Merge "Add configurable rabbitmq monitoring user"

ansible/group_vars/all.yml

@@ -492,6 +492,7 @@ enable_kibana: "{{ 'yes' if enable_central_logging | bool else 'no' }}"
 ####################
 rabbitmq_hipe_compile: "no"
 rabbitmq_user: "openstack"
+rabbitmq_monitoring_user: ""
 rabbitmq_version: "rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x.ez/rabbitmq_clusterer-3.6.x-667f92b0/ebin"
 outward_rabbitmq_user: "openstack"
 

ansible/roles/rabbitmq/templates/definitions.json.j2

@@ -5,12 +5,14 @@
     {% endif %}
   ],
   "users": [
-    {"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if project_name == 'outward_rabbitmq' %},
+    {"name": "{{ role_rabbitmq_user }}", "password": "{{ role_rabbitmq_password }}", "tags": "administrator"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
+    {"name": "{{ role_rabbitmq_monitoring_user }}", "password": "{{ role_rabbitmq_monitoring_password }}", "tags": "monitoring"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
     {"name": "{{ murano_agent_rabbitmq_user }}", "password": "{{ murano_agent_rabbitmq_password }}", "tags": "management"}
     {% endif %}
   ],
   "permissions": [
-    {"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if project_name == 'outward_rabbitmq' %},
+    {"user": "{{ role_rabbitmq_user }}", "vhost": "/", "configure": ".*", "write": ".*", "read": ".*"}{% if role_rabbitmq_monitoring_user is defined and role_rabbitmq_monitoring_user %},
+    {"user": "{{ role_rabbitmq_monitoring_user }}", "vhost": "/", "configure": "^$", "write": "^$", "read": ".*"}{% endif %}{% if project_name == 'outward_rabbitmq' %},
     {"user": "{{ murano_agent_rabbitmq_user }}", "vhost": "{{ murano_agent_rabbitmq_vhost }}", "configure": ".*", "write": ".*", "read": ".*"}
     {% endif %}
   ],

ansible/site.yml

@@ -180,6 +180,8 @@
         role_rabbitmq_epmd_port: '{{ rabbitmq_epmd_port }}',
         role_rabbitmq_groups: rabbitmq,
         role_rabbitmq_management_port: '{{ rabbitmq_management_port }}',
+        role_rabbitmq_monitoring_password: '{{ rabbitmq_monitoring_password }}',
+        role_rabbitmq_monitoring_user: '{{ rabbitmq_monitoring_user }}',
         role_rabbitmq_password: '{{ rabbitmq_password }}',
         role_rabbitmq_port: '{{ rabbitmq_port }}',
         role_rabbitmq_user: '{{ rabbitmq_user }}',

etc/kolla/passwords.yml

@@ -208,6 +208,7 @@ qdrouterd_password:
 # RabbitMQ options
 ####################
 rabbitmq_password:
+rabbitmq_monitoring_password:
 rabbitmq_cluster_cookie:
 outward_rabbitmq_password:
 outward_rabbitmq_cluster_cookie:

releasenotes/notes/bp-add-monitoring-user-for-rabbit-d869cddde8e8c5f3.yaml

@@ -0,0 +1,21 @@
+---
+features:
+  - |
+    Kolla-Ansible now supports creating a monitoring
+    user for RabbitMQ.
+    As an operator I want to be able to monitor the status
+    of RabbitMQ by collecting metrics such as queue length,
+    message rates (globally and per channel), and information
+    about resource usage on the host, such as memory use,
+    open file descriptors and the state of the cluster. Whilst
+    it is possible to gather all of this information using
+    the OpenStack RabbitMQ user configured by Kolla Ansible,
+    this user has write access to the OpenStack vhost. This
+    feature adds a monitoring user which has access to all of
+    the information described above, but does not have write
+    access. An example of a service which may use the
+    monitoring user is the RabbitMQ plugin for the Monasca
+    Agent. As not all users will configure monitoring, by
+    default the monitoring user is disabled. To create it,
+    the user should override the rabbitmq_monitoring_user
+    variable.