#8227 Need permissions for "coreos" user to publish on fedora-messaging
Closed: Fixed a month ago by jlebon. Opened a month ago by jlebon.

In #7940, "coreos" credentials were created so that the Fedora CoreOS pipeline could send messages to fedora-messaging. However, the credentials don't seem to work.

This is the config we're working with:

$ head my_config.toml -n 7
amqp_url = "amqps://coreos:@rabbitmq.fedoraproject.org/%2Fpubsub"
callback = "fedora_messaging.example:printer"

[tls]
ca_cert = "/etc/fedora-messaging/cacert.pem"
keyfile = "coreos.key"
certfile = "coreos.crt"

Trying it out:

$ fedora-messaging --conf my_config.toml consume
[INFO fedora_messaging.cli] Starting consumer with fedora_messaging.example:printer callback
[INFO fedora_messaging._session] Authenticating with server using x509 (certfile: coreos.crt, keyfile: coreos.key)
[INFO twisted] Starting factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[WARNING pika.channel] Received remote Channel.Close (403): "ACCESS_REFUSED - access to queue 'new' in vhost '/pubsub' refused for user 'coreos'" on <Channel number=2 OPEN conn=<pika.adapters.twisted_connection._TwistedConnectionAdapter object at 0x7f042e269c90>>
[ERROR fedora_messaging.cli] Unable to declare the queue object on the AMQP broker. The broker responded with (403, "ACCESS_REFUSED - access to queue 'new' in vhost '/pubsub' refused for user 'coreos'"). Check permissions for your user.
[INFO fedora_messaging.twisted.protocol] Waiting for 0 consumer(s) to finish processing before halting
[INFO fedora_messaging.twisted.protocol] Finished canceling 0 consumers
[INFO twisted] Stopping factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[INFO fedora_messaging.twisted.protocol] Disconnect requested, but AMQP connection already gone
[INFO twisted] Main loop terminated.

I'm happy to send whatever patches are necessary, though I will need some guidance on what the SOP is for this (from discussions in #7940, it seemed like that was still being discussed).

This is almost a blocker for us now as we get ready to integrate with the recent RoboSignatory work that went into supporting the releng side of this.


You need to use Ansible to create the queue in RabbitMQ - the broker does not allow client connections to create queues. For example, Bodhi creates its queue here:

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/playbooks/openshift-apps/bodhi.yml#n25

Metadata Update from @bowlofeggs:
- Issue priority set to: Waiting on Reporter (was: Needs Review)
- Issue tagged with: rabbitmq

a month ago

The user is created in ansible/roles/rabbitmq_cluster/tasks/apps.yml, but possibly there needs to be a queue defined as well there?

Got some feedback from @abompard (thanks!) and sent a v2 version: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/thread/2ME72L42FPNE2IB7RJGYA5BXCN7RMGGL/

The queue role already creates the associated user, so we can merge the two tasks.

So, the above patch was committed and the Ansible playbook was run, yet this is still failing:

$ fedora-messaging --conf my_config.toml consume
[INFO fedora_messaging.cli] Starting consumer with fedora_messaging.example:printer callback
[INFO fedora_messaging._session] Authenticating with server using x509 (certfile: coreos.crt, keyfile: coreos.key)
[INFO twisted] Starting factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[WARNING pika.channel] Received remote Channel.Close (403): "ACCESS_REFUSED - access to queue 'coreos' in vhost '/pubsub' refused for user 'coreos'" on <Channel number=2 OPEN conn=<pika.adapters.twisted_connection._TwistedConnectionAdapter object at 0x7f97bd73e250>>
[ERROR fedora_messaging.cli] Unable to declare the queue object on the AMQP broker. The broker responded with (403, "ACCESS_REFUSED - access to queue 'coreos' in vhost '/pubsub' refused for user 'coreos'"). Check permissions for your user.
[INFO fedora_messaging.twisted.protocol] Waiting for 0 consumer(s) to finish processing before halting
[INFO fedora_messaging.twisted.protocol] Finished canceling 0 consumers
[INFO twisted] Stopping factory FedoraMessagingFactoryV2(parameters=<URLParameters host=rabbitmq.fedoraproject.org port=5671 virtual_host=/pubsub ssl=True>, confirms=True)
[INFO fedora_messaging.twisted.protocol] Disconnect requested, but AMQP connection already gone
[INFO twisted] Main loop terminated.

At this point, I'm thinking this might be user error. Here's the config I'm using:

amqp_url = "amqps://coreos:@rabbitmq.fedoraproject.org/%2Fpubsub"
callback = "fedora_messaging.example:printer"

[tls]
ca_cert = "/etc/fedora-messaging/cacert.pem"
keyfile = "coreos.key"
certfile = "coreos.crt"

[client_properties]
app = "Example Application"
app_url = "https://github.com/fedora-infra/fedora-messaging"
app_contacts_email = ["jcline@fedoraproject.org"]

[exchanges."amq.topic"]
type = "topic"
durable = true
auto_delete = false
arguments = {}

[queues.coreos]
durable = true
auto_delete = false
exclusive = true
arguments = {}

[[bindings]]
queue = "coreos"
exchange = "amq.topic"
routing_keys = ["#"]  # Set this to the specific topics you are interested in.

[consumer_config]
example_key = "for my consumer"

[qos]
prefetch_size = 0
prefetch_count = 25

Can someone sanity check it?

Yes, you need to set passive_declares = true in the main section (below amqp_url or callback for example).

@abompard Ahh right that makes sense. Thanks, that fixed it.

The only remaining piece then is https://pagure.io/fedora-infrastructure/issue/8189 before we can fully test the new signing approach.

Will close this one out now.
Thanks all!

Metadata Update from @jlebon:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a month ago
