Allow to use Keystone via 'keystone/api' network

Restrict access to Keystone API from network with 'keystone/api' role, so from outside a cloud it could be reached only via public VIP. Change-Id: I6e2004e53591e0cc0b2a5b43a83532d3de9aef9a Closes-bug: #1489057
2015-08-31 16:20:25 +03:00 · 2015-08-31 16:20:25 +03:00 · 919f4f6157
parent 47819aa7b0
commit 919f4f6157
3 changed files with 31 additions and 3 deletions
--- a/deployment/puppet/openstack/manifests/firewall.pp
+++ b/deployment/puppet/openstack/manifests/firewall.pp
@ -43,6 +43,7 @@ class openstack::firewall (
  $ceilometer_port              = 8777,
  $mongodb_port                 = 27017,
  $vxlan_udp_port               = 4789,
+  $keystone_network             = '0.0.0.0/0',
 ) {

 #  file {"iptables":
@ -99,9 +100,11 @@ class openstack::firewall (
  }

  firewall {'102 keystone':
-    port   => [$keystone_public_port,$keystone_admin_port],
-    proto  => 'tcp',
-    action => 'accept',
+    port        => [$keystone_public_port,$keystone_admin_port],
+    proto       => 'tcp',
+    action      => 'accept',
+    source      => "${keystone_network}",
+    destination => "${keystone_network}",
  }

  firewall {'103 swift':
--- a/deployment/puppet/osnailyfacter/modular/firewall/firewall.pp
+++ b/deployment/puppet/osnailyfacter/modular/firewall/firewall.pp
@ -38,4 +38,5 @@ prepare_network_config(hiera_hash('network_scheme'))
 class { 'openstack::firewall' :
  nova_vnc_ip_range => get_network_role_property('nova/api', 'network'),
  libvirt_network   => get_network_role_property('management', 'network'),
+  keystone_network  => get_network_role_property('keystone/api', 'network'),
 }
--- a/tests/noop/spec/hosts/firewall/firewall_spec.rb
+++ b/tests/noop/spec/hosts/firewall/firewall_spec.rb
@ -2,9 +2,24 @@ require 'spec_helper'
 require 'shared-examples'
 manifest = 'firewall/firewall.pp'

+network_scheme = Noop.hiera('network_scheme', {})
+keystone_network = '0.0.0.0/0'
+
 describe manifest do
  shared_examples 'catalog' do
+
+    let(:scope) { PuppetlabsSpec::PuppetInternals.scope }
+
+    before(:each) do
+      scope.stubs(:lookupvar).with('l3_fqdn_hostname').returns('host.foo.com')
+      Puppet::Parser::Functions.autoloader.load 'get_network_role_property'.to_sym
+      Puppet::Parser::Functions.autoloader.load 'prepare_network_config'.to_sym
+      scope.send 'function_prepare_network_config'.to_sym, [network_scheme]
+      keystone_network = scope.send "function_get_network_role_property".to_sym, ['keystone/api', 'network']
+    end
+
    it 'should properly restrict rabbitmq admin traffic' do
+
      should contain_firewall('005 local rabbitmq admin').with(
        'sport'   => [ 15672 ],
        'iniface' => 'lo',
@ -17,6 +32,15 @@ describe manifest do
        'action'  => 'drop'
      )
    end
+    it 'should accept connections to keystone API using network with keystone/api role' do
+      should contain_firewall('102 keystone').with(
+        'port'       => [ 5000, 35357 ],
+        'proto'       => 'tcp',
+        'action'      => 'accept',
+        'source'      => keystone_network,
+        'destination' => keystone_network,
+      )
+    end
  end

  test_ubuntu_and_centos manifest