Fix default signing_dir for Debian
Under Debian, /var/cache/swift is set with unix rights 0755. This is a problem when using it as the signing dir. Instead, it is much better to use /var/lib/swift, which uses 0750. This patch moves the default value into params.pp, where it now depends on the OS package type. It also fixes the matching tests. Change-Id: I4a73f8fc10a2bb9f62c9597b50d0ea3abe69f36e
parent
82503a419f
commit
4d997af2cd
|
@ -40,6 +40,11 @@ class swift::params {
|
|||
$account_reaper_service_name = 'swift-account-reaper'
|
||||
$account_replicator_service_name = 'swift-account-replicator'
|
||||
$swift3 = 'swift-plugin-s3'
|
||||
if ($::os_package_type == 'debian') {
|
||||
$signing_dir = '/var/lib/swift'
|
||||
}else{
|
||||
$signing_dir = '/var/cache/swift'
|
||||
}
|
||||
}
|
||||
'RedHat': {
|
||||
$package_name = 'openstack-swift'
|
||||
|
@ -66,6 +71,7 @@ class swift::params {
|
|||
$account_reaper_service_name = 'openstack-swift-account-reaper'
|
||||
$account_replicator_service_name = 'openstack-swift-account-replicator'
|
||||
$swift3 = 'openstack-swift-plugin-swift3'
|
||||
$signing_dir = '/var/cache/swift'
|
||||
}
|
||||
default: {
|
||||
fail("Unsupported osfamily: ${::osfamily} for os ${::operatingsystem}")
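Review bot: In the first hunk the new branch is written `}else{`, where the Puppet style guide expects `} else {`, and nothing next to it records why the Debian package type gets a different directory. I would add a comment above the `if`, for example `# Debian's init scripts set /var/cache/swift to 0755; use /var/lib/swift (0750) as signing_dir`, so the reason survives outside the commit message. The enclosing `'Debian'` case branch starts outside the hunk.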
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
#
|
||||
# [*signing_dir*]
|
||||
# The cache directory for signing certificates.
|
||||
# Defaults to '/var/cache/swift'
|
||||
# Defaults to $::swift::params::signing_dir
|
||||
#
|
||||
# [*cache*]
|
||||
# The cache backend to use
|
||||
|
@ -87,7 +87,7 @@
|
|||
#
|
||||
class swift::proxy::authtoken(
|
||||
$delay_auth_decision = 1,
|
||||
$signing_dir = '/var/cache/swift',
|
||||
$signing_dir = $::swift::params::signing_dir,
|
||||
$cache = 'swift.cache',
|
||||
$auth_uri = 'http://127.0.0.1:5000',
|
||||
$auth_url = 'http://127.0.0.1:5000',
|
||||
|
@ -104,7 +104,7 @@ class swift::proxy::authtoken(
|
|||
$admin_password = undef,
|
||||
$identity_uri = undef,
|
||||
$admin_token = undef,
|
||||
) {
|
||||
) inherits swift::params {
|
||||
|
||||
include ::swift::deps
|
||||
|
||||
|
@ -133,16 +133,19 @@ class swift::proxy::authtoken(
|
|||
$project_name_real = pick($admin_tenant_name, $project_name)
|
||||
$password_real = pick($admin_password, $password)
|
||||
|
||||
file { $signing_dir:
|
||||
ensure => directory,
|
||||
mode => '0700',
|
||||
owner => 'swift',
|
||||
group => 'swift',
|
||||
selinux_ignore_defaults => true,
|
||||
require => Anchor['swift::config::begin'],
|
||||
before => Anchor['swift::config::end'],
|
||||
if ($::os_package_type != 'debian') {
|
||||
file { $signing_dir:
|
||||
ensure => directory,
|
||||
mode => '0700',
|
||||
owner => 'swift',
|
||||
group => 'swift',
|
||||
selinux_ignore_defaults => true,
|
||||
require => Anchor['swift::config::begin'],
|
||||
before => Anchor['swift::config::end'],
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
swift_proxy_config {
|
||||
'filter:authtoken/log_name': value => 'swift';
|
||||
'filter:authtoken/signing_dir': value => $signing_dir;
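Review bot: The new guard `if ($::os_package_type != 'debian')` around `file { $signing_dir:` keys on the platform rather than on the path, so on Debian a caller-supplied `signing_dir` is neither created nor held to mode `0700` owned by `swift`. The commit message relies on the packaged `/var/lib/swift` being 0750, which covers only the default; an overridden path is still written to `filter:authtoken/signing_dir` with whatever permissions the directory already has. Skipping the resource only when the default is in use would keep the hardening for overrides: `if ($::os_package_type != 'debian' or $signing_dir != $::swift::params::signing_dir) {`. A comment above the guard saying why the default is left unmanaged on Debian (presumably it is owned elsewhere) would also help.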
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
prelude: >
|
||||
The default signing_dir is changed to /var/lib/swift for Debian. For all
|
||||
other OSes, /var/cache/swift is kept. This is due to the fact that the
|
||||
Debian sysv-init / systemd scripts are setting /var/cache/swift with the
|
||||
unix rights 0755, which isn't safe for this OS.
|
|
@ -19,7 +19,7 @@ describe 'swift::proxy::authtoken' do
|
|||
|
||||
describe "when using default parameters" do
|
||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
|
||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value('/var/cache/swift') }
|
||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value(platform_params[:default_signing_dir]) }
|
||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
|
||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000') }
|
||||
it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('http://127.0.0.1:5000') }
|
||||
|
@ -101,6 +101,19 @@ describe 'swift::proxy::authtoken' do
|
|||
facts.merge(OSDefaults.get_facts())
|
||||
end
|
||||
|
||||
let(:platform_params) do
|
||||
case facts[:osfamily]
|
||||
when 'Debian'
|
||||
if facts[:os_package_type] == 'debian'
|
||||
{ :default_signing_dir => '/var/lib/swift' }
|
||||
else
|
||||
{ :default_signing_dir => '/var/cache/swift' }
|
||||
end
|
||||
when 'RedHat'
|
||||
{ :default_signing_dir => '/var/cache/swift' }
|
||||
end
|
||||
end
|
||||
|
||||
it_configures 'swift::proxy::authtoken'
|
||||
end
|
||||
end
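Review bot: The spec still checks only the `filter:authtoken/signing_dir` value, so the new `os_package_type` guard around the `file` resource in the manifest is untested in both directions. Where `os_package_type` is not `debian`, an expectation such as `it { is_expected.to contain_file(platform_params[:default_signing_dir]).with_mode('0700') }` would pin the permissions, with a matching `is_expected.not_to contain_file(...)` for the Debian packaging case. `platform_params` also has no `else` branch in its `case`, so any other `osfamily` in the fact set would yield `nil` and fail on `[:default_signing_dir]` rather than with a clear message. The enclosing `describe` blocks start outside the hunk.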
|
||||
|
|