Allow to hide config values from Puppet logs

Hide configuration value from Puppet logs if the secret parameter
is set to true.

Fixes: bug #1173322
Change-Id: I0815c3a1b84201fc7c39d221ff7f07fbd22fbcd4
Mathieu Gagné 2013-05-28 18:00:50 -04:00
parent a7c0720bfa
commit 1c7fa0d695
9 changed files with 65 additions and 15 deletions


@ -18,6 +18,30 @@ Puppet::Type.newtype(:nova_config) do
value
end
newvalues(/^[\S ]*$/)
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
validate do
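Review bot: The `secret` parameter's `desc` promises more than `is_to_s`/`should_to_s` deliver: they redact only the property-change message, while the value remains an ordinary parameter in the compiled catalog (including any copy cached on the agent) and, depending on the Puppet version, may also be carried in report events. I would narrow the wording, for example `desc 'Whether to redact the value in Puppet change messages; the catalog still contains it. Defaults to false.'`, so operators know that catalog and report storage need their own access controls. The same applies to the identical parameter in the nova_paste_api_ini type. The enclosing `newproperty` block starts above this hunk.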


@ -14,6 +14,30 @@ Puppet::Type.newtype(:nova_paste_api_ini) do
value.capitalize! if value =~ /^(true|false)$/i
value
end
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
end
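Review bot: `is_to_s`, `should_to_s` and the `secret` parameter here are a verbatim copy of the ones added to the nova_config type, so the two redaction paths can drift apart if only one is edited later; a small shared module mixed into both types would keep them in step. Separately, `defaultto false` sits next to `newvalues(:true, :false)`; `defaultto :false` would match the declared values, and it is worth confirming how the targeted Puppet versions treat a literal `false` default. Both methods could also drop the explicit `return`/`else`, e.g. `resource.secret? ? '[old secret redacted]' : currentvalue`.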


@ -88,7 +88,7 @@ class nova::api(
'filter:authtoken/auth_protocol': value => $auth_protocol;
'filter:authtoken/admin_tenant_name': value => $admin_tenant_name;
'filter:authtoken/admin_user': value => $admin_user;
'filter:authtoken/admin_password': value => $admin_password;
'filter:authtoken/admin_password': value => $admin_password, secret => true;
}
if $auth_admin_prefix {


@ -152,7 +152,9 @@ class nova(
} else {
fail("Invalid db connection ${sql_connection}")
}
nova_config { 'DEFAULT/sql_connection': value => $sql_connection }
nova_config {
'DEFAULT/sql_connection': value => $sql_connection, secret => true,
}
}
nova_config { 'DEFAULT/image_service': value => $image_service }
@ -168,7 +170,7 @@ class nova(
if $rpc_backend == 'nova.openstack.common.rpc.impl_kombu' {
# I may want to support exporting and collecting these
nova_config {
'DEFAULT/rabbit_password': value => $rabbit_password;
'DEFAULT/rabbit_password': value => $rabbit_password, secret => true;
'DEFAULT/rabbit_userid': value => $rabbit_userid;
'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
}
@ -193,7 +195,7 @@ class nova(
'DEFAULT/qpid_hostname': value => $qpid_hostname;
'DEFAULT/qpid_port': value => $qpid_port;
'DEFAULT/qpid_username': value => $qpid_username;
'DEFAULT/qpid_password': value => $qpid_password;
'DEFAULT/qpid_password': value => $qpid_password, secret => true;
'DEFAULT/qpid_reconnect': value => $qpid_reconnect;
'DEFAULT/qpid_reconnect_timeout': value => $qpid_reconnect_timeout;
'DEFAULT/qpid_reconnect_limit': value => $qpid_reconnect_limit;
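Review bot: The `fail("Invalid db connection ${sql_connection}")` context line in the first hunk of this section still interpolates the whole connection string into the error text, so a rejected value that embeds credentials reaches the logs on the failure path even though the resource below it is now declared with `secret => true`. A message that omits the value closes that gap, e.g. `fail('Invalid db connection: unsupported sql_connection scheme')`. The conditional that leads to this `fail` starts above the hunk, so the exact check it performs is not visible here.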


@ -64,7 +64,7 @@ class nova::network::quantum (
'DEFAULT/quantum_admin_tenant_name': value => $quantum_admin_tenant_name;
'DEFAULT/quantum_region_name': value => $quantum_region_name;
'DEFAULT/quantum_admin_username': value => $quantum_admin_username;
'DEFAULT/quantum_admin_password': value => $quantum_admin_password;
'DEFAULT/quantum_admin_password': value => $quantum_admin_password, secret => true;
'DEFAULT/quantum_admin_auth_url': value => $quantum_admin_auth_url;
'DEFAULT/security_group_api': value => $security_group_api;
'DEFAULT/firewall_driver': value => $firewall_driver;


@ -24,7 +24,7 @@ class nova::volume::san (
} else {
nova_config {
'DEFAULT/san_login': value => $san_login;
'DEFAULT/san_password': value => $san_password;
'DEFAULT/san_password': value => $san_password, secret => true;
}
}


@ -59,7 +59,7 @@ describe 'nova::api' do
should contain_nova_paste_api_ini(
'filter:authtoken/admin_user').with_value('nova')
should contain_nova_paste_api_ini(
'filter:authtoken/admin_password').with_value('passw0rd')
'filter:authtoken/admin_password').with_value('passw0rd').with_secret(true)
end
it { should contain_nova_config('DEFAULT/ec2_listen').with('value' => '0.0.0.0') }
it { should contain_nova_config('DEFAULT/osapi_compute_listen').with('value' => '0.0.0.0') }
@ -107,7 +107,7 @@ describe 'nova::api' do
should contain_nova_paste_api_ini(
'filter:authtoken/admin_user').with_value('nova2')
should contain_nova_paste_api_ini(
'filter:authtoken/admin_password').with_value('passw0rd2')
'filter:authtoken/admin_password').with_value('passw0rd2').with_secret(true)
end
it { should contain_nova_config('DEFAULT/ec2_listen').with('value' => '192.168.56.210') }
it { should contain_nova_config('DEFAULT/osapi_compute_listen').with('value' => '192.168.56.210') }
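Review bot: The added `.with_secret(true)` expectations here, and the matching ones in the nova and nova::network::quantum specs, only prove that the parameter reaches the catalog; nothing among the changed files exercises the redaction itself. A type-level spec that builds a nova_config and a nova_paste_api_ini resource with `secret => true` and asserts that `property(:value).should_to_s('x')` returns `'[new secret redacted]'` (and `is_to_s` the old-secret string) would catch a regression that starts printing the value again. A companion case with `secret` unset should assert the value is passed through unchanged.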


@ -62,9 +62,9 @@ describe 'nova' do
it { should contain_nova_config('DEFAULT/auth_strategy').with_value('keystone') }
it { should_not contain_nova_config('DEFAULT/use_deprecated_auth').with_value('false') }
it { should contain_nova_config('DEFAULT/rpc_backend').with_value('nova.openstack.common.rpc.impl_kombu') }
it { should contain_nova_config('DEFAULT/rpc_backend').with_value('nova.openstack.common.rpc.impl_kombu') }
it { should contain_nova_config('DEFAULT/rabbit_host').with_value('localhost') }
it { should contain_nova_config('DEFAULT/rabbit_password').with_value('guest') }
it { should contain_nova_config('DEFAULT/rabbit_password').with_value('guest').with_secret(true) }
it { should contain_nova_config('DEFAULT/rabbit_port').with_value('5672') }
it { should contain_nova_config('DEFAULT/rabbit_hosts').with_value('localhost:5672') }
it { should contain_nova_config('DEFAULT/rabbit_ha_queues').with_value('false') }
@ -103,7 +103,7 @@ describe 'nova' do
it { should contain_package('nova-common').with('ensure' => '2012.1.1-15.el6') }
it { should contain_package('python-nova').with('ensure' => '2012.1.1-15.el6') }
it { should contain_nova_config('DEFAULT/sql_connection').with_value('mysql://user:pass@db/db') }
it { should contain_nova_config('DEFAULT/sql_connection').with_value('mysql://user:pass@db/db').with_secret(true) }
it { should contain_nova_config('DEFAULT/image_service').with_value('nova.image.local.LocalImageService') }
it { should_not contain_nova_config('DEFAULT/glance_api_servers') }
@ -112,7 +112,7 @@ describe 'nova' do
it { should_not contain_nova_config('DEFAULT/use_deprecated_auth').with_value(true) }
it { should contain_nova_config('DEFAULT/rpc_backend').with_value('nova.openstack.common.rpc.impl_kombu') }
it { should contain_nova_config('DEFAULT/rabbit_host').with_value('rabbit') }
it { should contain_nova_config('DEFAULT/rabbit_password').with_value('password') }
it { should contain_nova_config('DEFAULT/rabbit_password').with_value('password').with_secret(true) }
it { should contain_nova_config('DEFAULT/rabbit_port').with_value('5673') }
it { should contain_nova_config('DEFAULT/rabbit_userid').with_value('rabbit_user') }
it { should contain_nova_config('DEFAULT/rabbit_virtual_host').with_value('/') }
@ -175,7 +175,7 @@ describe 'nova' do
it { should contain_nova_config('DEFAULT/qpid_hostname').with_value('localhost') }
it { should contain_nova_config('DEFAULT/qpid_port').with_value('5672') }
it { should contain_nova_config('DEFAULT/qpid_username').with_value('guest') }
it { should contain_nova_config('DEFAULT/qpid_password').with_value('guest') }
it { should contain_nova_config('DEFAULT/qpid_password').with_value('guest').with_secret(true) }
it { should contain_nova_config('DEFAULT/qpid_reconnect').with_value('true') }
it { should contain_nova_config('DEFAULT/qpid_reconnect_timeout').with_value('0') }
it { should contain_nova_config('DEFAULT/qpid_reconnect_limit').with_value('0') }


@ -20,7 +20,7 @@ describe 'nova::network::quantum' do
context 'with required parameters' do
it 'configures quantum endpoint in nova.conf' do
should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password])
should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password]).with_secret(true)
should contain_nova_config('DEFAULT/network_api_class').with_value('nova.network.quantumv2.api.API')
should contain_nova_config('DEFAULT/quantum_auth_strategy').with_value(default_params[:quantum_auth_strategy])
should contain_nova_config('DEFAULT/quantum_url').with_value(default_params[:quantum_url])
@ -50,7 +50,7 @@ describe 'nova::network::quantum' do
it 'configures quantum endpoint in nova.conf' do
should contain_nova_config('DEFAULT/quantum_auth_strategy').with_value(default_params[:quantum_auth_strategy])
should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password])
should contain_nova_config('DEFAULT/quantum_admin_password').with_value(params[:quantum_admin_password]).with_secret(true)
should contain_nova_config('DEFAULT/network_api_class').with_value('nova.network.quantumv2.api.API')
should contain_nova_config('DEFAULT/quantum_url').with_value(params[:quantum_url])
should contain_nova_config('DEFAULT/quantum_admin_tenant_name').with_value(params[:quantum_admin_tenant_name])