From 245cd426947ba4cc841daaf0f71ec68bcfa28f68 Mon Sep 17 00:00:00 2001
From: Doug Szumski
Date: Thu, 2 Nov 2017 13:32:49 +0000
Subject: [PATCH] Add configurable rabbitmq monitoring user

As an operator I want to be able to monitor the status of RabbitMQ by collecting metrics such as queue length, message rates (globally and per channel), and information about resource usage on the host, such as memory use, open file descriptors and the state of the cluster. Whilst it is possible to gather all of this information using the OpenStack RabbitMQ user configured by Kolla Ansible, this user has write access to the OpenStack vhost. This feature adds a monitoring user which has access to all of the information described above, but does not have write access. An example of a service which may use the monitoring user is the RabbitMQ plugin for the Monasca Agent. As not all users will configure monitoring, by default the monitoring user is disabled. To create it, the user should override the rabbitmq_monitoring_user variable.
Implements: blueprint add-monitoring-user-for-rabbit
Change-Id: Ie895ddc59dda1c38faab6305163d9bed6710ff9d
---
 ansible/group_vars/all.yml | 1 +
 .../rabbitmq/templates/definitions.json.j2 | 6 ++++--
 ansible/site.yml | 2 ++
 etc/kolla/passwords.yml | 1 +
 ...ring-user-for-rabbit-d869cddde8e8c5f3.yaml | 21 +++++++++++++++++++
 5 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml

diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index daadbaaf37..1a76091dfa 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -469,6 +469,7 @@ enable_kibana: "{{ 'yes' if enable_central_logging | bool else 'no' }}"
 ####################
 rabbitmq_hipe_compile: "no"
 rabbitmq_user: "openstack"
+rabbitmq_monitoring_user: ""
 rabbitmq_version: "rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x.ez/rabbitmq_clusterer-3.6.x-667f92b0/ebin"
 outward_rabbitmq_user: "openstack"
diff --git a/ansible/roles/rabbitmq/templates/definitions.json.j2 b/ansible/roles/rabbitmq/templates/definitions.json.j2
index f617069d52..e06ae867c3 100644
--- a/ansible/roles/rabbitmq/templates/definitions.json.j2
+++ b/ansible/roles/rabbitmq/templates/definitions.json.j2
@@ -5,12 +5,14 @@
 {% endif %}
 ],
 "users": [
- {"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if project_name == 'outward_rabbitmq' %},
+ {"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
+ {"name": "{{ role_rabbitmq_monitoring_user }}", "password": "{{ role_rabbitmq_monitoring_password }}", "tags": "monitoring"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
 {"name": "{{ murano_agent_rabbitmq_user }}", "password": "{{ murano_agent_rabbitmq_password }}", "tags": "management"}
 {% endif %}
 ],
 "permissions": [
- {"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if project_name == 'outward_rabbitmq' %},
+ {"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
+ {"user": "{{ role_rabbitmq_monitoring_user }}", "vhost": "/", "configure": "^$", "write": "^$", "read": ".*"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
 {"user": "{{ murano_agent_rabbitmq_user }}", "vhost": "{{ murano_agent_rabbitmq_vhost }}", "configure": ".*", "write": ".*", "read": ".*"}
 {% endif %}
 ],
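Review bot: The new `rabbitmq_monitoring_user: ""` default in ansible/group_vars/all.yml carries no comment saying that an empty value is what disables the account, and that is the only switch for this feature. A comment above it would help operators reading the defaults, for example `# Leave empty to disable. Set a user name to create a RabbitMQ account tagged "monitoring" with no configure/write permissions.` It is worth naming the matching secret, `rabbitmq_monitoring_password` in etc/kolla/passwords.yml, in the same comment.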
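Review bot: The permissions entry added for the monitoring user in definitions.json.j2 grants `"read": ".*"` on vhost `/`, and in RabbitMQ the read permission covers consuming from queues, so anyone holding these credentials can read message payloads and take messages off OpenStack service queues even though configure and write are `^$`. That is wider than the metrics-only account the commit message describes. If the `monitoring` tag plus a permission record on the vhost is enough for the management API statistics (this should be confirmed against the RabbitMQ version deployed), tighten the entry to `"read": "^$"`; if it is not, a comment in the template should say why read access is required. Separately, `role_rabbitmq_monitoring_password` is interpolated into a JSON string unescaped, as the existing user entry already does, so a password containing `"` or `\` would yield an invalid definitions file.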
diff --git a/ansible/site.yml b/ansible/site.yml
index 261667d5c5..808208bc40 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -180,6 +180,8 @@
 role_rabbitmq_epmd_port: '{{ rabbitmq_epmd_port }}',
 role_rabbitmq_groups: rabbitmq,
 role_rabbitmq_management_port: '{{ rabbitmq_management_port }}',
+ role_rabbitmq_monitoring_password: '{{ rabbitmq_monitoring_password }}',
+ role_rabbitmq_monitoring_user: '{{ rabbitmq_monitoring_user }}',
 role_rabbitmq_password: '{{ rabbitmq_password }}',
 role_rabbitmq_port: '{{ rabbitmq_port }}',
 role_rabbitmq_user: '{{ rabbitmq_user }}',
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index 1b659da29d..add66599a5 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -197,6 +197,7 @@ qdrouterd_password:
 # RabbitMQ options
 ####################
 rabbitmq_password:
+rabbitmq_monitoring_password:
 rabbitmq_cluster_cookie:
 outward_rabbitmq_password:
 outward_rabbitmq_cluster_cookie:
diff --git a/releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml b/releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml
new file mode 100644
index 0000000000..cdca815e41
--- /dev/null
+++ b/releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml
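Review bot: Nothing checks that `rabbitmq_monitoring_password` is set before the account is created: the site.yml hunk passes it straight through as `role_rabbitmq_monitoring_password`, and the template guard tests only the user name. The variable has no default in group_vars and exists only in a passwords.yml that already has the new key, which the passwords.yml hunk adds empty. On an upgraded deployment, an operator who sets `rabbitmq_monitoring_user` without merging the new key would presumably hit an undefined-variable failure at template time; if the key is present but never populated, the account may be defined with a blank password. A precheck would fail early and clearly, for example an assert on `rabbitmq_monitoring_user | length == 0 or rabbitmq_monitoring_password | default('', true) | length > 0`. The role entry this hunk edits begins and ends outside the hunk.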
@@ -0,0 +1,21 @@
+---
+features:
+ - |
+ Kolla-Ansible now supports creating a monitoring
+ user for RabbitMQ.
+ As an operator I want to be able to monitor the status
+ of RabbitMQ by collecting metrics such as queue length,
+ message rates (globally and per channel), and information
+ about resource usage on the host, such as memory use,
+ open file descriptors and the state of the cluster. Whilst
+ it is possible to gather all of this information using
+ the OpenStack RabbitMQ user configured by Kolla Ansible,
+ this user has write access to the OpenStack vhost. This
+ feature adds a monitoring user which has access to all of
+ the information described above, but does not have write
+ access. An example of a service which may use the
+ monitoring user is the RabbitMQ plugin for the Monasca
+ Agent. As not all users will configure monitoring, by
+ default the monitoring user is disabled. To create it,
+ the user should override the rabbitmq_monitoring_user
+ variable.