activemq.xml.erb
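<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.apache.org/schema/core"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
  http://activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd
  http://activemq.apache.org/camel/schema/spring http://activemq.apache.org/camel/schema/spring/camel-spring.xsd">
  <!--
    ActiveMQ broker configuration for an MCollective middleware node, rendered
    from ERB. Template inputs referenced below: @fqdn, @plugin_activemq_pool_1_user,
    @plugin_activemq_pool_1_password, @amq_password, @qf, @clusterwith.

    NOTE(review): the rendered output must be well-formed XML. A bare "&" inside an
    attribute value (the connector URIs below) is a well-formedness error, so the
    query-string separators are written as "&amp;".
  -->
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <!--
      Externalised credentials are not loaded here; the locations property is
      commented out, so every secret in this file comes from the ERB variables.
    -->
    <!-- <property name="locations">
      <value>file:${activemq.base}/conf/credentials.properties</value>
    </property> -->
  </bean>

  <!--
    For more information about what MCollective requires in this file,
    see http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html
  -->

  <!--
    WARNING: The elements that are direct children of <broker> MUST BE IN
    ALPHABETICAL ORDER. This is fixed in ActiveMQ 5.6.0, but affects
    previous versions back to 5.4.
    https://issues.apache.org/jira/browse/AMQ-3570

    The children are kept in that order here: destinationPolicy, managementContext,
    networkConnectors, plugins, sslContext, systemUsage, transportConnectors.
    (networkConnectors previously sat after systemUsage, which violates the rule
    above on the affected versions; the order is irrelevant on 5.6.0 and later.)
  -->
  <!--
    persistent="false": nothing is written to a message store, so a broker restart
    drops in-flight messages. useJmx="true" with createConnector="false" (below)
    means JMX is enabled but the broker does not open a remote JMX connector itself.
  -->
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="<%= @fqdn %>" useJmx="true" schedulePeriodForDestinationPurge="60000" persistent="false" networkConnectorStartAsync="true">

    <!--
      MCollective generally expects producer flow control to be turned off.
      It will also generate a limitless number of single-use reply queues,
      which should be garbage-collected after about five minutes to conserve
      memory.
      For more information, see:
      http://activemq.apache.org/producer-flow-control.html
    -->
    <destinationPolicy>
      <policyMap>
        <policyEntries>
          <policyEntry topic=">" producerFlowControl="false" usePrefetchExtension="false">
            <messageEvictionStrategy>
              <oldestMessageEvictionStrategy/>
            </messageEvictionStrategy>
            <pendingMessageLimitStrategy>
              <constantPendingMessageLimitStrategy limit="0"/>
            </pendingMessageLimitStrategy>
          </policyEntry>
          <!--
            Reply queues are purged 300000 ms (5 min) after going inactive.
            "inactiveTimoutBeforeGC" is spelled this way in ActiveMQ itself; do not
            "correct" it.
          -->
          <policyEntry queue="*.reply.>" gcInactiveDestinations="true" inactiveTimoutBeforeGC="300000" />
        </policyEntries>
      </policyMap>
    </destinationPolicy>

    <managementContext>
      <managementContext createConnector="false"/>
    </managementContext>

    <!--
      Broker-to-broker links to every peer in @clusterwith, one pair per peer:
      one connector carries topics (queues excluded), the other carries queues
      (topics excluded). Both authenticate to the peer as "amq" over ssl:// on
      61617, so the peer's trust store decides whether this broker is accepted.
      networkTTL="2" bounds how many broker hops a message may traverse.
    -->
    <networkConnectors>
      <% @clusterwith.each do |partner| -%>
      <networkConnector
        name="<%= @fqdn %>-<%= partner %>-topics"
        uri="static:(ssl://<%= partner %>:61617)?useExponentialBackOff=false&amp;initialReconnectDelay=60000&amp;jms.prefetchPolicy.all=0"
        userName="amq"
        password="<%= @amq_password %>"
        duplex="true"
        decreaseNetworkConsumerPriority="true"
        networkTTL="2"
        dynamicOnly="true">
        <excludedDestinations>
          <queue physicalName=">" />
        </excludedDestinations>
      </networkConnector>
      <networkConnector
        name="<%= @fqdn %>-<%= partner %>-queues"
        uri="static:(ssl://<%= partner %>:61617)?useExponentialBackOff=false&amp;initialReconnectDelay=60000&amp;jms.prefetchPolicy.all=0"
        userName="amq"
        password="<%= @amq_password %>"
        duplex="true"
        decreaseNetworkConsumerPriority="true"
        networkTTL="2"
        dynamicOnly="true"
        conduitSubscriptions="false">
        <excludedDestinations>
          <topic physicalName=">" />
        </excludedDestinations>
      </networkConnector>
      <% end -%>
    </networkConnectors>

    <plugins>
      <statisticsBrokerPlugin/>

      <!--
        This configures the users and groups used by this broker. Groups
        are referenced below, in the write/read/admin attributes
        of each authorizationEntry element.

        NOTE(review): the "admin" user carries a static, well-known password and is
        in the "admins" group, which the authorization map below grants read/write/
        admin on every queue and topic. The other two users take their passwords
        from template variables; this one should be supplied the same way (or the
        entry removed) before the template is used outside a lab. Also note that
        the interpolated user name and passwords land in XML attribute values
        unescaped, so a value containing a quote or "&" will break the rendered file.
      -->
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="<%= @plugin_activemq_pool_1_user %>" password="<%= @plugin_activemq_pool_1_password %>" groups="mcollective,everyone"/>
          <authenticationUser username="amq" password="<%= @amq_password %>" groups="mcollective,everyone"/>
          <authenticationUser username="admin" password="secret" groups="mcollective,admins,everyone"/>
        </users>
      </simpleAuthenticationPlugin>

      <!--
        Configure which users are allowed to read and write where. Permissions
        are organized by group; groups are configured above, in the
        authentication plugin.
        With the rules below, both servers and admin users belong to group
        mcollective, which can both issue and respond to commands. For an
        example that splits permissions and doesn't allow servers to issue
        commands, see:
        http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#detailed-restrictions
      -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <!-- "admins" has full rights on every destination; the entries below carve out what "mcollective" may use. -->
              <authorizationEntry queue=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry topic=">" write="admins" read="admins" admin="admins" />
              <authorizationEntry topic="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
              <authorizationEntry queue="mcollective.>" write="mcollective" read="mcollective" admin="mcollective" />
              <authorizationEntry topic="ca.>" write="mcollective" read="mcollective" admin="mcollective" />
              <authorizationEntry queue="ca.>" write="mcollective" read="mcollective" admin="mcollective" />
              <!--
                One extra subcollective prefix per distinct owner and datacenter
                found in @qf (a hash whose values are hashes that may carry
                "owner" and "datacenter" keys). Sorted so the rendered file is stable.
                NOTE(review): these values are interpolated into attribute values
                unescaped; a prefix containing a quote, "<" or "&" would produce a
                malformed file, and a prefix containing ">" or "*" would widen the
                wildcard. Presumably they come from trusted inventory data - confirm.
              -->
              <%
              list = {}
              @qf.values.each do |h|
                if h['owner']
                  owner = h['owner']
                  list[owner] = 1
                end
                if h['datacenter']
                  datacenter = h['datacenter']
                  list[datacenter] = 1
                end
              end
              -%>
              <% list.keys.sort.each do |item| -%>
              <authorizationEntry topic="<%= item %>.>" write="mcollective" read="mcollective" admin="mcollective" />
              <authorizationEntry queue="<%= item %>.>" write="mcollective" read="mcollective" admin="mcollective" />
              <% end -%>
              <!--
                The advisory topics are part of ActiveMQ, and all users need access to them.
                The "everyone" group is not special; you need to ensure every user is a member.
              -->
              <authorizationEntry topic="ActiveMQ.Advisory.>" read="everyone" write="everyone" admin="everyone"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>

    <!--
      Key material for the ssl:// and stomp+nio+ssl transports. The trust store
      decides which client and peer-broker certificates are accepted when
      needClientAuth=true is set on a transport connector.
      NOTE(review): both store passwords are the literal "puppet"; treat them like
      the user passwords above and source them from a template variable.
    -->
    <sslContext>
      <sslContext
        keyStore="keystore.jks" keyStorePassword="puppet"
        trustStore="truststore.jks" trustStorePassword="puppet"
      />
    </sslContext>

    <!--
      The systemUsage controls the maximum amount of space the broker will
      use for messages. For more information, see:
      http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#memory-and-temp-usage-for-messages-systemusage
    -->
    <systemUsage>
      <systemUsage>
        <memoryUsage>
          <memoryUsage limit="6 gb"/>
        </memoryUsage>
        <storeUsage>
          <storeUsage limit="2 gb" name="foo"/>
        </storeUsage>
        <tempUsage>
          <tempUsage limit="2 gb"/>
        </tempUsage>
      </systemUsage>
    </systemUsage>

    <!--
      The transport connectors allow ActiveMQ to listen for connections over
      a given protocol. MCollective uses Stomp, and other ActiveMQ brokers
      use OpenWire. You'll need different URLs depending on whether you are
      using TLS. For more information, see:
      http://docs.puppetlabs.com/mcollective/deploy/middleware/activemq.html#transport-connectors

      Both listeners bind all interfaces and require a client certificate
      (needClientAuth=true), so TLS client auth gates the connection before the
      STOMP/OpenWire username and password are checked.
      NOTE(review): TLSv1 and TLSv1.1 are enabled alongside TLSv1.2; both older
      versions are deprecated. Trim the list to TLSv1.2 once every MCollective
      client and peer broker is known to negotiate it - left unchanged here
      because that would drop older clients.
    -->
    <transportConnectors>
      <transportConnector name="stomp+nio+ssl" uri="stomp+nio+ssl://0.0.0.0:61614?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2&amp;transport.hbGracePeriodMultiplier=5"/>
      <transportConnector name="openwire+nio+ssl" uri="nio+ssl://0.0.0.0:61617?needClientAuth=true&amp;transport.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2"/>
    </transportConnectors>

  </broker>
</beans>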