Compartmentalizing RabbitMQ

Presently all services use the single root virtual host within RabbitMQ.
While this is “OK” for small to mid-sized deployments, it would be better
to divide services into logical resource groups within RabbitMQ, which
brings additional security with it. This change set gives OSAD better
compartmentalization of the consumer services that use RabbitMQ.

UpgradeImpact
DocImpact
Change-Id: I6f9d07522faf133f3c1c84a5b9046a55d5789e52
Implements: blueprint compartmentalize-rabbitmq
kevin 2015-07-16 14:55:47 -05:00
parent 9ce7f169fc
commit b2624d4a26
GPG Key ID: 69FEFFC5E2D9273F
34 changed files with 354 additions and 34 deletions


@ -15,7 +15,6 @@
## Rabbitmq Options
rabbitmq_password:
rabbitmq_cookie_token:
## Tokens
@ -32,17 +31,21 @@ keystone_container_mysql_password:
keystone_auth_admin_token:
keystone_auth_admin_password:
keystone_service_password:
keystone_rabbitmq_password:
## Ceilometer Options:
ceilometer_container_db_password:
ceilometer_service_password:
ceilometer_telemetry_secret:
ceilometer_rabbitmq_password:
## Cinder Options
cinder_container_mysql_password:
cinder_service_password:
cinder_v2_service_password:
cinder_profiler_hmac_key:
cinder_rabbitmq_password:
## Ceph/rbd: a UUID to be used by libvirt to refer to the client.cinder user
#cinder_ceph_client_uuid:
@ -50,6 +53,7 @@ cinder_profiler_hmac_key:
glance_container_mysql_password:
glance_service_password:
glance_profiler_hmac_key:
glance_rabbitmq_password:
## Heat Options
heat_stack_domain_admin_password:
@ -60,6 +64,7 @@ heat_auth_encryption_key:
heat_service_password:
heat_cfn_service_password:
heat_profiler_hmac_key:
heat_rabbitmq_password:
## Horizon Options
horizon_container_mysql_password:
@ -68,6 +73,7 @@ horizon_secret_key:
## Neutron Options
neutron_container_mysql_password:
neutron_service_password:
neutron_rabbitmq_password:
## Nova Options
nova_container_mysql_password:
@ -77,6 +83,7 @@ nova_service_password:
nova_v3_service_password:
nova_v21_service_password:
nova_s3_service_password:
nova_rabbitmq_password:
## Swift Options:
swift_service_password:
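Review bot: The new `*_rabbitmq_password` entries, from `keystone_rabbitmq_password` down to `nova_rabbitmq_password`, carry no comment, and an existing deployment's secrets file will not contain them until the operator regenerates it; the `rabbitmq_user` tasks that consume them then either fail on an undefined variable or, if the keys were added but left blank, try to create the service user with an empty password. A short comment on the group, e.g. `## Per-service RabbitMQ credentials (one vhost/user per service); populate before upgrading`, would make the UpgradeImpact visible in the file operators actually edit. `rabbitmq_password:` is kept at the top of the hunk although the root-vhost user that consumed it is no longer created by this change; if nothing else reads it, a comment saying what it is still for would help.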


@ -46,7 +46,6 @@ lxc_container_caches:
## RabbitMQ
rabbitmq_userid: openstack
rabbitmq_cluster_name: openstack
rabbitmq_port: 5672
rabbitmq_servers: "{% for host in groups['rabbitmq_all'] %}{{ hostvars[host]['ansible_ssh_host'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}"
@ -91,6 +90,8 @@ ceilometer_service_tenant_name: service
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
ceilometer_service_region: "{{ service_region }}"
ceilometer_rabbitmq_userid: ceilometer
ceilometer_rabbitmq_vhost: /ceilometer
## Nova
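Review bot: `ceilometer_rabbitmq_userid` and `ceilometer_rabbitmq_vhost` are defined here in the group variables and again, with the same values, in the ceilometer role defaults in the next section, whereas every other service's values live only in its role defaults. The likely reason is that the swift proxy template consumes them on hosts that never run the ceilometer role, but nothing says so, and the two copies can drift. A comment such as `## Also consumed by the swift proxy ceilometer middleware; keep in sync with os_ceilometer defaults` above the two lines would document the exception.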


@ -36,6 +36,11 @@ ceilometer_db_port: 27017
ceilometer_connection_string: "{{ ceilometer_db_type }}://{{ ceilometer_database_user }}:{{ ceilometer_container_db_password }}@{{ ceilometer_db_ip }}:{{ ceilometer_db_port }}/{{ ceilometer_database_name }}"
## RabbitMQ info
ceilometer_rabbitmq_userid: ceilometer
ceilometer_rabbitmq_vhost: /ceilometer
#Ceilometer services info
ceilometer_role_name: admin
ceilometer_api_host_address: 0.0.0.0


@ -0,0 +1,37 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ ceilometer_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- ceilometer-rabbitmq
- ceilometer-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ ceilometer_rabbitmq_userid }}"
password: "{{ ceilometer_rabbitmq_password }}"
vhost: "{{ ceilometer_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- ceilometer-rabbitmq
- ceilometer-rabbitmq-user
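Review bot: The `Ensure rabbitmq user` task passes `{{ ceilometer_rabbitmq_password }}` as an ordinary module argument, so the secret appears in verbose (`-v`) and failed-task output; add `no_log: true` to that task, and to the identical tasks in the cinder, glance, heat, keystone, neutron and nova messaging_setup files. As far as I can tell the module of this era only sets the password when it creates the user, so a later rotation of the secret will not reach RabbitMQ unless the task is run with `force: yes`, which deletes and recreates the user; a comment stating that, e.g. `# NOTE: an existing user's password is not updated; use force: yes to rotate`, would save the next operator a surprise. Nothing in the change removes the legacy root-vhost user that earlier deployments created with `.*` permissions on `/` (`openstack` in the group variables, `rabbitmq` in the role default), so after an upgrade that credential remains valid; a `rabbitmq_user` task with `state: absent` for it, or at least an UpgradeImpact note, should cover this.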


@ -100,3 +100,7 @@
tags:
- sudoers
- ceilometer-sudoers
- include: ceilometer_messaging_setup.yml
when: >
inventory_hostname == groups['ceilometer_api'][0]
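Review bot: The `when: inventory_hostname == groups['ceilometer_api'][0]` guard on the include ties vhost and user creation to one specific host, so if that host is excluded with `--limit` or is unreachable in the run the setup is skipped, even though the tasks themselves are delegated to a rabbitmq host; `run_once: true` on the two tasks in the included file expresses the intent without that dependency. The same guard is used on the cinder, glance, heat, keystone, neutron and nova includes. This one also keys on `ceilometer_api` while the others key on the service's `*_all` group, which looks like an inconsistency unless no `ceilometer_all` group exists.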


@ -12,8 +12,9 @@ policy_file = /etc/ceilometer/policy.json
[oslo_messaging_rabbit]
rpc_backend = rabbit
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rabbit_userid = {{ ceilometer_rabbitmq_userid }}
rabbit_password = {{ ceilometer_rabbitmq_password }}
rabbit_virtual_host = {{ ceilometer_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}
[api]


@ -33,6 +33,10 @@ cinder_fatal_deprecations: False
cinder_galera_user: cinder
cinder_galera_database: cinder
## RabbitMQ info
cinder_rabbitmq_userid: cinder
cinder_rabbitmq_vhost: /cinder
## Cinder User / Group
cinder_system_user_name: cinder
cinder_system_group_name: cinder


@ -0,0 +1,37 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ cinder_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- cinder-rabbitmq
- cinder-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ cinder_rabbitmq_userid }}"
password: "{{ cinder_rabbitmq_password }}"
vhost: "{{ cinder_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- cinder-rabbitmq
- cinder-rabbitmq-user


@ -87,3 +87,7 @@
tags:
- sudoers
- cinder-sudoers
- include: cinder_messaging_setup.yml
when: >
inventory_hostname == groups['cinder_all'][0]


@ -92,7 +92,7 @@ default_volume_type = {{ cinder_default_volume_type }}
{% if cinder_backends is defined %}
enabled_backends={% for backend in cinder_backends|dictsort %}{{ backend.0 }}{% if not loop.last %},{% endif %}{% endfor %}
#Ceilometer configurations
#cinder configurations
{% if cinder_ceilometer_enabled %}
notification_driver = cinder.openstack.common.notifier.rpc_notifier
{% endif %}
@ -115,8 +115,9 @@ connection = mysql://{{ cinder_galera_user }}:{{ cinder_container_mysql_password
[oslo_messaging_rabbit]
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rabbit_userid = {{ cinder_rabbitmq_userid }}
rabbit_password = {{ cinder_rabbitmq_password }}
rabbit_virtual_host = {{ cinder_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}
[oslo_concurrency]
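Review bot: The comment at the head of the first hunk now reads `#cinder configurations` where the page shows `#Ceilometer configurations` being replaced, yet the block under it is the `{% if cinder_ceilometer_enabled %}` notifier toggle, so the new wording describes it less accurately than the old. If the rename was intentional, `# Ceilometer notification driver (controlled by cinder_ceilometer_enabled)` keeps the meaning. The messaging hunk below is consistent with the other services.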


@ -47,6 +47,10 @@ glance_enable_v1_registry: True
glance_enable_v2_api: True
glance_enable_v2_registry: True
## RabbitMQ info
glance_rabbitmq_userid: glance
glance_rabbitmq_vhost: /glance
## DB info
glance_galera_database: glance
glance_galera_user: glance


@ -0,0 +1,37 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ glance_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- glance-rabbitmq
- glance-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ glance_rabbitmq_userid }}"
password: "{{ glance_rabbitmq_password }}"
vhost: "{{ glance_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- glance-rabbitmq
- glance-rabbitmq-user


@ -80,3 +80,7 @@
tags:
- glance-dirs
- glance-logs
- include: glance_messaging_setup.yml
when: >
inventory_hostname == groups['glance_all'][0]


@ -35,8 +35,9 @@ notification_driver = {{ glance_notification_driver }}
rpc_backend = {{ glance_rpc_backend }}
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rabbit_userid = {{ glance_rabbitmq_userid }}
rabbit_password = {{ glance_rabbitmq_password }}
rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
rabbit_notification_exchange = glance
rabbit_notification_topic = notifications
rabbit_durable_queues = False


@ -20,7 +20,9 @@ limit_param_default = 25
notification_driver = {{ glance_notification_driver }}
rpc_backend = {{ glance_rpc_backend }}
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_password = {{ rabbitmq_password }}
rabbit_userid = {{ glance_rabbitmq_userid }}
rabbit_password = {{ glance_rabbitmq_password }}
rabbit_virtual_host = {{ glance_rabbitmq_vhost }}
{% endif %}
[database]


@ -34,6 +34,10 @@ heat_clients_heat_endpoint: publicURL
heat_galera_user: heat
heat_galera_database: heat
## RabbitMQ info
heat_rabbitmq_userid: heat
heat_rabbitmq_vhost: /heat
## RPC
heat_rpc_backend: heat.openstack.common.rpc.impl_kombu


@ -0,0 +1,37 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ heat_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- heat-rabbitmq
- heat-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ heat_rabbitmq_userid }}"
password: "{{ heat_rabbitmq_password }}"
vhost: "{{ heat_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- heat-rabbitmq
- heat-rabbitmq-user


@ -88,3 +88,7 @@
tags:
- heat-dirs
- heat-logs
- include: heat_messaging_setup.yml
when: >
inventory_hostname == groups['heat_all'][0]


@ -57,8 +57,9 @@ bind_port = {{ heat_watch_port }}
[oslo_messaging_rabbit]
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rabbit_userid = {{ heat_rabbitmq_userid }}
rabbit_password = {{ heat_rabbitmq_password }}
rabbit_virtual_host = {{ heat_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}


@ -78,6 +78,10 @@ keystone_database_min_pool_size: 5
keystone_database_max_pool_size: 120
keystone_database_pool_timeout: 30
## RabbitMQ info
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
## Role info
keystone_role_name: admin
keystone_default_role_name: _member_


@ -0,0 +1,37 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ keystone_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- keystone-rabbitmq
- keystone-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ keystone_rabbitmq_userid }}"
password: "{{ keystone_rabbitmq_password }}"
vhost: "{{ keystone_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- keystone-rabbitmq
- keystone-rabbitmq-user


@ -106,3 +106,7 @@
tags:
- keystone-dirs
- keystone-logs
- include: keystone_messaging_setup.yml
when: >
inventory_hostname == groups['keystone_all'][0]


@ -134,9 +134,11 @@ admin_port = {{ keystone_admin_port }}
public_port = {{ keystone_service_port }}
[oslo_messaging_rabbit]
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ keystone_rabbitmq_userid }}
rabbit_password = {{ keystone_rabbitmq_password }}
rabbit_virtual_host = {{ keystone_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
{% if keystone_sp is defined %}
[federation]
@ -147,3 +149,4 @@ trusted_dashboard = {{ item }}
{% endfor %}
{% endif %}
{% endif %}


@ -39,6 +39,10 @@ neutron_db_max_overflow: 20
neutron_db_pool_size: 120
neutron_db_pool_timeout: 30
## RabbitMQ info
neutron_rabbitmq_userid: neutron
neutron_rabbitmq_vhost: /neutron
## Plugins
neutron_plugin_core: neutron.plugins.ml2.plugin.Ml2Plugin
# Other plugins can be added to the system by simply extending the list `neutron_plugin_base`.


@ -0,0 +1,37 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ neutron_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- neutron-rabbitmq
- neutron-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ neutron_rabbitmq_userid }}"
password: "{{ neutron_rabbitmq_password }}"
vhost: "{{ neutron_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- neutron-rabbitmq
- neutron-rabbitmq-user


@ -92,3 +92,7 @@
tags:
- sudoers
- neutron-sudoers
- include: neutron_messaging_setup.yml
when: >
inventory_hostname == groups['neutron_all'][0]


@ -149,8 +149,9 @@ root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
# Messaging service
[oslo_messaging_rabbit]
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rabbit_userid = {{ neutron_rabbitmq_userid }}
rabbit_password = {{ neutron_rabbitmq_password }}
rabbit_virtual_host = {{ neutron_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}
# Concurrency (locking mechanisms)


@ -38,6 +38,10 @@ nova_db_max_overflow: 10
nova_db_max_pool_size: 120
nova_db_pool_timeout: 30
## RabbitMQ info
nova_rabbitmq_userid: nova
nova_rabbitmq_vhost: /nova
## RPC
nova_rpc_backend: nova.openstack.common.rpc.impl_kombu
nova_rpc_thread_pool_size: 64


@ -0,0 +1,37 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Ensure Rabbitmq vhost
rabbitmq_vhost:
name: "{{ nova_rabbitmq_vhost }}"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- nova-rabbitmq
- nova-rabbitmq-vhost
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ nova_rabbitmq_userid }}"
password: "{{ nova_rabbitmq_password }}"
vhost: "{{ nova_rabbitmq_vhost }}"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
delegate_to: "{{ groups['rabbitmq_all'][0] }}"
tags:
- nova-rabbitmq
- nova-rabbitmq-user


@ -109,3 +109,7 @@
tags:
- sudoers
- nova-sudoers
- include: nova_messaging_setup.yml
when: >
inventory_hostname == groups['nova_all'][0]


@ -226,10 +226,10 @@ lock_path = /var/lock/nova
[oslo_messaging_rabbit]
amqp_auto_delete = False
rabbit_port = {{ rabbitmq_port }}
rabbit_userid = {{ rabbitmq_userid }}
rabbit_password = {{ rabbitmq_password }}
rabbit_userid = {{ nova_rabbitmq_userid }}
rabbit_password = {{ nova_rabbitmq_password }}
rabbit_virtual_host = {{ nova_rabbitmq_vhost }}
rabbit_hosts = {{ rabbitmq_servers }}


@ -144,7 +144,7 @@ use = egg:swift#xprofile
paste.filter_factory = ceilometermiddleware.swift:filter_factory
control_exchange = swift
driver = messagingv2
url = rabbit://openstack:{{ rabbitmq_password }}@{{ groups['rabbitmq_all'][0] }}
url = rabbit://{{ ceilometer_rabbitmq_userid }}:{{ ceilometer_rabbitmq_password }}@{{ hostvars[groups['rabbitmq_all'][0]]['ansible_ssh_host'] }}:5672{{ ceilometer_rabbitmq_vhost }}
topic = notifications
log_level = WARN
{% endif %}
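Review bot: The rewritten `url =` line hardcodes `:5672` although `rabbitmq_port` is defined in the group variables and every other template in this change uses `{{ rabbitmq_port }}`; using it here keeps the proxy's notification endpoint consistent when the port is changed. The vhost is appended as `{{ ceilometer_rabbitmq_vhost }}`, i.e. `/ceilometer`, directly as the URL path, and transport-URL parsers generally strip the leading slash as the path separator, so the driver may look for a vhost named `ceilometer` rather than the `/ceilometer` the ceilometer messaging setup creates; this is worth confirming against a running proxy, and if it reproduces the path should be written as `/%2Fceilometer` (percent-encoded) or the vhost variable defined without the leading slash. Note the URL still addresses only the first rabbitmq host, as before, so these notifications have no failover.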


@ -38,8 +38,6 @@ rabbitmq_pip_packages:
- python-memcached
- pycrypto
rabbitmq_userid: rabbitmq
# Name of the rabbitmq cluster
rabbitmq_cluster_name: rabbitmq_cluster1


@ -46,18 +46,6 @@
- include: rabbitmq_restart.yml
when: rabbit_config_changed|changed or rabbitmq_plugin|changed or rabbitmq_queue_mirror|changed
- name: Ensure rabbitmq user
rabbitmq_user:
user: "{{ rabbitmq_userid }}"
password: "{{ rabbitmq_password }}"
vhost: "/"
configure_priv: ".*"
read_priv: ".*"
write_priv: ".*"
state: "present"
tags:
- rabbitmq-user
# This is being done because the rabbitctl command used by the module
# is not very effective at returning proper status codes for failure
# and the module does not error detection. until we can go upstream