From 2df992faf3d2a6c845b6bbe302fb956b77307c50 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 12 May 2020 22:27:12 +0900
Subject: [PATCH] Deprecate the default values for password parameters

Currently puppet-swift provides default values for some password parameters, but this is not ideal from security perspective and we should expect operators to set their own password explicitly.

This patch deprecates the usage of these default values and adds warning message which appears for missing password defined, so that we can remove current default values in next cycle.

Change-Id: I6e7721d04ae2bf2e2a2ea3f02ebfcbded58692e2
---
 manifests/keymaster.pp | 4 ++++
 manifests/keystone/auth.pp | 12 ++++++++++--
 manifests/proxy/authtoken.pp | 12 ++++++++++--
 manifests/proxy/ceilometer.pp | 12 ++++++++++--
 manifests/proxy/s3token.pp | 11 +++++++++--
 ...deprecate-default-password-4458163e3580d6fb.yaml | 13 +++++++++++++
 spec/classes/swift_proxy_ceilometer_spec.rb | 5 +++--
 7 files changed, 59 insertions(+), 10 deletions(-)
 create mode 100644 releasenotes/notes/deprecate-default-password-4458163e3580d6fb.yaml

diff --git a/manifests/keymaster.pp b/manifests/keymaster.pp
index 45bc5725..a6e7b229 100644
--- a/manifests/keymaster.pp
+++ b/manifests/keymaster.pp
@@ -80,6 +80,10 @@ class swift::keymaster(
   include swift::deps
+  if $password == undef {
+    warning('password parameter is missing')
+  }
+
   swift_keymaster_config {
     'kms_keymaster/api_class': value => $api_class;
     'kms_keymaster/key_id': value => $key_id;
diff --git a/manifests/keystone/auth.pp b/manifests/keystone/auth.pp
index ea25153a..cccfd232 100644
--- a/manifests/keystone/auth.pp
+++ b/manifests/keystone/auth.pp
@@ -89,7 +89,7 @@
 #
 class swift::keystone::auth(
   $auth_name = 'swift',
-  $password = 'swift_password',
+  $password = undef,
   $tenant = 'services',
   $email = 'swift@localhost',
   $region = 'RegionOne',
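Review bot: The keymaster warning `warning('password parameter is missing')` uses different wording from the deprecation message added to the other four manifests and, unlike them, sets no `$password_real` fallback, so from this hunk alone it is not clear whether a missing password leaves the keymaster configuration unset or still falls back to a default (the parameter list and the config entry that consume `$password` are outside the hunk). If this parameter is part of the same deprecation, as the release note states, the message should say so, e.g. `warning('Usage of the default value for swift::keymaster::password is deprecated and will be removed in a future release. Please set the password parameter explicitly')`; if a missing password is simply an error here, `fail()` rather than `warning()` would make the contract clearer. The body of `swift::keymaster` continues outside the hunk.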
@@ -112,6 +112,14 @@ class swift::keystone::auth(
   include swift::deps
+  if $password == undef {
+    warning('Usage of the default password is deprecated and will be removed in a future release. \
+Please set password parameter')
+    $password_real = 'swift_password'
+  } else {
+    $password_real = $password
+  }
+
   if $service_name == $service_name_s3 {
     fail('swift::keystone::auth parameters service_name and service_name_s3 must be different.')
   }
@@ -134,7 +142,7 @@ class swift::keystone::auth(
     service_description => $service_description,
     region => $region,
     auth_name => $auth_name,
-    password => $password,
+    password => $password_real,
     email => $email,
     tenant => $tenant,
     public_url => $public_url,
diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp
index b2f031c0..0c3af7ab 100644
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@@ -94,7 +94,7 @@ class swift::proxy::authtoken(
   $user_domain_id = 'default',
   $project_name = 'services',
   $username = 'swift',
-  $password = 'password',
+  $password = undef,
   $region_name = $::os_service_default,
   $include_service_catalog = false,
   $service_token_roles = $::os_service_default,
@@ -103,6 +103,14 @@ class swift::proxy::authtoken(
   include swift::deps
+  if $password == undef {
+    warning('Usage of the default password is deprecated and will be removed in a future release. \
+Please set password parameter')
+    $password_real = 'password'
+  } else {
+    $password_real = $password
+  }
+
   if ($::os_package_type != 'debian') {
     file { $signing_dir:
       ensure => directory,
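Review bot: The new deprecation warning in the `if $password == undef` branch does not say which class or parameter it refers to, and the identical text is emitted by swift::proxy::authtoken (later in this section), swift::proxy::ceilometer and swift::proxy::s3token, so an operator reading the agent log cannot tell which of the four passwords still needs to be set. The existing warning in ceilometer.pp already follows the convention of naming the parameter (`swift::proxy::ceilometer::auth_uri`); each new message could do the same, e.g. `warning('Usage of the default value for swift::keystone::auth::password is deprecated and will be removed in a future release. Please set the password parameter explicitly')`. The enclosing class bodies continue outside the hunks.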
@@ -127,7 +135,7 @@ class swift::proxy::authtoken(
     'filter:authtoken/user_domain_id': value => $user_domain_id;
     'filter:authtoken/project_name': value => $project_name;
     'filter:authtoken/username': value => $username;
-    'filter:authtoken/password': value => $password, secret => true;
+    'filter:authtoken/password': value => $password_real, secret => true;
     'filter:authtoken/region_name': value => $region_name;
     'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
     'filter:authtoken/cache': value => $cache;
diff --git a/manifests/proxy/ceilometer.pp b/manifests/proxy/ceilometer.pp
index 9a276096..330b6230 100644
--- a/manifests/proxy/ceilometer.pp
+++ b/manifests/proxy/ceilometer.pp
@@ -133,7 +133,7 @@ class swift::proxy::ceilometer(
   $user_domain_name = 'Default',
   $project_name = 'services',
   $username = 'swift',
-  $password = 'password',
+  $password = undef,
   $region_name = $::os_service_default,
   $notification_ssl_ca_file = $::os_service_default,
   $notification_ssl_cert_file = $::os_service_default,
@@ -169,6 +169,14 @@ class swift::proxy::ceilometer(
     warning('The swift::proxy::ceilometer::auth_uri parameter was deperecated, and has no effect')
   }
+  if $password == undef {
+    warning('Usage of the default password is deprecated and will be removed in a future release. \
+Please set password parameter')
+    $password_real = 'password'
+  } else {
+    $password_real = $password
+  }
+
   swift_proxy_config {
     'filter:ceilometer/topic': value => $topic;
     'filter:ceilometer/driver': value => $driver;
@@ -183,7 +191,7 @@ class swift::proxy::ceilometer(
     'filter:ceilometer/user_domain_name': value => $user_domain_name;
     'filter:ceilometer/project_name': value => $project_name;
     'filter:ceilometer/username': value => $username;
-    'filter:ceilometer/password': value => $password, secret => true;
+    'filter:ceilometer/password': value => $password_real, secret => true;
     'filter:ceilometer/region_name': value => $region_name;
   }
diff --git a/manifests/proxy/s3token.pp b/manifests/proxy/s3token.pp
index c3c854a2..86edcc6c 100644
--- a/manifests/proxy/s3token.pp
+++ b/manifests/proxy/s3token.pp
@@ -101,7 +101,7 @@ class swift::proxy::s3token(
   $auth_url = 'http://127.0.0.1:5000',
   $auth_type = 'password',
   $username = 'swift',
-  $password = 'password',
+  $password = undef,
   $project_name = 'services',
   $project_domain_id = 'default',
   $user_domain_id = 'default'
@@ -116,6 +116,13 @@ class swift::proxy::s3token(
     $auth_uri_real = $auth_uri
   }
+  if $password == undef {
+    warning('Usage of the default password is deprecated and will be removed in a future release. \
+Please set password parameter')
+    $password_real = 'password'
+  } else {
+    $password_real = $password
+  }
   swift_proxy_config {
     'filter:s3token/use': value => 'egg:swift#s3token';
@@ -127,7 +134,7 @@ class swift::proxy::s3token(
     'filter:s3token/auth_url': value => $auth_url;
     'filter:s3token/auth_type': value => $auth_type;
     'filter:s3token/username': value => $username;
-    'filter:s3token/password': value => $password, secret => true;
+    'filter:s3token/password': value => $password_real, secret => true;
     'filter:s3token/project_name': value => $project_name;
     'filter:s3token/project_domain_id': value => $project_domain_id;
     'filter:s3token/user_domain_id': value => $user_domain_id;
diff --git a/releasenotes/notes/deprecate-default-password-4458163e3580d6fb.yaml b/releasenotes/notes/deprecate-default-password-4458163e3580d6fb.yaml
new file mode 100644
index 00000000..62835e8c
--- /dev/null
+++ b/releasenotes/notes/deprecate-default-password-4458163e3580d6fb.yaml
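Review bot: In the `@@ -116,6 +116,13 @@` hunk the closing `}` of the new `if`/`else` block is immediately followed by the `swift_proxy_config {` context line, whereas the same block in authtoken.pp and ceilometer.pp is followed by an added blank line; adding the blank `+` line after `}` here keeps the three manifests formatted alike and preserves the separation the old code had before `swift_proxy_config`. The class body continues outside the hunk.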
@@ -0,0 +1,13 @@
+---
+deprecations:
+  - |
+    The following password parameters currently use the default value when the
+    parameters are not set in manifests, but this behavior has been deprecated.
+    Please set actual password explicitly to avoid failure before the default
+    values are removed.
+
+    - swift::keymaster::password
+    - swift::keystone::auth::password
+    - swift::proxy::authtoken::password
+    - swift::proxy::ceilometer::password
+    - swift::proxy::s3token::password
diff --git a/spec/classes/swift_proxy_ceilometer_spec.rb b/spec/classes/swift_proxy_ceilometer_spec.rb
index afa3461f..40f9269c 100644
--- a/spec/classes/swift_proxy_ceilometer_spec.rb
+++ b/spec/classes/swift_proxy_ceilometer_spec.rb
@@ -16,6 +16,7 @@ describe 'swift::proxy::ceilometer' do
     }
   end
+  it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }
   it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
   it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit').with_secret(true) }
   it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') }
@@ -38,7 +39,7 @@ describe 'swift::proxy::ceilometer' do
     :user_domain_name => 'Default',
     :project_name => 'services',
     :username => 'swift',
-    :password => 'password',
+    :password => 'mypassword',
     :region_name => 'region2'
   }
 end
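Review bot: Only swift_proxy_ceilometer_spec.rb is updated, although the same undef-to-fallback branch was added to swift::keystone::auth, swift::proxy::authtoken and swift::proxy::s3token; the new `it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }` example exercises the fallback for ceilometer only. The other three classes need equivalent examples asserting the fallback value when `:password` is omitted and the explicit value when it is given, so that the planned removal of the defaults is caught by the test suite rather than noticed in deployment. The spec files for those classes are not part of this patch, so whether they already pass `:password` explicitly cannot be seen here.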
@@ -58,7 +59,7 @@ describe 'swift::proxy::ceilometer' do
   it { is_expected.to contain_swift_proxy_config('filter:ceilometer/user_domain_name').with_value('Default') }
   it { is_expected.to contain_swift_proxy_config('filter:ceilometer/project_name').with_value('services') }
   it { is_expected.to contain_swift_proxy_config('filter:ceilometer/username').with_value('swift') }
-  it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }
+  it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('mypassword').with_secret(true) }
   it { is_expected.to contain_swift_proxy_config('filter:ceilometer/region_name').with_value('region2') }
 end