Allow to use Keystone via 'keystone/api' network
Restrict access to the Keystone API to the network with the 'keystone/api' role, so that from outside the cloud it can be reached only via the public VIP. Change-Id: I6e2004e53591e0cc0b2a5b43a83532d3de9aef9a Closes-bug: #1489057
parent
47819aa7b0
commit
919f4f6157
@ -43,6 +43,7 @@ class openstack::firewall (
|
||||
$ceilometer_port = 8777,
|
||||
$mongodb_port = 27017,
|
||||
$vxlan_udp_port = 4789,
|
||||
$keystone_network = '0.0.0.0/0',
|
||||
) {
|
||||
|
||||
# file {"iptables":
|
||||
@ -102,6 +103,8 @@ class openstack::firewall (
|
||||
port => [$keystone_public_port,$keystone_admin_port],
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source => "${keystone_network}",
|
||||
destination => "${keystone_network}",
|
||||
}
|
||||
|
||||
firewall {'103 swift':
|
||||
|
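Review bot: The new `$keystone_network` parameter at the top of the class has no documentation and no validation, and its `'0.0.0.0/0'` default means the `102 keystone` rule stays open to any source unless every caller passes a network, so an omitted or undef argument silently yields the old behaviour. I would document it in the parameter list with `# Network (CIDR) allowed to reach the Keystone public/admin ports; the '0.0.0.0/0' default leaves the rule open to any source` and, if the class already validates its other parameters, apply the same check here. In the rule itself, `source => "${keystone_network}"` and `destination => "${keystone_network}"` wrap a bare variable in a string; `source => $keystone_network,` and `destination => $keystone_network,` are the conventional form. Binding destination to the same CIDR as source means this rule only covers traffic addressed to the keystone/api network; whether the public-VIP path named in the description is accepted by another rule cannot be seen from these hunks. The class parameter list and the rule both continue outside the hunks.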
@ -38,4 +38,5 @@ prepare_network_config(hiera_hash('network_scheme'))
|
||||
class { 'openstack::firewall' :
|
||||
nova_vnc_ip_range => get_network_role_property('nova/api', 'network'),
|
||||
libvirt_network => get_network_role_property('management', 'network'),
|
||||
keystone_network => get_network_role_property('keystone/api', 'network'),
|
||||
}
|
||||
|
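Review bot: `keystone_network => get_network_role_property('keystone/api', 'network')` fails open when the role is absent from the network scheme: if the function returns undef for a missing role (its behaviour is not visible here), Puppet uses the class default for an undef argument, which this commit sets to `'0.0.0.0/0'`, so the restriction disappears without any error. I would resolve the value first, `$keystone_network = get_network_role_property('keystone/api', 'network')`, guard it with `if ! $keystone_network { fail('No network found for the keystone/api role') }`, and then pass `keystone_network => $keystone_network,` to the class. That turns a silently open firewall into a catalog compilation failure, which is the safer outcome for a rule whose only purpose is to restrict reachability.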
@ -2,9 +2,24 @@ require 'spec_helper'
|
||||
require 'shared-examples'
|
||||
manifest = 'firewall/firewall.pp'
|
||||
|
||||
network_scheme = Noop.hiera('network_scheme', {})
|
||||
keystone_network = '0.0.0.0/0'
|
||||
|
||||
describe manifest do
|
||||
shared_examples 'catalog' do
|
||||
|
||||
let(:scope) { PuppetlabsSpec::PuppetInternals.scope }
|
||||
|
||||
before(:each) do
|
||||
scope.stubs(:lookupvar).with('l3_fqdn_hostname').returns('host.foo.com')
|
||||
Puppet::Parser::Functions.autoloader.load 'get_network_role_property'.to_sym
|
||||
Puppet::Parser::Functions.autoloader.load 'prepare_network_config'.to_sym
|
||||
scope.send 'function_prepare_network_config'.to_sym, [network_scheme]
|
||||
keystone_network = scope.send "function_get_network_role_property".to_sym, ['keystone/api', 'network']
|
||||
end
|
||||
|
||||
it 'should properly restrict rabbitmq admin traffic' do
|
||||
|
||||
should contain_firewall('005 local rabbitmq admin').with(
|
||||
'sport' => [ 15672 ],
|
||||
'iniface' => 'lo',
|
||||
@ -17,6 +32,15 @@ describe manifest do
|
||||
'action' => 'drop'
|
||||
)
|
||||
end
|
||||
it 'should accept connections to keystone API using network with keystone/api role' do
|
||||
should contain_firewall('102 keystone').with(
|
||||
'port' => [ 5000, 35357 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source' => keystone_network,
|
||||
'destination' => keystone_network,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
test_ubuntu_and_centos manifest
|
||||
|
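Review bot: The expected value in `it 'should accept connections to keystone API using network with keystone/api role'` comes from the file-level local `keystone_network` (`keystone_network = '0.0.0.0/0'`) that the `before(:each)` hook overwrites, so the example depends on a mutated closure variable, and the `'0.0.0.0/0'` placeholder is dead once the hook runs even though it reads as if the open network were the expected value. A `let(:keystone_network) { scope.send :function_get_network_role_property, ['keystone/api', 'network'] }` inside the `describe` block expresses the same dependency without the shared local, and the top-level assignment can then be dropped. As written the example only checks that the manifest echoes whatever the function returns; it would still pass if the scheme mapped the role to an unrestricted range, so a separate expectation that `keystone_network` is a concrete network would make the restriction itself testable. The `describe` block's closing `end` is outside the hunk.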