Hide secrets from puppet logs
Currently secrets like rabbit_password or admin_password are leaked in puppet logs when changed. This commit changes the heat_*_config and heat_*_ini types, adding a new parameter that triggers obfuscation of the values in puppet logs. Change-Id: Ib06a0f967dd5d5f8cc1c4dc7257c0e196786e8ae Closes-Bug: #1328448
parent
b2eec2883c
commit
6a89a44f9d
|
@ -14,6 +14,30 @@ Puppet::Type.newtype(:heat_config) do
|
|||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
end
|
||||
|
||||
end
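Review bot: The `desc` on the new `secret` parameter promises to hide the value from Puppet logs, but the `is_to_s`/`should_to_s` overrides only replace the old and new strings in the property's change message. The cleartext still sits in the resource's `value`, so it would normally remain in the compiled catalog and anywhere else the parameter is serialised (inferred from how Puppet handles parameters, not shown on this page). I would state that limit in the description, e.g. `desc 'Whether to redact the old and new value in Puppet change messages; the catalog and the managed file still hold it. Defaults to false.'`. Because the default is `false`, every credential-bearing resource has to opt in individually. Both overrides sit inside a property block whose opening line is outside this hunk, and no visible test exercises them directly.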
|
||||
|
|
|
@ -214,7 +214,7 @@ class heat(
|
|||
|
||||
heat_config {
|
||||
'DEFAULT/rabbit_userid' : value => $rabbit_userid;
|
||||
'DEFAULT/rabbit_password' : value => $rabbit_password;
|
||||
'DEFAULT/rabbit_password' : value => $rabbit_password, secret => true;
|
||||
'DEFAULT/rabbit_virtual_host' : value => $rabbit_virtual_host;
|
||||
'DEFAULT/rabbit_use_ssl' : value => $rabbit_use_ssl;
|
||||
'DEFAULT/amqp_durable_queues' : value => $amqp_durable_queues;
|
||||
|
@ -244,7 +244,7 @@ class heat(
|
|||
'DEFAULT/qpid_hostname' : value => $qpid_hostname;
|
||||
'DEFAULT/qpid_port' : value => $qpid_port;
|
||||
'DEFAULT/qpid_username' : value => $qpid_username;
|
||||
'DEFAULT/qpid_password' : value => $qpid_password;
|
||||
'DEFAULT/qpid_password' : value => $qpid_password, secret => true;
|
||||
'DEFAULT/qpid_heartbeat' : value => $qpid_heartbeat;
|
||||
'DEFAULT/qpid_protocol' : value => $qpid_protocol;
|
||||
'DEFAULT/qpid_tcp_nodelay' : value => $qpid_tcp_nodelay;
|
||||
|
@ -323,7 +323,7 @@ class heat(
|
|||
}
|
||||
|
||||
heat_config {
|
||||
'database/connection': value => $sql_connection;
|
||||
'database/connection': value => $sql_connection, secret => true;
|
||||
'database/idle_timeout': value => $database_idle_timeout;
|
||||
}
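Review bot: Redaction is opt-in per resource, and the three hunks in `class heat` mark only `DEFAULT/rabbit_password`, `DEFAULT/qpid_password` and `database/connection`; the commit description also names admin_password, which no visible hunk touches. Any other `heat_config` entry that carries a credential, here or in the module's other manifests, will still log its value on change until it gets `secret => true`, so it is worth auditing them in this same commit. A short comment above each block would keep future additions consistent, for example `# credentials must set secret => true so their values stay out of Puppet change logs`.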
|
||||
|
||||
|
|
|
@ -159,6 +159,7 @@ describe 'heat' do
|
|||
it 'configures rabbit' do
|
||||
should contain_heat_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
|
||||
should contain_heat_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
|
||||
should contain_heat_config('DEFAULT/rabbit_password').with_secret( true )
|
||||
should contain_heat_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
|
||||
should contain_heat_config('DEFAULT/rabbit_use_ssl').with_value(false)
|
||||
should contain_heat_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
|
||||
|
@ -176,6 +177,7 @@ describe 'heat' do
|
|||
shared_examples_for 'rabbit without HA support (without backward compatibility)' do
|
||||
it 'configures rabbit' do
|
||||
should contain_heat_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
|
||||
should contain_heat_config('DEFAULT/rabbit_password').with_secret( true )
|
||||
should contain_heat_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
|
||||
should contain_heat_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
|
||||
should contain_heat_config('DEFAULT/rabbit_use_ssl').with_value(false)
|
||||
|
@ -195,6 +197,7 @@ describe 'heat' do
|
|||
it 'configures rabbit' do
|
||||
should contain_heat_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
|
||||
should contain_heat_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
|
||||
should contain_heat_config('DEFAULT/rabbit_password').with_secret( true )
|
||||
should contain_heat_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
|
||||
should contain_heat_config('DEFAULT/rabbit_use_ssl').with_value(false)
|
||||
should contain_heat_config('DEFAULT/kombu_ssl_ca_certs').with_ensure('absent')
|
||||
|
@ -230,6 +233,7 @@ describe 'heat' do
|
|||
it { should contain_heat_config('DEFAULT/qpid_port').with_value( params[:qpid_port] ) }
|
||||
it { should contain_heat_config('DEFAULT/qpid_username').with_value( params[:qpid_username]) }
|
||||
it { should contain_heat_config('DEFAULT/qpid_password').with_value(params[:qpid_password]) }
|
||||
it { should contain_heat_config('DEFAULT/qpid_password').with_secret( true ) }
|
||||
end
|
||||
|
||||
context("failing if the rpc_backend is not present") do
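Review bot: The manifest change also sets `secret => true` on `database/connection`, yet none of the spec hunks asserts it, so that flag could be dropped later without a test failing. Adding `should contain_heat_config('database/connection').with_secret( true )` next to the existing database expectations (not visible here) would cover it. These examples only check the catalog attribute; the redaction itself in `is_to_s`/`should_to_s` has no visible test. In the hunk at -176 the `with_secret` line comes before `with_value`, unlike the other hunks; keeping one order makes the blocks easier to compare.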
|
||||
|
|