From 869e3f21c2e929c8d6731a09e0283ced92cdbf6a Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang <zhang.lei.fly@gmail.com>
Date: Wed, 29 Apr 2020 13:34:45 +0800
Subject: [PATCH] Configure RabbitMQ user tags in nova-cell role

The RabbitMQ 'openstack' user has the 'administrator' tag assigned via
the RabbitMQ definitions.json file.

Since the Train release, the nova-cell role also configures the RabbitMQ
user, but omits the tag. This causes the tag to be removed from the
user, which prevents it from accessing the management UI and API.

This change adds support for configuring user tags to the
service-rabbitmq role, and sets the administrator tag by default.

Change-Id: I7a5d6fe324dd133e0929804d431583e5b5c1853d
Closes-Bug: #1875786
---
 ansible/roles/nova-cell/defaults/main.yml                  | 5 +++++
 ansible/roles/service-rabbitmq/defaults/main.yml           | 1 +
 ansible/roles/service-rabbitmq/tasks/main.yml              | 1 +
 .../notes/fix-rabbitmq-user-tags-8c9d626b28ff5d51.yaml     | 7 +++++++
 4 files changed, 14 insertions(+)
 create mode 100644 releasenotes/notes/fix-rabbitmq-user-tags-8c9d626b28ff5d51.yaml

diff --git a/ansible/roles/nova-cell/defaults/main.yml b/ansible/roles/nova-cell/defaults/main.yml
index 9d52b5647..7aaa1b826 100644
--- a/ansible/roles/nova-cell/defaults/main.yml
+++ b/ansible/roles/nova-cell/defaults/main.yml
@@ -161,6 +161,8 @@ nova_cell_rpc_port: "{{ om_rpc_port }}"
 nova_cell_rpc_group_name: "{{ om_rpc_group }}"
 nova_cell_rpc_transport: "{{ om_rpc_transport }}"
 nova_cell_rpc_vhost: "{{ 'nova_' ~ nova_cell_name if nova_cell_name else om_rpc_vhost }}"
+nova_cell_rpc_tags:
+  - "administrator"
 
 nova_cell_notify_user: "{{ nova_cell_rpc_user }}"
 nova_cell_notify_password: "{{ nova_cell_rpc_password }}"
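Review bot: The new `nova_cell_rpc_tags` default grants the `administrator` management tag to whichever account `nova_cell_rpc_user` resolves to, and nothing beside the variable says so. This restores the tag for the shared `openstack` user as the commit describes, but a deployment that overrides the RPC user (or the notification user, which inherits the list through `nova_cell_notify_tags` in the next hunk) with a dedicated per-cell account would give that account full management UI/API rights it does not need for messaging. A comment above the variable would make the override visible, e.g. `# RabbitMQ management tags for the cell RPC user; set to [] for a dedicated account that needs no management access.` The definition of `nova_cell_rpc_user` is outside the hunk, so whether a per-cell default already exists cannot be confirmed from here.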
@@ -168,6 +170,7 @@ nova_cell_notify_port: "{{ nova_cell_rpc_port }}"
 nova_cell_notify_group_name: "{{ nova_cell_rpc_group_name }}"
 nova_cell_notify_transport: "{{ nova_cell_rpc_transport }}"
 nova_cell_notify_vhost: "{{ nova_cell_rpc_vhost }}"
+nova_cell_notify_tags: "{{ nova_cell_rpc_tags }}"
 
 # External Rabbit users should override these
 nova_cell_rpc_transport_url: "{{ nova_cell_rpc_transport }}://{% for host in groups[nova_cell_rpc_group_name] %}{{ nova_cell_rpc_user }}:{{ nova_cell_rpc_password }}@{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:{{ nova_cell_rpc_port }}{% if not loop.last %},{% endif %}{% endfor %}/{{ nova_cell_rpc_vhost }}"
@@ -178,10 +181,12 @@ nova_cell_rpc_rabbitmq_users:
   - user: "{{ nova_cell_rpc_user }}"
     password: "{{ nova_cell_rpc_password }}"
     vhost: "{{ nova_cell_rpc_vhost }}"
+    tags: "{{ nova_cell_rpc_tags }}"
 nova_cell_notify_rabbitmq_users:
   - user: "{{ nova_cell_notify_user }}"
     password: "{{ nova_cell_notify_password }}"
     vhost: "{{ nova_cell_notify_vhost }}"
+    tags: "{{ nova_cell_notify_tags }}"
 
 ####################
 # Docker
diff --git a/ansible/roles/service-rabbitmq/defaults/main.yml b/ansible/roles/service-rabbitmq/defaults/main.yml
index df99fac87..291430c86 100644
--- a/ansible/roles/service-rabbitmq/defaults/main.yml
+++ b/ansible/roles/service-rabbitmq/defaults/main.yml
@@ -21,5 +21,6 @@ service_rabbitmq_delay: 10
 # 'user'
 # 'password'
 # 'vhost'
+# 'tags'
 # Virtual hosts in this list will also be created.
 service_rabbitmq_users: []
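Review bot: The added `# 'tags'` line reads as a fourth required key, but the task treats it as optional and expects a list. The comment should say so, and should state what omitting it does, since the commit description reports that configuring a user without tags removes the tags it already had. Suggested wording: `# 'tags' (optional list of RabbitMQ user tags; when omitted the user is configured with no tags)`. The comment block this line belongs to starts above the hunk.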
diff --git a/ansible/roles/service-rabbitmq/tasks/main.yml b/ansible/roles/service-rabbitmq/tasks/main.yml
index 45f8f021e..ae8f87a74 100644
--- a/ansible/roles/service-rabbitmq/tasks/main.yml
+++ b/ansible/roles/service-rabbitmq/tasks/main.yml
@@ -22,6 +22,7 @@
           vhost: "{{ item.vhost }}"
           configure_priv: ".*"
           read_priv: ".*"
+          tags: "{{ item.tags | default([]) | join(',') }}"
           write_priv: ".*"
         user: rabbitmq
       loop: "{{ service_rabbitmq_users }}"
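Review bot: A `tags` value supplied as a plain string is iterated character by character by `join(',')` on the added line, so `tags: "administrator"` would be rendered as `a,d,m,…` instead of one tag, and the user would silently lose the intended tag. Accepting both shapes avoids that, e.g. `tags: "{{ ([item.tags] if item.tags is string else item.tags | default([])) | join(',') }}"`. As a style point, the new key sits between `read_priv` and `write_priv`; placing it after `write_priv` keeps the three permission patterns together. The task this belongs to begins above the hunk, so the module receiving these arguments is not visible here.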
diff --git a/releasenotes/notes/fix-rabbitmq-user-tags-8c9d626b28ff5d51.yaml b/releasenotes/notes/fix-rabbitmq-user-tags-8c9d626b28ff5d51.yaml
new file mode 100644
index 000000000..ec6c1a848
--- /dev/null
+++ b/releasenotes/notes/fix-rabbitmq-user-tags-8c9d626b28ff5d51.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes an issue with RabbitMQ where tags would be removed from the
+    ``openstack`` user after deploying Nova. This prevents the user from
+    accessing the RabbitMQ management UI. `LP#1875786
+    <https://launchpad.net/bugs/1875786>`__
-- 
GitLab