Make sure storage server config files are not world-readable

... instead of vaguely relying on the umask.

Change-Id: I685888c8368cea53c225c103c62e5147db2ee28b
Takashi Kajinami 2024-04-22 21:21:45 +09:00
parent 3af1a20fe0
commit 003f4fe6ea
2 changed files with 30 additions and 6 deletions
manifests/storage
spec/defines

@ -420,12 +420,12 @@ define swift::storage::server(
%>"), ',') %>"), ',')
file { $config_file_full_path: file { $config_file_full_path:
ensure => present, ensure => present,
owner => pick($owner, $::swift::params::user), owner => pick($owner, $::swift::params::user),
group => pick($group, $::swift::params::group), group => pick($group, $::swift::params::group),
replace => false, mode => '0640',
tag => 'swift-config-file', tag => 'swift-config-file',
before => $required_middlewares, before => $required_middlewares,
} }
resources { "swift_${type}_config": resources { "swift_${type}_config":
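Review bot: The new `mode => '0640'` on the `file { $config_file_full_path:` resource is hard-coded while the group comes from `pick($group, $::swift::params::group)`, so members of any overridden `$group` gain read access to the server config; that is worth stating next to the attribute. I would add a comment above the mode line such as `# 0640: owner and group only, never world-readable; do not depend on the agent's umask`. The rendered page also appears to show `replace => false` on the old side only. Since the visible resource sets no `content` or `source`, dropping it should not change behaviour, but a sentence in the commit message would confirm the removal is intentional. The enclosing `define swift::storage::server` starts and ends outside the hunk.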

@ -57,6 +57,14 @@ describe 'swift::storage::server' do
:read_only => false, :read_only => false,
)} )}
it { is_expected.to contain_file('/etc/swift/account-server.conf').with(
:ensure => 'present',
:owner => 'swift',
:group => 'swift',
:mode => '0640',
:tag => 'swift-config-file'
)}
it { it {
is_expected.to contain_swift_account_config('DEFAULT/devices').with_value('/srv/node') is_expected.to contain_swift_account_config('DEFAULT/devices').with_value('/srv/node')
is_expected.to contain_swift_account_config('DEFAULT/bind_ip').with_value('10.0.0.1') is_expected.to contain_swift_account_config('DEFAULT/bind_ip').with_value('10.0.0.1')
@ -232,6 +240,14 @@ describe 'swift::storage::server' do
:read_only => false, :read_only => false,
)} )}
it { is_expected.to contain_file('/etc/swift/container-server.conf').with(
:ensure => 'present',
:owner => 'swift',
:group => 'swift',
:mode => '0640',
:tag => 'swift-config-file'
)}
it { it {
is_expected.to contain_swift_container_config('DEFAULT/devices').with_value('/srv/node') is_expected.to contain_swift_container_config('DEFAULT/devices').with_value('/srv/node')
is_expected.to contain_swift_container_config('DEFAULT/bind_ip').with_value('10.0.0.1') is_expected.to contain_swift_container_config('DEFAULT/bind_ip').with_value('10.0.0.1')
@ -418,6 +434,14 @@ describe 'swift::storage::server' do
:read_only => false, :read_only => false,
)} )}
it { is_expected.to contain_file('/etc/swift/object-server.conf').with(
:ensure => 'present',
:owner => 'swift',
:group => 'swift',
:mode => '0640',
:tag => 'swift-config-file'
)}
it { it {
is_expected.to contain_swift_object_config('DEFAULT/devices').with_value('/srv/node') is_expected.to contain_swift_object_config('DEFAULT/devices').with_value('/srv/node')
is_expected.to contain_swift_object_config('DEFAULT/bind_ip').with_value('10.0.0.1') is_expected.to contain_swift_object_config('DEFAULT/bind_ip').with_value('10.0.0.1')
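Review bot: The added `contain_file(...).with(...)` expectations pin `:mode => '0640'` only for the default `swift` owner and group. Nothing visible in these hunks checks that the mode stays `0640` when the `owner` or `group` parameters are overridden, which is the case where a regression would widen access. The same expectation is repeated for account-server.conf, container-server.conf and object-server.conf (the hunks at -57, -232 and -418), so a shared example parameterised on the server type would keep the three in step. Contexts outside the hunks may already cover overrides, as the enclosing `describe` and `context` blocks are not fully visible here.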