#8167 Adding topic authorization to our RabbitMQ instances
Opened a month ago by abompard. Modified 4 days ago

Community applications will want to publish messages on the bus (like election in its future CommunityShift home). Currently, any read-write account can publish to any topic, which can be a security issue.

Starting with RabbitMQ 3.7.0, topic authorization is possible, but the version we are running is 3.6.0 since that's what's in EPEL7. If we want to have topic authorizations, we need to upgrade RabbitMQ. Making an infra-specific package seems like a bad idea because of the maintenance it involves. The other way would be to upgrade the servers to RHEL8.

Turns out, rhel8 doesn't seem to have the rabbitmq server in it, only the client libraries. :(

Will have to ponder on a solution here...

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: rabbitmq

a month ago

Metadata Update from @cverna:
- Issue tagged with: backlog

a month ago

A Fedora host?

@abompard do you have any experience/clues on how to upgrade a rabbitmq cluster
from an OS version to another?

I don't... yet! But @jcline may know, and it's very probably in the docs. Others have had this need before us.

EPEL actually comes with 3.3 or something, we are getting it from the OpenStack channel as far as I know. From what I understand 3.7 will come with the next OpenStack release, no idea on the timeline.

Upgrade docs are https://www.rabbitmq.com/upgrade.html

OS15 comes with 3.7.x... for rhel8.

So, we need fasClient working on rhel8 and enough epel8 stuff for us to run things on rhel8 and then we can use the newer one from os15.

Login to comment on this ticket.