Relaxing the AMQP broker permissions for authenticated users
by Jeremy Cline
Hi folks,
Over the last couple days I've been sorta-kinda helping Adam move OpenQA
to AMQP and he has, through no fault of his own, had a rough time of it.
The problems boil down to permissions issues and a lack of visibility
into the broker. I'd like to propose two changes so that folks can help
themselves rather than blindly guessing and hoping I am around (there is
a bus around every corner and lottery tickets in every shop).
Firstly, I propose we allow authenticated users to create objects in the
/pubsub (private) vhost using the AMQP client. These users already can
create objects, but they have to do it through Ansible roles rather than
through the AMQP object. Since the AMQP client configuration is checked
into Ansible, though, it's rather redundant to make them declare the
queue separately. When they don't declare it properly, they can't tell
and so it's actually quite a pain point. This is an easy change, we just
change all the accounts to have configure permissions.
Secondly, I propose we offer a read-only monitoring account to the web
interface RabbitMQ provides. One great thing about switching from ZeroMQ
to AMQP is that the broker gives us tons of tools to make monitoring and
debugging easier. Allowing users to easily see the objects in the broker
(queues, bindings, exchanges, connections) means they can solve their
own deployment problems rather than pinging me.
I think if we make an account with no AMQP permissions and the
"monitoring"[0] permission, folks should be able to see everything and
not be able to do anything destructive. Then it's just a question of how
to share the credentials (or just make the account name guest with the
username guest?) and how to expose the management UI port (just require
people to sshuttle?).
[0] https://www.rabbitmq.com/management.html#permissions
Thoughts?
- Jeremy
4 years, 10 months
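The permission model behind the two proposals above, as an added example that is not part of the original post or of Fedora's broker configuration: it models how RabbitMQ matches an account's configure/write/read regexes against resource names, and shows that a "monitoring" tag grants no AMQP operations on its own. The account names, queue names and patterns are constructed assumptions, including the choice to scope the configure pattern to the application's own prefix.

```python
import re
from dataclasses import dataclass

# Permissions each AMQP operation needs (RabbitMQ access-control model):
# every (permission, resource kind) pair must match the resource's name.
REQUIRED = {
    "queue.declare": [("configure", "queue")],
    "queue.delete": [("configure", "queue")],
    "queue.bind": [("write", "queue"), ("read", "exchange")],
    "basic.consume": [("read", "queue")],
    "basic.publish": [("write", "exchange")],
}

@dataclass(frozen=True)
class Account:
    name: str
    configure: str  # each permission is a regex over resource names
    write: str
    read: str
    tags: tuple = ()  # management UI tags; never consulted for AMQP operations

def allowed(acct, op, queue="", exchange=""):
    """Return True if the account may perform op on the named resources."""
    names = {"queue": queue, "exchange": exchange}
    return all(
        re.search(getattr(acct, perm), names[kind]) is not None
        for perm, kind in REQUIRED[op]
    )

# Constructed sample accounts; names and patterns are assumptions.
BEFORE = Account("openqa", configure="^$", write="^openqa", read=".*")
AFTER = Account("openqa", configure="^openqa", write="^openqa", read=".*")
MONITOR = Account("monitor", "^$", "^$", "^$", tags=("monitoring",))

def audit(acct, queue, exchange="amq.topic"):
    """Map each operation to whether acct may run it against queue/exchange."""
    return {op: allowed(acct, op, queue, exchange) for op in REQUIRED}

if __name__ == "__main__":
    for acct, queue in [(BEFORE, "openqa.scheduler"), (AFTER, "openqa.scheduler"),
                        (AFTER, "other.app"), (MONITOR, "openqa.scheduler")]:
        denied = [op for op, ok in audit(acct, queue).items() if not ok]
        print(f"{acct.name:8} {queue:18} denied: {denied or 'nothing'}")
```

With the configure pattern scoped to a prefix, the account can declare its own queues but still cannot declare or delete queues belonging to another application.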
I am no longer watching the infra repo
by Randy Barlow
Notice: I am no longer watching the infrastructure repo, because it
results in a huge volume of mail most of which is not relevant to me,
and I am about to take an extended leave of absence and don't want to
return to thousands of e-mails. However, due to a long-standing Pagure
bug[0], this means that mentioning me with @bowlofeggs will also not
result in an e-mail, nor will assigning an issue to me. Thus, if you
need my attention on something, you should contact me via some other
means.
I plan to watch the repo again once my extended leave ends.
[0] https://pagure.io/pagure/issue/2324
4 years, 10 months
taiga and fas login auth api integration
by Manas Mangaonkar
Hey,
GSoC intern here, want to fetch auth token for the user from
team.fedoraproject.taiga via the API to do stuff, but it seems there is
no integration on the API end. Would love some more information about
it.
Another thing I noticed is one should be able to log in via the normal
login via API even if the user is registered using FAS.
- Manas (Pac23)
4 years, 10 months
Meeting Agenda Item: Introduction Alisha Mohanty
by Alisha Mohanty
Hello, I am Alisha Mohanty (IRC handle - alishpapun, FASID - alishapapun), an Outreachy intern working for Fedora Happiness Packet this summer. My skill set includes Docker and Django, which are relevant to the project. But I am new to system administration. In Phase 2 of the Outreachy internship, we are looking forward to building a staging environment for our project and getting it deployed in a production environment. I am looking forward to having a good mentorship and a great time with you all.
4 years, 11 months
Meeting Agenda Item: Introduction Shraddha Agrawal
by Shraddha Agrawal
Hi!
I am Shraddha Agrawal, an Outreachy intern with Fedora this summer. My IRC
nick/ FAS ID is shraddhaag.
I'm working on Fedora Happiness Packet. In this phase of my internship,
we'll deploy the application using Docker containers to staging and
eventually automate deployment for production.
My skills that are relevant to the same include Django and Docker.
Thanks :)
Shraddha Agrawal
shraddha.agrawal000(a)gmail.com
4 years, 11 months
How to consume fedora-messaging?
by Igor Gnatenko
Hello,
I have been trying to write a script which would listen for the
generation of a new repository / a successful build being tagged in Koji
and do some actions locally. Or basically, whenever someone pushes commits,
I want to fetch the repo locally.
I was reading https://fedora-messaging.readthedocs.io/en/latest/consuming.html,
but it is not very clear to me where I can find a list of topics and
what data the messages will contain...
Bonus points to whoever can tell me how it knows which messages should be
re-queued and how to manipulate that.
Thanks!
4 years, 11 months
pastebin plans
by Kevin Fenzi
Greetings.
We are currently running modernpaste for paste.fedoraproject.org.
It's pretty dead upstream. The primary maintainer said they wanted to
make a v2 version that was a complete re-write. That was about a year
ago and nothing has happened since. ;( We have several outstanding
issues against it and some folks don't really like it. It's one of the
few things left we have that is using mariadb instead of postgres.
It collects spam and has to be cleaned up all the time.
So, we need a plan. I think our options are:
1) Just keep using modernpaste and hope it stays working/secure.
2) Reach out to CentOS folks and see if we can work out some way to
share a pastebin. Either rebrand things for both, have some way of
branding per virthost or at least run the same code so we can share
knowledge about it.
3) Just stop providing a pastebin and ask people to use any of the other
ones out there.
4) Find another supported open source one and run it in OpenShift.
(perhaps the community openshift since it should have a low SLE)
5) Your clever idea here.
Thoughts?
kevin
4 years, 11 months