Set correct ownership for nova keytab

Nova user's keytab is now owned by root, making it impossible
for the nova user to read it when contacting IPA through novajoin.

Change-Id: I3ee7cb9b396301ec8714a3cf0c8ab169750c1857
This commit is contained in:
Ade Lee 2017-01-18 14:53:37 -05:00
parent da49892975
commit 861cf4fd57
2 changed files with 13 additions and 5 deletions


@ -103,7 +103,7 @@ class nova::metadata::novajoin::api (
$ipa_domain = undef,
$join_listen_port = $::os_service_default,
$keystone_auth_url = 'http://127.0.0.1:35357/',
$keytab = $::os_service_default,
$keytab = '/etc/nova/krb5.keytab',
$log_dir = '/var/log/novajoin',
$manage_service = true,
$nova_user = 'nova',
@ -187,11 +187,13 @@ class nova::metadata::novajoin::api (
exec { 'get-service-user-keytab':
command => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
-p nova/${::fqdn} -k /etc/nova/krb5.keytab",
creates => '/etc/nova/krb5.keytab',
-p nova/${::fqdn} -k ${keytab}",
creates => $keytab,
require => Package['python-novajoin']
}
ensure_resource('file', $keytab, { owner => $nova_user, require => Exec['get-service-user-keytab'] })
Novajoin_config<||> ~> Service<| title == 'nova-api'|>
Exec['get-service-user-keytab'] ~> Service['novajoin-server']
Exec['get-service-user-keytab'] ~> Service['novajoin-notify']
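Review bot: The new `ensure_resource('file', $keytab, { owner => $nova_user, ... })` line fixes ownership but leaves the file's mode and group unmanaged, and a keytab is long-lived Kerberos key material, so the resource should also pin the permissions rather than inherit whatever ipa-getkeytab or a previous run left behind, e.g. `ensure_resource('file', $keytab, { owner => $nova_user, group => $nova_user, mode => '0600', require => Exec['get-service-user-keytab'] })`. Because `creates => $keytab` only guards the exec, a keytab that already exists with a permissive mode is never re-fetched, which makes the explicit mode the only thing that corrects it. Also note that `-k ${keytab}` is interpolated unquoted into the shell command on the line above it, so a `$keytab` value containing whitespace would split the argument; quoting it as `-k '${keytab}'` is cheap. The enclosing `class nova::metadata::novajoin::api` starts and ends outside this hunk.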


@ -25,7 +25,7 @@ describe 'nova::metadata::novajoin::api' do
:enable_ipa_client_install => true,
:ensure_package => 'present',
:join_listen_port => '<SERVICE DEFAULT>',
:keytab => '<SERVICE DEFAULT>',
:keytab => '/etc/nova/krb5.keytab',
:log_dir => '/var/log/novajoin',
:manage_service => true,
:nova_user => 'nova',
@ -121,9 +121,15 @@ describe 'nova::metadata::novajoin::api' do
it 'is_expected.to get service user keytab' do
is_expected.to contain_exec('get-service-user-keytab').with(
'command' => "/usr/bin/kinit -kt /etc/krb5.keytab && ipa-getkeytab -s `grep xmlrpc_uri /etc/ipa/default.conf | cut -d/ -f3` \
-p nova/undercloud.example.com -k /etc/nova/krb5.keytab",
-p nova/undercloud.example.com -k #{param_hash[:keytab]}",
)
end
it { is_expected.to contain_file("#{param_hash[:keytab]}").with(
'owner' => "#{param_hash[:nova_user]}",
'require' => 'Exec[get-service-user-keytab]',
)}
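Review bot: The new `contain_file` example wraps plain string values in needless interpolation — `"#{param_hash[:keytab]}"` and `"#{param_hash[:nova_user]}"` are already strings, so `contain_file(param_hash[:keytab]).with('owner' => param_hash[:nova_user], 'require' => 'Exec[get-service-user-keytab]')` reads cleaner and is what RuboCop's Style/RedundantInterpolation would flag. If the manifest ends up pinning a `mode` or `group` on the keytab, this example is the place to assert them too, since it is the only check that the key material's permissions are managed. The surrounding `describe` block starts outside this hunk.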
end
end