Add configurable rabbitmq monitoring user

As an operator I want to be able to monitor the status
of RabbitMQ by collecting metrics such as queue length,
message rates (globally and per channel), and information
about resource usage on the host, such as memory use,
open file descriptors and the state of the cluster. Whilst
it is possible to gather all of this information using
the OpenStack RabbitMQ user configured by Kolla Ansible,
this user has write access to the OpenStack vhost. This
feature adds a monitoring user which has access to all of
the information described above, but does not have write
access. An example of a service which may use the
monitoring user is the RabbitMQ plugin for the Monasca
Agent. As not all users will configure monitoring, by
default the monitoring user is disabled. To create it,
the user should override the rabbitmq_monitoring_user
variable.

Implements: blueprint add-monitoring-user-for-rabbit
Change-Id: Ie895ddc59dda1c38faab6305163d9bed6710ff9d
This commit is contained in:
Doug Szumski 2017-11-02 13:32:49 +00:00
parent 214866350a
commit 245cd42694
5 changed files with 29 additions and 2 deletions

View File

@ -469,6 +469,7 @@ enable_kibana: "{{ 'yes' if enable_central_logging | bool else 'no' }}"
#################### ####################
rabbitmq_hipe_compile: "no" rabbitmq_hipe_compile: "no"
rabbitmq_user: "openstack" rabbitmq_user: "openstack"
rabbitmq_monitoring_user: ""
rabbitmq_version: "rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x.ez/rabbitmq_clusterer-3.6.x-667f92b0/ebin" rabbitmq_version: "rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x.ez/rabbitmq_clusterer-3.6.x-667f92b0/ebin"
outward_rabbitmq_user: "openstack" outward_rabbitmq_user: "openstack"

View File

@ -5,12 +5,14 @@
{% endif %} {% endif %}
], ],
"users": [ "users": [
{"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if project_name == 'outward_rabbitmq' %}, {"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
{"name": "{{ role_rabbitmq_monitoring_user }}", "password": "{{ role_rabbitmq_monitoring_password }}", "tags": "monitoring"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
{"name": "{{ murano_agent_rabbitmq_user }}", "password": "{{ murano_agent_rabbitmq_password }}", "tags": "management"} {"name": "{{ murano_agent_rabbitmq_user }}", "password": "{{ murano_agent_rabbitmq_password }}", "tags": "management"}
{% endif %} {% endif %}
], ],
"permissions": [ "permissions": [
{"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if project_name == 'outward_rabbitmq' %}, {"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
{"user": "{{ role_rabbitmq_monitoring_user }}", "vhost": "/", "configure": "^$", "write": "^$", "read": ".*"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
{"user": "{{ murano_agent_rabbitmq_user }}", "vhost": "{{ murano_agent_rabbitmq_vhost }}", "configure": ".*", "write": ".*", "read": ".*"} {"user": "{{ murano_agent_rabbitmq_user }}", "vhost": "{{ murano_agent_rabbitmq_vhost }}", "configure": ".*", "write": ".*", "read": ".*"}
{% endif %} {% endif %}
], ],

View File

@ -180,6 +180,8 @@
role_rabbitmq_epmd_port: '{{ rabbitmq_epmd_port }}', role_rabbitmq_epmd_port: '{{ rabbitmq_epmd_port }}',
role_rabbitmq_groups: rabbitmq, role_rabbitmq_groups: rabbitmq,
role_rabbitmq_management_port: '{{ rabbitmq_management_port }}', role_rabbitmq_management_port: '{{ rabbitmq_management_port }}',
role_rabbitmq_monitoring_password: '{{ rabbitmq_monitoring_password }}',
role_rabbitmq_monitoring_user: '{{ rabbitmq_monitoring_user }}',
role_rabbitmq_password: '{{ rabbitmq_password }}', role_rabbitmq_password: '{{ rabbitmq_password }}',
role_rabbitmq_port: '{{ rabbitmq_port }}', role_rabbitmq_port: '{{ rabbitmq_port }}',
role_rabbitmq_user: '{{ rabbitmq_user }}', role_rabbitmq_user: '{{ rabbitmq_user }}',

View File

@ -197,6 +197,7 @@ qdrouterd_password:
# RabbitMQ options # RabbitMQ options
#################### ####################
rabbitmq_password: rabbitmq_password:
rabbitmq_monitoring_password:
rabbitmq_cluster_cookie: rabbitmq_cluster_cookie:
outward_rabbitmq_password: outward_rabbitmq_password:
outward_rabbitmq_cluster_cookie: outward_rabbitmq_cluster_cookie:

View File

@ -0,0 +1,21 @@
---
features:
- |
Kolla-Ansible now supports creating a monitoring
user for RabbitMQ.
As an operator I want to be able to monitor the status
of RabbitMQ by collecting metrics such as queue length,
message rates (globally and per channel), and information
about resource usage on the host, such as memory use,
open file descriptors and the state of the cluster. Whilst
it is possible to gather all of this information using
the OpenStack RabbitMQ user configured by Kolla Ansible,
this user has write access to the OpenStack vhost. This
feature adds a monitoring user which has access to all of
the information described above, but does not have write
access. An example of a service which may use the
monitoring user is the RabbitMQ plugin for the Monasca
Agent. As not all users will configure monitoring, by
default the monitoring user is disabled. To create it,
the user should override the rabbitmq_monitoring_user
variable.