Fix default signing_dir for Debian

Under Debian, /var/cache/swift is set with unix rights 0755. This is a problem when using it as signing dir. Instead, it's much better to use /var/lib/swift, which is using 0750. This patch changes the default value to be stored in params.pp, and which now depends on the OS package type. It also fixes the matching tests. Change-Id: I4a73f8fc10a2bb9f62c9597b50d0ea3abe69f36e
2018-10-23 10:55:05 +02:00 · 2018-10-23 10:55:05 +02:00 · 4d997af2cd
parent 82503a419f
commit 4d997af2cd
4 changed files with 40 additions and 12 deletions
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -40,6 +40,11 @@ class swift::params {
      $account_reaper_service_name       = 'swift-account-reaper'
      $account_replicator_service_name   = 'swift-account-replicator'
      $swift3                            = 'swift-plugin-s3'
+      if ($::os_package_type == 'debian') {
+        $signing_dir = '/var/lib/swift'
+      }else{
+        $signing_dir = '/var/cache/swift'
+      }
    }
    'RedHat': {
      $package_name                      = 'openstack-swift'
@ -66,6 +71,7 @@ class swift::params {
      $account_reaper_service_name       = 'openstack-swift-account-reaper'
      $account_replicator_service_name   = 'openstack-swift-account-replicator'
      $swift3                            = 'openstack-swift-plugin-swift3'
+      $signing_dir                       = '/var/cache/swift'
    }
    default: {
        fail("Unsupported osfamily: ${::osfamily} for os ${::operatingsystem}")
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@ -11,7 +11,7 @@
 #
 # [*signing_dir*]
 #    The cache directory for signing certificates.
-#    Defaults to '/var/cache/swift'
+#    Defaults to $::swift::params::signing_dir
 #
 # [*cache*]
 #    The cache backend to use
@ -87,7 +87,7 @@
 #
 class swift::proxy::authtoken(
  $delay_auth_decision     = 1,
-  $signing_dir             = '/var/cache/swift',
+  $signing_dir             = $::swift::params::signing_dir,
  $cache                   = 'swift.cache',
  $auth_uri                = 'http://127.0.0.1:5000',
  $auth_url                = 'http://127.0.0.1:5000',
@ -104,7 +104,7 @@ class swift::proxy::authtoken(
  $admin_password          = undef,
  $identity_uri            = undef,
  $admin_token             = undef,
-) {
+) inherits swift::params {

  include ::swift::deps

@ -133,16 +133,19 @@ class swift::proxy::authtoken(
  $project_name_real = pick($admin_tenant_name, $project_name)
  $password_real = pick($admin_password, $password)

-  file { $signing_dir:
-    ensure                  => directory,
-    mode                    => '0700',
-    owner                   => 'swift',
-    group                   => 'swift',
-    selinux_ignore_defaults => true,
-    require                 => Anchor['swift::config::begin'],
-    before                  => Anchor['swift::config::end'],
+  if ($::os_package_type != 'debian') {
+    file { $signing_dir:
+      ensure                  => directory,
+      mode                    => '0700',
+      owner                   => 'swift',
+      group                   => 'swift',
+      selinux_ignore_defaults => true,
+      require                 => Anchor['swift::config::begin'],
+      before                  => Anchor['swift::config::end'],
+    }
  }

+
  swift_proxy_config {
    'filter:authtoken/log_name':                value => 'swift';
    'filter:authtoken/signing_dir':             value => $signing_dir;
--- a/releasenotes/notes/signing-dir-543b814469e76728.yaml
+++ b/releasenotes/notes/signing-dir-543b814469e76728.yaml
@ -0,0 +1,6 @@
+---
+prelude: >
+    The default signing_dir is changed to /var/lib/swift for Debian. For all
+    other OSes, /var/cache/swift is kept. This is due to the fact that the
+    Debian sysv-init / systemd scripts are setting /var/cache/swift with the
+    unix rights 0755, which isn't safe for this OS.
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@ -19,7 +19,7 @@ describe 'swift::proxy::authtoken' do

    describe "when using default parameters" do
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
-      it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value('/var/cache/swift') }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value(platform_params[:default_signing_dir]) }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('http://127.0.0.1:5000') }
@ -101,6 +101,19 @@ describe 'swift::proxy::authtoken' do
        facts.merge(OSDefaults.get_facts())
      end

+      let(:platform_params) do
+        case facts[:osfamily]
+        when 'Debian'
+          if facts[:os_package_type] == 'debian'
+            { :default_signing_dir => '/var/lib/swift' }
+          else
+            { :default_signing_dir => '/var/cache/swift' }
+          end
+        when 'RedHat'
+          { :default_signing_dir => '/var/cache/swift' }
+        end
+      end
+
      it_configures 'swift::proxy::authtoken'
    end
  end