From b5b2bb9af4149304286734ab75f42d2b2730f2b2 Mon Sep 17 00:00:00 2001 From: wade-holler Date: Tue, 17 May 2016 18:46:38 +0000 Subject: [PATCH] Add RabbitMQ mgmt UI through HAProxy Backgroud: Bug Requests ability to access RabbitMQ management UI through HAproxy Approach: --Add rabbitmq ui port 15672 to HAProxy --DO NOT Add monitoring user by default, instead key on existence of rabbitmw_monitoring_userid in user_variables.yml --ADD user_variables.yml update per above with explanation --Add "monitoring" user to rabbitmq for monitoring with "monitoring" user tag --Add monitoring user passwd var to user_secrets --Add features: release note Closes-Bug: 1446434 Change-Id: Idaf02cad6bb292d02f1cf6a733dbbc6ff4b4435e --- etc/openstack_deploy/user_secrets.yml | 1 + etc/openstack_deploy/user_variables.yml | 6 ++++++ playbooks/rabbitmq-install.yml | 14 ++++++++++++++ playbooks/vars/configs/haproxy_config.yml | 12 ++++++++++++ ...-management-ui-haproxy-e9f9ec0343484f2d.yaml | 17 +++++++++++++++++ 5 files changed, 50 insertions(+) create mode 100644 releasenotes/notes/rabbitmw-management-ui-haproxy-e9f9ec0343484f2d.yaml diff --git a/etc/openstack_deploy/user_secrets.yml b/etc/openstack_deploy/user_secrets.yml index 42204c6a76..05265c527a 100644 --- a/etc/openstack_deploy/user_secrets.yml +++ b/etc/openstack_deploy/user_secrets.yml @@ -22,6 +22,7 @@ ## Rabbitmq Options rabbitmq_cookie_token: +rabbitmq_monitoring_password: ## Tokens memcached_encryption_key: diff --git a/etc/openstack_deploy/user_variables.yml b/etc/openstack_deploy/user_variables.yml index 067b48c37e..e50cd2b9a8 100644 --- a/etc/openstack_deploy/user_variables.yml +++ b/etc/openstack_deploy/user_variables.yml 
@@ -108,6 +108,12 @@ debug: false # is highly recommended for securing the contents of RabbitMQ messages. # rabbitmq_use_ssl: false +# RabbitMQ management plugin is enabled by default, the guest user has been +# removed for security reasons and a new userid 'monitoring' has been created +# with the 'monitoring' user tag. In order to modify the userid, uncomment the +# following and change 'monitoring' to your userid of choice. +# rabbitmq_monitoring_userid: monitoring + ## Additional pinning generator that will allow for more packages to be pinned as you see fit. ## All pins allow for package and versions to be defined. Be careful using this as versions diff --git a/playbooks/rabbitmq-install.yml b/playbooks/rabbitmq-install.yml index 796728cefa..5fc581dadc 100644 --- a/playbooks/rabbitmq-install.yml +++ b/playbooks/rabbitmq-install.yml @@ -69,3 +69,17 @@ tags: - "rabbitmq-rsyslog-client" - "rsyslog-client" + +- name: Ensure rabbitmq user for monitoring GUI + hosts: rabbitmq_all[0] + user: root + tasks: + - name: Create rabbitmq user for monitoring GUI + rabbitmq_user: + user: "{{ rabbitmq_monitoring_userid|default('monitoring') }}" + password: "{{ rabbitmq_monitoring_password }}" + state: "present" + tags: "monitoring" + when: rabbitmq_monitoring_password is defined + tags: + - "rabbitmq_monitoring_user" diff --git a/playbooks/vars/configs/haproxy_config.yml b/playbooks/vars/configs/haproxy_config.yml index a7ff1765d0..ebec2ac6b6 100644 --- a/playbooks/vars/configs/haproxy_config.yml +++ b/playbooks/vars/configs/haproxy_config.yml 
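Review bot: The comment added to `user_variables.yml` says the `monitoring` user "has been created" and the guest user "has been removed", but the play added to `playbooks/rabbitmq-install.yml` in this commit creates the user only when `rabbitmq_monitoring_password` is defined. Nothing in this diff removes `guest`; that may happen in the role, which is not visible here. A deployer reading the comment could assume the management UI already has a restricted login when no such account exists. I would state the condition instead, e.g. `# A 'monitoring' user (tag 'monitoring') is created only when rabbitmq_monitoring_password is set in user_secrets.yml.`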
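Review bot: The `when: rabbitmq_monitoring_password is defined` guard on the new task in `playbooks/rabbitmq-install.yml` is true even when the variable is present but empty, which is the state the `user_secrets.yml` hunk ships (`rabbitmq_monitoring_password:` with no value). If that template is used without generating a value, the task would presumably run with a null or empty password for an account this commit also exposes through HAProxy on port 15672. Requiring a non-empty value, `when: rabbitmq_monitoring_password | default('', true) | length > 0`, keeps the "no password, no user" behaviour the release note describes. Adding `no_log: true` to the task would also keep the password out of verbose play output.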
@@ -201,3 +201,15 @@ haproxy_service_configs: haproxy_balance_type: http haproxy_backend_options: - "httpchk HEAD /" + - service: + haproxy_service_name: rabbitmq_mgmt + haproxy_backend_nodes: "{{ groups['rabbitmq'] | default([]) }}" + haproxy_ssl: "{{ haproxy_ssl }}" + haproxy_port: 15672 + haproxy_balance_type: http + haproxy_backend_options: + - "httpchk HEAD /" + haproxy_whitelist_networks: + - 192.168.0.0/16 + - 172.16.0.0/12 + - 10.0.0.0/8 diff --git a/releasenotes/notes/rabbitmw-management-ui-haproxy-e9f9ec0343484f2d.yaml b/releasenotes/notes/rabbitmw-management-ui-haproxy-e9f9ec0343484f2d.yaml new file mode 100644 index 0000000000..fe1faac013 --- /dev/null +++ b/releasenotes/notes/rabbitmw-management-ui-haproxy-e9f9ec0343484f2d.yaml @@ -0,0 +1,17 @@ +--- +features: + - The RabbitMQ Management UI is now available + through HAProxy on port 15672. The default + userid is ``monitoring``. This user can be + modified by changing the parameter + ``rabbitmq_monitoring_userid`` in the file + ``user_variables.yml``. Please note that ACLs + have been added to this HAProxy service by + default, such that it may only be accessed by + common internal clients. Reference + ``playbooks/vars/configs/haproxy_config.yml`` +upgrade: + - The variable ``rabbitmq_monitoring_password`` + has been added to ``user_secrets.yml``. If + this variable does not exist, the RabbitMQ + monitoring user will not be created.
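Review bot: The `haproxy_whitelist_networks` list on the new `rabbitmq_mgmt` service hard-codes all three RFC 1918 ranges, so any privately addressed host that can route to the load balancer can reach the management login on 15672, not only operator or monitoring hosts. The management UI authenticates with HTTP basic auth, so the monitoring password crosses the client-to-HAProxy leg in clear text whenever `haproxy_ssl` is false. I would take the list from a deployer-overridable variable that defaults to the current ranges, for example a new variable such as `haproxy_whitelist_networks: "{{ haproxy_rabbitmq_management_whitelist_networks }}"`, and add a comment recommending it be narrowed to the management network. The `haproxy_service_configs` list begins outside this hunk.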