The purpose of this spec is to adjust our current RabbitMQ setup to make better use of the available system resources by creating a vhost and user per consuming service within RabbitMQ.
Presently all services use the single root virtual host within RabbitMQ. While this is "OK" for small to mid sized deployments, it would be better to divide services into logical resource groups within RabbitMQ, which also brings additional security: each service's credentials are then confined to its own vhost.
All services that utilize RabbitMQ should have their own virtual host, user, and password.
Each role would use the upstream Ansible RabbitMQ user module to create a new user. The username will be customizable with a default being the same as the name of the service.
Each role will use the upstream Ansible RabbitMQ vhost module to create a new virtual host per service. The vhost will be customizable with a default being the same as the name of the service.
A password entry will be created within the user_secrets.yml file for each RabbitMQ service user.
The oslo config section of each service will be updated to use the new vhost name, username, and password.
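The following play shows the three role changes described above (vhost, user, oslo config) and the matching secret entry for one service. It is an added example, not code from the openstack-ansible roles or this spec. The service name (glance), the host groups rabbitmq_all and glance_all, the config path, and the variable names glance_rabbitmq_vhost, glance_rabbitmq_userid and glance_rabbitmq_password are assumptions; the password value is a constructed placeholder standing in for the user_secrets.yml entry.

```yaml
# Added example (not from the openstack-ansible roles). Assumed host groups,
# variable names and config path; the password is a constructed placeholder
# that would normally be read from user_secrets.yml.
- name: Give one service its own RabbitMQ vhost, user and oslo.messaging config
  hosts: glance_all
  become: true
  vars:
    service_name: glance
    # Role defaults: vhost and username default to the service name.
    glance_rabbitmq_vhost: "{{ service_name }}"
    glance_rabbitmq_userid: "{{ service_name }}"
    # Constructed placeholder; the real value is the user_secrets.yml entry.
    glance_rabbitmq_password: "CHANGE_ME_constructed_example"
  tasks:
    - name: Ensure the service vhost exists
      rabbitmq_vhost:
        name: "{{ glance_rabbitmq_vhost }}"
        state: present
      delegate_to: "{{ groups['rabbitmq_all'][0] }}"
      run_once: true

    - name: Ensure the service user exists with rights only on its own vhost
      rabbitmq_user:
        user: "{{ glance_rabbitmq_userid }}"
        password: "{{ glance_rabbitmq_password }}"
        vhost: "{{ glance_rabbitmq_vhost }}"
        # Permission regexes apply only to the vhost named above.
        configure_priv: ".*"
        read_priv: ".*"
        write_priv: ".*"
        state: present
      delegate_to: "{{ groups['rabbitmq_all'][0] }}"
      run_once: true
      no_log: true   # keep the password out of play output and logs

    - name: Point the service at the new vhost, user and password
      ini_file:
        dest: /etc/glance/glance-api.conf
        section: oslo_messaging_rabbit
        option: "{{ item.option }}"
        value: "{{ item.value }}"
      with_items:
        - { option: rabbit_virtual_host, value: "{{ glance_rabbitmq_vhost }}" }
        - { option: rabbit_userid, value: "{{ glance_rabbitmq_userid }}" }
        - { option: rabbit_password, value: "{{ glance_rabbitmq_password }}" }
      no_log: true
```

The user is granted configure, read and write rights on its own vhost only, so the credential carried in the service's config file cannot reach another service's queues; no_log keeps the password out of Ansible output. For the upgrade case the deployer adds the corresponding glance_rabbitmq_password line to user_secrets.yml before re-running the play.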
The alternative is to leave RabbitMQ the way it is, with all services sharing the root vhost.
There is no playbook impact. The proposed changes are made within the roles: ideally a simple default addition, two new tasks, and a small change within the oslo_messaging section of the service configuration files.
There will be an upgrade impact, as the user will need to add the new secret entries to the user_secrets.yml file. If this were accepted as a backport to Kilo, it would have to be targeted at a major version.
Separating the services into different vhosts with different users and passwords should improve security, and it brings the project more in line with what is described in the OpenStack Messaging Security documentation.
The separation of services into logical vhosts has not been reported to have any noticeable performance impact.
End user impact
The deployer will need to ensure they have password entries set within the user_secrets.yml file. This should not impact greenfield deployments; however, it will need to be covered in an upgrade.
- Primary assignee:
Add new RabbitMQ users for all services.
Add new RabbitMQ vhosts for all services.
Update all service configuration files to use the new vhost, user, and password.
The testing of this change is a convergence test. The gate job will exercise the changes on every commit.
Documentation will need to be updated in terms of upgrades to add the new variables.