monitor the status
of RabbitMQ by collecting metrics such as queue length,
message rates (globally and per channel), and information
about resource usage on the host, such as memory use,
open file descriptors and the state of the cluster. Whilst
it is possible to gather all of this information using
the OpenStack RabbitMQ user configured by Kolla Ansible,
this user has write access to the OpenStack vhost. This
feature adds a monitoring user which has access to all of
the information described above, but does not have write
access. An example of a service which may use the
monitoring user is the RabbitMQ plugin for the Monasca
Agent. As not all users will configure monitoring, by
default the monitoring user is disabled. To create it,
the user should override the rabbitmq_monitoring_user
variable.

Implements: blueprint add-monitoring-user-for-rabbit
Change-Id: Ie895ddc59dda1c38faab6305163d9bed6710ff9d
---
 ansible/group_vars/all.yml                    |  1 +
 .../rabbitmq/templates/definitions.json.j2    |  6 ++++--
 ansible/site.yml                              |  2 ++
 etc/kolla/passwords.yml                       |  1 +
 ...ring-user-for-rabbit-d869cddde8e8c5f3.yaml | 21 +++++++++++++++++++
 5 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index daadbaaf37..1a76091dfa 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -469,6 +469,7 @@ enable_kibana: "{{ 'yes' if enable_central_logging | bool else 'no' }}"
 ####################
 rabbitmq_hipe_compile: "no"
 rabbitmq_user: "openstack"
+rabbitmq_monitoring_user: ""
 rabbitmq_version: "rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x.ez/rabbitmq_clusterer-3.6.x-667f92b0/ebin"
 outward_rabbitmq_user: "openstack"
 
diff --git a/ansible/roles/rabbitmq/templates/definitions.json.j2 b/ansible/roles/rabbitmq/templates/definitions.json.j2
index f617069d52..e06ae867c3 100644
--- a/ansible/roles/rabbitmq/templates/definitions.json.j2
+++ b/ansible/roles/rabbitmq/templates/definitions.json.j2
@@ -5,12 +5,14 @@
     {% endif %}
   ],
   "users": [
-    {"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if project_name == 'outward_rabbitmq' %},
+    {"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
+    {"name": "{{ role_rabbitmq_monitoring_user }}", "password": "{{ role_rabbitmq_monitoring_password }}", "tags": "monitoring"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
     {"name": "{{ murano_agent_rabbitmq_user }}", "password": "{{ murano_agent_rabbitmq_password }}", "tags": "management"}
     {% endif %}
   ],
   "permissions": [
-    {"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if project_name == 'outward_rabbitmq' %},
+    {"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
+    {"user": "{{ role_rabbitmq_monitoring_user }}", "vhost": "/", "configure": "^$", "write": "^$", "read": ".*"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
     {"user": "{{ murano_agent_rabbitmq_user }}", "vhost": "{{ murano_agent_rabbitmq_vhost }}", "configure": ".*", "write": ".*", "read": ".*"}
     {% endif %}
   ],
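Review bot: The new permissions entry gives the monitoring user `"read": ".*"` on vhost `/`, and in RabbitMQ's permission model read on a queue is what authorises `basic.get` and `basic.consume`. The account can therefore fetch OpenStack RPC and notification messages, and take them off the queues, even though configure and write are `^$`. The commit message's "does not have write access" is accurate but understates this. The `monitoring` tag is what exposes management-API statistics, so it is worth testing whether the collector still works with `"configure": "^$", "write": "^$", "read": "^$"` and using that if it does. If read access has to stay, the release note should say that the account can consume messages, so operators protect its password accordingly.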
diff --git a/ansible/site.yml b/ansible/site.yml
index 261667d5c5..808208bc40 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -180,6 +180,8 @@
         role_rabbitmq_epmd_port: '{{ rabbitmq_epmd_port }}',
         role_rabbitmq_groups: rabbitmq,
         role_rabbitmq_management_port: '{{ rabbitmq_management_port }}',
+        role_rabbitmq_monitoring_password: '{{ rabbitmq_monitoring_password }}',
+        role_rabbitmq_monitoring_user: '{{ rabbitmq_monitoring_user }}',
         role_rabbitmq_password: '{{ rabbitmq_password }}',
         role_rabbitmq_port: '{{ rabbitmq_port }}',
         role_rabbitmq_user: '{{ rabbitmq_user }}',
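Review bot: `role_rabbitmq_monitoring_password` is passed through with no check that it has a value, while the guard in definitions.json.j2 tests only `role_rabbitmq_monitoring_user`. On a deployment whose passwords.yml predates this change, or where `rabbitmq_monitoring_password:` is left unfilled, setting the user name will probably either fail at template time or render an empty password for an account with read access to the vhost. I would add a precheck, for example an `assert` task requiring `rabbitmq_monitoring_password` to be non-empty whenever `rabbitmq_monitoring_user` is set. The release note should also tell upgraders to add the new key to their existing passwords.yml before enabling the user. The surrounding role variable mapping continues outside this hunk.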
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index 1b659da29d..add66599a5 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -197,6 +197,7 @@ qdrouterd_password:
 # RabbitMQ options
 ####################
 rabbitmq_password:
+rabbitmq_monitoring_password:
 rabbitmq_cluster_cookie:
 outward_rabbitmq_password:
 outward_rabbitmq_cluster_cookie:
diff --git a/releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml b/releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml
new file mode 100644
index 0000000000..cdca815e41
--- /dev/null
+++ b/releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml
@@ -0,0 +1,21 @@
+---
+features:
+  - |
+    Kolla-Ansible now supports creating a monitoring
+    user for RabbitMQ.
+    As an operator I want to be able to monitor the status
+    of RabbitMQ by collecting metrics such as queue length,
+    message rates (globally and per channel), and information
+    about resource usage on the host, such as memory use,
+    open file descriptors and the state of the cluster. Whilst
+    it is possible to gather all of this information using
+    the OpenStack RabbitMQ user configured by Kolla Ansible,
+    this user has write access to the OpenStack vhost. This
+    feature adds a monitoring user which has access to all of
+    the information described above, but does not have write
+    access. An example of a service which may use the
+    monitoring user is the RabbitMQ plugin for the Monasca
+    Agent. As not all users will configure monitoring, by
+    default the monitoring user is disabled. To create it,
+    the user should override the rabbitmq_monitoring_user
+    variable.