Add support for oslo privilege separator management

Add oslo::privsep define to configure privsep_${entrypoint}
section of given config resource.

Change-Id: If4d52487f2a97fd6e26edf9c0d5dbc2300c09482
changes/07/356007/6
iberezovskiy 6 years ago
parent e3e5e416b0
commit f808902b73
  1. 59
      manifests/privsep.pp
  2. 4
      releasenotes/notes/add_oslo_privsep-3f125445bce8b431.yaml
  3. 53
      spec/defines/oslo_privsep_spec.rb

@ -0,0 +1,59 @@
# == Define: oslo::privsep
#
# Configure oslo_privsep options
#
# This resource configures Oslo privilege separator resources for an OpenStack service.
# It will manage the [privsep_${entrypoint}] section in the given config resource.
#
# === Parameters:
#
# [*entrypoint*]
# (Required) Privsep entrypoint. (string value)
# Defaults to $name.
#
# [*config*]
# (Required) Configuration file to manage. (string value)
#
# [*user*]
# (Optional) User that the privsep daemon should run as. (string value)
# Defaults to $::os_service_default.
#
# [*group*]
# (Optional) Group that the privsep daemon should run as. (string value)
# Defaults to $::os_service_default.
#
# [*capabilities*]
# (Optional) List of Linux capabilities retained by the privsep daemon. (list value)
# Defaults to $::os_service_default.
#
# [*helper_command*]
# (Optional) Command to invoke to start the privsep daemon if not using the "fork" method.
# If not specified, a default is generated using "sudo privsep-helper" and arguments designed to
# recreate the current configuration. This command must accept suitable --privsep_context
# and --privsep_sock_path arguments.
# Defaults to $::os_service_default.
#
# == Examples
#
# oslo::privsep { 'osbrick':
# config => 'nova_config'
# }
#
define oslo::privsep (
$config,
$entrypoint = $name,
$user = $::os_service_default,
$group = $::os_service_default,
$capabilities = $::os_service_default,
$helper_command = $::os_service_default,
) {
$privsep_options = {
"privsep_${entrypoint}/user" => { value => $user },
"privsep_${entrypoint}/group" => { value => $group },
"privsep_${entrypoint}/capabilities" => { value => $capabilities },
"privsep_${entrypoint}/helper_command" => { value => $helper_command },
}
create_resources($config, $privsep_options)
}

@ -0,0 +1,4 @@
---
features:
- Add oslo::privsep define to configure privsep_${entrypoint} section
of given config resource.

@ -0,0 +1,53 @@
require 'spec_helper'
describe 'oslo::privsep' do
let (:title) { 'osbrick' }
let :params do
{ :config => 'keystone_config' }
end
shared_examples 'oslo-privsep' do
context 'with default parameters' do
it 'configure oslo_privsep default params' do
is_expected.to contain_keystone_config('privsep_osbrick/user').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('privsep_osbrick/group').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('privsep_osbrick/capabilities').with_value('<SERVICE DEFAULT>')
is_expected.to contain_keystone_config('privsep_osbrick/helper_command').with_value('<SERVICE DEFAULT>')
end
end
context 'with overridden parameters' do
before do
params.merge!({
:user => 'keystone',
:group => 'keystone',
:capabilities => [],
:helper_command => 'sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf',
})
end
it 'configures oslo_privsep section' do
is_expected.to contain_keystone_config('privsep_osbrick/user').with_value('keystone')
is_expected.to contain_keystone_config('privsep_osbrick/group').with_value('keystone')
is_expected.to contain_keystone_config('privsep_osbrick/capabilities').with_value([])
is_expected.to contain_keystone_config('privsep_osbrick/helper_command').with_value('sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf')
end
end
end
on_supported_os({
:supported_os => OSDefaults.get_supported_os
}).each do |os,facts|
context "on #{os}" do
let (:facts) do
facts.merge!(OSDefaults.get_facts())
end
it_behaves_like 'oslo-privsep'
end
end
end
Loading…
Cancel
Save