Hey folks!
I have begun setting topic authorizations on our message bus: apps will no
longer be able to send messages to any topics, only to those they are
explicitly allowed to. I'll need your help to make sure I'm not forgetting
topics that your app wants to send to.
In RabbitMQ these authorizations are implemented as a set of regexps, so
it's not necessary to build an exhaustive list of the topics your app may
send to, thankfully. In the Ansible role I've implemented it as a variable
`sent_topics` that is a list of allowed regexps, usually matching the
application name right after the topic prefix. Example for batcave:
sent_topics:
- ^org\.fedoraproject\.{{ env_short }}\.ansible\..*
- ^org\.fedoraproject\.{{ env_short }}\.git\..*
- ^org\.fedoraproject\.{{ env_short }}\.infragit\..*
- ^org\.fedoraproject\.{{ env_short }}\.logger\.log\..*
Some questions you might ask:
- What happens if I try to send to a topic that is not allowed?
In this case fedora-messaging will raise an exception in the publish()
call
- What happens if I don't set the sent_topics list?
When the list is not set, all topics are allowed. Therefore if you don't
do anything, your app will technically keep working as before, but you will
make infra folks a bit sad because if your certificate gets compromised,
someone might send messages to the bus on any topic. If that happens, you
will feel bad. Take care of future you and set the variable now.
- What if my app does not send any messages?
Then set sent_topics to a list containing a single element: ^$
- How do I test this?
At the moment, the sent_topics list is only taken into account on
staging. So what you can do is set it to a sensible value, run the
playbook(s) on staging, and check your application's logs for tracebacks
when a message should be sent.
- When do you plan to apply these restrictions on prod?
I don't know yet. When we are pretty confident that no topics have been
forgotten, we'll announce the prod activation here with a few days' notice.
Please don't wait until then.
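As an added illustration (not part of the original mail, nor code from the
Ansible role or from fedora-messaging), here is a small offline check you can
run before touching staging: it renders the {{ env_short }} placeholder the
way the role would, compiles the sent_topics regexps, and reports which of
the topics your app publishes would be refused. It also covers the ^$ case
for apps that never send. The sample sent_topics list and the candidate
topics are constructed for the example; the helper names (render_pattern,
audit_sent_topics, ...) are mine. One assumption: the broker is treated as
matching a permission regexp against the whole topic name, which is why
fullmatch is used rather than search.

```python
import re

# Constructed sample values (not taken from the post): a hypothetical app's
# sent_topics list, written with the same {{ env_short }} placeholder that
# the Ansible role renders.
ENV_SHORT = "stg"
SENT_TOPICS = [
    r"^org\.fedoraproject\.{{ env_short }}\.ansible\..*",
    r"^org\.fedoraproject\.{{ env_short }}\.git\..*",
]

# Constructed list of topics the hypothetical app actually publishes.
CANDIDATE_TOPICS = [
    "org.fedoraproject.stg.ansible.playbook.start",
    "org.fedoraproject.stg.git.receive",
    "org.fedoraproject.stg.bodhi.update.request",   # not in the allow list
    "org.fedoraproject.prod.ansible.playbook.start",  # wrong environment
]


def render_pattern(pattern, env_short):
    """Substitute the Jinja-style {{ env_short }} placeholder, as the role does."""
    return pattern.replace("{{ env_short }}", env_short)


def compile_sent_topics(patterns, env_short):
    """Render and compile every allowed-topic regexp."""
    return [re.compile(render_pattern(p, env_short)) for p in patterns]


def topic_allowed(topic, compiled):
    # Assumption: a permission regexp must match the entire topic name,
    # so fullmatch is used. With ^...\..* patterns this equals a search.
    return any(r.fullmatch(topic) for r in compiled)


def audit_sent_topics(patterns, env_short, candidate_topics):
    """Return the candidate topics that the sent_topics list would refuse.

    An empty result means every topic the app publishes is covered; anything
    returned here would surface as an exception in publish() once the
    restrictions are active.
    """
    compiled = compile_sent_topics(patterns, env_short)
    return [t for t in candidate_topics if not topic_allowed(t, compiled)]


if __name__ == "__main__":
    for topic in audit_sent_topics(SENT_TOPICS, ENV_SHORT, CANDIDATE_TOPICS):
        print("would be refused:", topic)
    # An app that never publishes: ^$ refuses every non-empty topic.
    print("^$ refuses all:",
          audit_sent_topics([r"^$"], ENV_SHORT, CANDIDATE_TOPICS) == CANDIDATE_TOPICS)
```

Feed it the real sent_topics from your playbook and the topics you see in
your app's logs or message schemas; any topic it prints is one to add to the
list before the prod activation.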
I've tried to set it for existing apps the best I could, but I may have
forgotten some topics you want to send to. Please verify your playbooks and
roles.
Then there's the issue of the accounts created in
roles/rabbitmq_cluster/tasks/apps.yml. My intent for this file was to
contain the account creations for applications that are not elsewhere in
ansible, such as CentOS applications, etc. As a result I can't examine
which topics these apps want to send to, because I don't even know which
apps use them. Please reach out to me if your application uses one of the
following rabbitmq accounts:
- coreos
- centos-ci
- osci-pipelines
- fedora-build-checks
- alt-src
- gitlab-centos
- koji-centos
- centos-koji
- cbs
- resultsdb-centos
- centos-stream-robosignatory
- distrobuildsync-eln
Thanks!
Aurélien