Hey folks!
After a lot of asking around and quite a bit of testing on staging, I'm ready to enable topic authorization on production. If your application does not declare the `sent_topics` regexp in Ansible, it will only be allowed to publish on topics that start with `org.fedoraproject.{env}.{rabbit_username}.`.
This is just a heads-up. I'll watch the rabbitmq logs closely to see if there are permission refused errors, in which case I'll try to contact the app owner.
Fingers crossed! In theory all goes well :-D
Aurélien
Done. The following users are not protected by ACLs (which means they can send to any topics):
- notifs-web and notifs-backend, because we'll remove the old FMN soonish
- alt-src: I couldn't contact the owner (Siteshwar?). Related to CentOS Stream. I tried to contact Brian Stinston.
- coreos: Same, couldn't contact the owner of this account.
- fedora-build-checks: Same story, I contacted Tim who redirected me to msrb, but got no response.
All the other accounts are only allowed to send to the topics they have defined in Ansible. This opens the door to letting external services publish to our message bus, since we can make sure they can only publish to their namespace. Please tell me if you see anything erroring out when you publish messages, I'll look at the logs which, helpfully, tell us when publishing to a topic is refused. Thanks!
Aurélien
On Mon, Jul 10, 2023 at 11:44 AM Aurelien Bompard abompard@fedoraproject.org wrote:
All the other accounts are only allowed to send to the topics they have defined in Ansible. This opens the door to letting external services publish to our message bus, since we can make sure they can only publish to their namespace.
Awesome! When we're ready to start letting external services board the bus, that would be a great Community Blog post.
So, something broke, I forgot that the bodhi user also publishes to the org.fedoraproject.{env}.pungi. I fixed that now but there were quite a few messages rejected during my night. It may be necessary to restart the compose.
Aurélien
On Mon, Jul 10, 2023 at 17:43, Aurelien Bompard abompard@fedoraproject.org wrote:
Done. The following users are not protected by ACLs (which means they can send to any topics):
- notifs-web and notifs-backend, because we'll remove the old FMN soonish
- alt-src: I couldn't contact the owner (Siteshwar?). Related to CentOS Stream. I tried to contact Brian Stinston.
- coreos: Same, couldn't contact the owner of this account.
- fedora-build-checks: Same story, I contacted Tim who redirected me to msrb, but got no response.
All the other accounts are only allowed to send to the topics they have defined in Ansible. This opens the door to letting external services publish to our message bus, since we can make sure they can only publish to their namespace. Please tell me if you see anything erroring out when you publish messages, I'll look at the logs which, helpfully, tell us when publishing to a topic is refused. Thanks!
Aurélien
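As an added illustration (not code from the thread or from Fedora infra), here is a small model of the policy described above: a publisher with no `sent_topics` regexp is confined to `org.fedoraproject.{env}.{rabbit_username}.`, a declared regexp replaces that default, and a few accounts are left unrestricted. Running a "preflight" over intended publishes shows the bodhi/pungi refusal before the fix and the accepted publish after a broader regexp is declared. Topic names, the env value `prod`, and the regexp used for the fix are constructed for the example.

```python
import re

# Constructed default namespace rule from the thread (regexp anchored at the start).
DEFAULT_NAMESPACE = r"^org\.fedoraproject\.{env}\.{user}\."


def allowed_topic_regex(user, env, sent_topics=None):
    """Compile the regexp `user` may publish to: the declared `sent_topics`, or its own namespace."""
    if sent_topics:
        return re.compile(sent_topics)
    return re.compile(DEFAULT_NAMESPACE.format(env=re.escape(env), user=re.escape(user)))


def check_publish(user, topic, env, sent_topics=None):
    """True if the broker would accept `topic` from `user` under the derived ACL."""
    return allowed_topic_regex(user, env, sent_topics).match(topic) is not None


def preflight(declared, intents, env="prod", unrestricted=frozenset()):
    """Simulate (user, topic) publishes and return the ones that would be refused.

    `declared` maps rabbit username -> sent_topics regexp (None means "not declared").
    `unrestricted` lists accounts deliberately left without topic ACLs.
    """
    refused = []
    for user, topic in intents:
        if user in unrestricted:
            continue
        if not check_publish(user, topic, env, declared.get(user)):
            refused.append((user, topic))
    return refused


if __name__ == "__main__":
    # Constructed publish intents: bodhi emits both bodhi.* and pungi.* messages.
    intents = [
        ("bodhi", "org.fedoraproject.prod.bodhi.update.request.testing"),
        ("bodhi", "org.fedoraproject.prod.pungi.compose.start"),
        ("notifs-web", "org.fedoraproject.prod.anything.at.all"),
    ]
    before = {"bodhi": None}  # no sent_topics declared: default namespace only
    after = {"bodhi": r"^org\.fedoraproject\.prod\.(bodhi|pungi)\."}  # constructed fix
    exempt = {"notifs-web", "notifs-backend"}
    print("refused before fix:", preflight(before, intents, unrestricted=exempt))
    print("refused after fix: ", preflight(after, intents, unrestricted=exempt))
```

Checking new or changed `sent_topics` values this way against the topics an application actually emits is a cheap way to catch a refusal before it silently drops a night of compose messages.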
On Tue, Jul 11, 2023 at 08:42:31AM +0200, Aurelien Bompard wrote:
So, something broke, I forgot that the bodhi user also publishes to the org.fedoraproject.{env}.pungi. I fixed that now but there were quite a few messages rejected during my night. It may be necessary to restart the compose.
All the composes seem to have finished ok, or failed and will be run again tonight. ;)
kevin
infrastructure@lists.fedoraproject.org