Add support for oslo privilege separator management
Add oslo::privsep define to configure privsep_${entrypoint} section of given config resource. Change-Id: If4d52487f2a97fd6e26edf9c0d5dbc2300c09482
This commit is contained in:
parent
e3e5e416b0
commit
f808902b73
|
@ -0,0 +1,59 @@
|
|||
# == Define: oslo::privsep
|
||||
#
|
||||
# Configure oslo_privsep options
|
||||
#
|
||||
# This resource configures Oslo privilege separator resources for an OpenStack service.
|
||||
# It will manage the [privsep_${entrypoint}] section in the given config resource.
|
||||
#
|
||||
# === Parameters:
|
||||
#
|
||||
# [*entrypoint*]
|
||||
# (Required) Privsep entrypoint. (string value)
|
||||
# Defaults to $name.
|
||||
#
|
||||
# [*config*]
|
||||
# (Required) Configuration file to manage. (string value)
|
||||
#
|
||||
# [*user*]
|
||||
# (Optional) User that the privsep daemon should run as. (string value)
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*group*]
|
||||
# (Optional) Group that the privsep daemon should run as. (string value)
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*capabilities*]
|
||||
# (Optional) List of Linux capabilities retained by the privsep daemon. (list value)
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# [*helper_command*]
|
||||
# (Optional) Command to invoke to start the privsep daemon if not using the "fork" method.
|
||||
# If not specified, a default is generated using "sudo privsep-helper" and arguments designed to
|
||||
# recreate the current configuration. This command must accept suitable --privsep_context
|
||||
# and --privsep_sock_path arguments.
|
||||
# Defaults to $::os_service_default.
|
||||
#
|
||||
# == Examples
|
||||
#
|
||||
# oslo::privsep { 'osbrick':
|
||||
# config => 'nova_config'
|
||||
# }
|
||||
#
|
||||
define oslo::privsep (
|
||||
$config,
|
||||
$entrypoint = $name,
|
||||
$user = $::os_service_default,
|
||||
$group = $::os_service_default,
|
||||
$capabilities = $::os_service_default,
|
||||
$helper_command = $::os_service_default,
|
||||
) {
|
||||
|
||||
$privsep_options = {
|
||||
"privsep_${entrypoint}/user" => { value => $user },
|
||||
"privsep_${entrypoint}/group" => { value => $group },
|
||||
"privsep_${entrypoint}/capabilities" => { value => $capabilities },
|
||||
"privsep_${entrypoint}/helper_command" => { value => $helper_command },
|
||||
}
|
||||
|
||||
create_resources($config, $privsep_options)
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
features:
|
||||
- Add oslo::privsep define to configure privsep_${entrypoint} section
|
||||
of given config resource.
|
|
@ -0,0 +1,53 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'oslo::privsep' do
|
||||
|
||||
let (:title) { 'osbrick' }
|
||||
|
||||
let :params do
|
||||
{ :config => 'keystone_config' }
|
||||
end
|
||||
|
||||
shared_examples 'oslo-privsep' do
|
||||
|
||||
context 'with default parameters' do
|
||||
it 'configure oslo_privsep default params' do
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/user').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/group').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/capabilities').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/helper_command').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
end
|
||||
|
||||
context 'with overridden parameters' do
|
||||
before do
|
||||
params.merge!({
|
||||
:user => 'keystone',
|
||||
:group => 'keystone',
|
||||
:capabilities => [],
|
||||
:helper_command => 'sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf',
|
||||
})
|
||||
end
|
||||
|
||||
it 'configures oslo_privsep section' do
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/user').with_value('keystone')
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/group').with_value('keystone')
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/capabilities').with_value([])
|
||||
is_expected.to contain_keystone_config('privsep_osbrick/helper_command').with_value('sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf')
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
on_supported_os({
|
||||
:supported_os => OSDefaults.get_supported_os
|
||||
}).each do |os,facts|
|
||||
context "on #{os}" do
|
||||
let (:facts) do
|
||||
facts.merge!(OSDefaults.get_facts())
|
||||
end
|
||||
|
||||
it_behaves_like 'oslo-privsep'
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue