7:23 a.m.
Hey folks!
After a lot of asking around and quite a bit of testing on staging, I'm
ready to enable topic authorization on production. If your application does
not declare the `sent_topics` regexp in Ansible, it will only be allowed to
publish on topics that start with
`org.fedoraproject.{env}.{rabbit_username}.`.
This is just a heads-up. I'll watch the rabbitmq logs closely to see if
there are permission refused errors, in which case I'll try to contact the
app owner.
Fingers crossed! In theory all goes well :-D
Aurélien
10:43 a.m.
Done. The following users are not protected by ACLs (which means they can
send to any topics):
- notifs-web and notifs-backend, because we'll remove the old FMN soonish
- alt-src: I couldn't contact the owner (Siteshwar?). Related to CentOS
Stream. I tried to contact Brian Stinston.
- coreos: Same, couldn't contact the owner of this account.
- fedora-build-checks: Same story, I contacted Tim who redirected me to
msrb, but got no response.
All the other accounts are only allowed to send to the topics they have
defined in Ansible.
This opens the door to letting external services publish to our message
bus, since we can make sure they can only publish to their namespace.
Please tell me if you see anything erroring out when you publish messages,
I'll look at the logs which, helpfully, tell us when publishing to a topic
is refused.
Thanks!
Aurélien
4:22 p.m.
On Mon, Jul 10, 2023 at 11:44 AM Aurelien Bompard
<abompard(a)fedoraproject.org> wrote:
All the other accounts are only allowed to send to the topics they have defined in
Ansible.
This opens the door to letting external services publish to our message bus, since we can
make sure they can only publish to their namespace.
Awesome! When we're ready to start letting external services board the
bus, that would be a great Community Blog post.
--
Ben Cotton (he/him)
TZ=America/Indiana/Indianapolis
https://fedoraproject.org/wiki/User:Bcotton
1:42 a.m.
So, something broke, I forgot that the bodhi user also publishes to the
org.fedoraproject.{env}.pungi.
I fixed that now but there were quite a few messages rejected during my
night. It may be necessary to restart the compose.
Aurélien
Le lun. 10 juil. 2023 à 17:43, Aurelien Bompard <abompard(a)fedoraproject.org>
a écrit :
Done. The following users are not protected by ACLs (which means they
can
send to any topics):
- notifs-web and notifs-backend, because we'll remove the old FMN soonish
- alt-src: I couldn't contact the owner (Siteshwar?). Related to CentOS
Stream. I tried to contact Brian Stinston.
- coreos: Same, couldn't contact the owner of this account.
- fedora-build-checks: Same story, I contacted Tim who redirected me to
msrb, but got no response.
All the other accounts are only allowed to send to the topics they have
defined in Ansible.
This opens the door to letting external services publish to our message
bus, since we can make sure they can only publish to their namespace.
Please tell me if you see anything erroring out when you publish messages,
I'll look at the logs which, helpfully, tell us when publishing to a topic
is refused.
Thanks!
Aurélien
12:51 p.m.
On Tue, Jul 11, 2023 at 08:42:31AM +0200, Aurelien Bompard wrote:
So, something broke, I forgot that the bodhi user also publishes to
the
org.fedoraproject.{env}.pungi.
I fixed that now but there were quite a few messages rejected during my
night. It may be necessary to restart the compose.
All the composes seem to have finished ok, or failed and will be run
again tonight. ;)
kevin
302
days inactive
303
days old
infrastructure@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
Aurelien Bompard -
Ben Cotton -
Kevin Fenzi