Set appropriate ownership/permission to config files

... to avoid making any config files world readable.

Also, swift processes do not need write access to these files, so
write access can be removed.

Closes-Bug: #2068898
Change-Id: I8b11fbdb0ea0ca814b962dd72b5c1cb4cd201c24
This commit is contained in:
Takashi Kajinami
2024-06-10 22:05:44 +09:00
parent 7f1a945550
commit b0e59971b8
18 changed files with 153 additions and 28 deletions


@@ -138,6 +138,16 @@ class swift::containerreconciler(
purge => $purge_config, purge => $purge_config,
} }
file { '/etc/swift/container-reconciler.conf':
ensure => 'file',
owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
}
File['/etc/swift/container-reconciler.conf'] -> Swift_container_reconciler_config<||>
# only add memcache servers if 'cache' is included in the pipeline # only add memcache servers if 'cache' is included in the pipeline
if !empty(grep(any2array($pipeline), 'cache')) { if !empty(grep(any2array($pipeline), 'cache')) {
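Review bot: The new file resource makes container-reconciler.conf root-owned with mode 0640, so the service can only read it through membership in `$::swift::params::group`; nothing in the hunk documents that assumption, and the same resource shape is repeated in the internal_client, keymaster, memcache, objectexpirer, proxy, ceilometer, drive_audit and storage::server hunks. A short comment above the resource would make the dependency explicit, e.g. `# root-owned and group-readable: the swift service user must be a member of $::swift::params::group`. The class's include of swift::params is outside the hunk, so whether `$::swift::params::group` is guaranteed to be evaluated here cannot be checked from the hunk alone.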


@@ -65,6 +65,7 @@ class swift::internal_client (
) inherits swift::params { ) inherits swift::params {
include swift::deps include swift::deps
include swift::params
if $pipeline[-1] != 'proxy-server' { if $pipeline[-1] != 'proxy-server' {
fail('proxy-server must be the last element in pipeline') fail('proxy-server must be the last element in pipeline')
@@ -74,6 +75,16 @@ class swift::internal_client (
purge => $purge_config, purge => $purge_config,
} }
file { '/etc/swift/internal-client.conf':
ensure => 'file',
owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
}
File['/etc/swift/internal-client.conf'] -> Swift_internal_client_config<||>
swift_internal_client_config { swift_internal_client_config {
'DEFAULT/user': value => $user; 'DEFAULT/user': value => $user;
'pipeline:main/pipeline': value => join($pipeline, ' '); 'pipeline:main/pipeline': value => join($pipeline, ' ');
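Review bot: The added `include swift::params` in the first hunk is redundant, since the class header on the preceding context line already declares `inherits swift::params`, which evaluates the parent class before the body runs. It is harmless, but it reads as if the inheritance were missing; either drop the line or add `# kept for symmetry with classes that do not inherit swift::params` so the next reader does not go looking for a missing dependency.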


@@ -84,6 +84,17 @@ class swift::keymaster(
) { ) {
include swift::deps include swift::deps
include swift::params
file { '/etc/swift/keymaster.conf':
ensure => 'file',
owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
}
File['/etc/swift/keymaster.conf'] -> Swift_keymaster_config<||>
swift_keymaster_config { swift_keymaster_config {
'kms_keymaster/api_class': value => $api_class; 'kms_keymaster/api_class': value => $api_class;


@@ -85,11 +85,14 @@ class swift::memcache (
} }
file { '/etc/swift/memcache.conf': file { '/etc/swift/memcache.conf':
ensure => file, ensure => 'file',
owner => $::swift::params::user, owner => 'root',
group => $::swift::params::group, group => $::swift::params::group,
mode => '0640', mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
} }
File['/etc/swift/memcache.conf'] -> Swift_memcache_config<||>
swift_memcache_config { swift_memcache_config {
'memcache/memcache_servers': value => join(any2array($memcache_servers), ','); 'memcache/memcache_servers': value => join(any2array($memcache_servers), ',');


@@ -152,6 +152,16 @@ class swift::objectexpirer(
purge => $purge_config, purge => $purge_config,
} }
file { '/etc/swift/object-expirer.conf':
ensure => 'file',
owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
}
File['/etc/swift/object-expirer.conf'] -> Swift_object_expirer_config<||>
if $pipeline[-1] != 'proxy-server' { if $pipeline[-1] != 'proxy-server' {
fail('proxy-server must be the last element in pipeline') fail('proxy-server must be the last element in pipeline')
} }


@@ -225,11 +225,21 @@ class swift::proxy(
purge => $purge_config, purge => $purge_config,
} }
file { '/etc/swift/proxy-server.conf':
ensure => 'file',
owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
}
File['/etc/swift/proxy-server.conf'] -> Swift_proxy_config<||>
swift_proxy_config { swift_proxy_config {
'DEFAULT/bind_port': value => $port; 'DEFAULT/bind_port': value => $port;
'DEFAULT/bind_ip': value => $proxy_local_net_ip; 'DEFAULT/bind_ip': value => $proxy_local_net_ip;
'DEFAULT/workers': value => $workers; 'DEFAULT/workers': value => $workers;
'DEFAULT/user': value => 'swift'; 'DEFAULT/user': value => $::swift::params::user;
'DEFAULT/log_name': value => $log_name; 'DEFAULT/log_name': value => $log_name;
'DEFAULT/log_facility': value => $log_facility; 'DEFAULT/log_facility': value => $log_facility;
'DEFAULT/log_level': value => $log_level; 'DEFAULT/log_level': value => $log_level;
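Review bot: The change of `'DEFAULT/user'` from the literal `'swift'` to `$::swift::params::user` is a behaviour change that the commit message does not mention, and it ties the runtime user of proxy-server to the group that now gates read access to the root-owned proxy-server.conf. If `$::swift::params::user` ever differs from `'swift'` on some platform, that user must still be a member of `$::swift::params::group` or the service cannot read its 0640 config. A one-line comment on the value, e.g. `# must be a member of $::swift::params::group to read the 0640 config`, plus a mention in the commit message or a release note, would document the coupling.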


@@ -215,8 +215,8 @@ class swift::proxy::ceilometer(
} }
file { '/etc/swift/ceilometer.conf': file { '/etc/swift/ceilometer.conf':
ensure => present, ensure => 'file',
owner => $::swift::params::user, owner => 'root',
group => $::swift::params::group, group => $::swift::params::group,
mode => '0640', mode => '0640',
require => Anchor['swift::config::begin'], require => Anchor['swift::config::begin'],


@@ -130,6 +130,17 @@ class swift::storage::drive_audit(
purge => $purge_config, purge => $purge_config,
} }
file { '/etc/swift/drive-audit.conf':
ensure => 'file',
owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
}
File['/etc/swift/drive-audit.conf'] -> Swift_drive_audit_config<||>
swift_drive_audit_config { swift_drive_audit_config {
'drive-audit/log_name' : value => $log_name; 'drive-audit/log_name' : value => $log_name;
'drive-audit/log_facility': value => $log_facility; 'drive-audit/log_facility': value => $log_facility;


@@ -407,8 +407,8 @@ define swift::storage::server(
%>"), ',') %>"), ',')
file { $config_file_full_path: file { $config_file_full_path:
ensure => present, ensure => 'file',
owner => pick($owner, $::swift::params::user), owner => 'root',
group => pick($group, $::swift::params::group), group => pick($group, $::swift::params::group),
mode => '0640', mode => '0640',
tag => 'swift-config-file', tag => 'swift-config-file',
@@ -553,6 +553,15 @@ define swift::storage::server(
'container-sharder/log_name' => {'ensure' => absent}, 'container-sharder/log_name' => {'ensure' => absent},
} }
} }
file { '/etc/swift/container-sync-realms.conf':
ensure => 'file',
owner => 'root',
group => pick($group, $::swift::params::group),
mode => '0640',
tag => 'swift-config-file',
}
File['/etc/swift/container-sync-realms.conf'] -> Swift_container_sync_realms_config<||>
} }
'object': { 'object': {
$type_opts = { $type_opts = {
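Review bot: In the first hunk `owner => pick($owner, $::swift::params::user)` becomes the literal `'root'`, so a caller-supplied `$owner` is now silently ignored while `$group` is still honoured on the next line; if `$owner` remains a parameter of the define, it should be either applied or explicitly deprecated rather than dropped from use. The container-sync-realms.conf resource in the second hunk follows the same pattern, hard-coding `'root'` but keeping `pick($group, ...)`. The define's parameter list is outside both hunks, so whether `$owner` is still declared cannot be confirmed here; if it is, `warning('The owner parameter is ignored; config files are now owned by root')` near the top of the define would at least surface the change to existing users.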


@@ -12,6 +12,13 @@ describe 'swift::containerreconciler' do
shared_examples 'swift::container::reconciler' do shared_examples 'swift::container::reconciler' do
context 'with defaults' do context 'with defaults' do
it { is_expected.to contain_file('/etc/swift/container-reconciler.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift',
:mode => '0640',
)}
it 'configures container-reconciler.conf' do it 'configures container-reconciler.conf' do
is_expected.to contain_swift_container_reconciler_config( is_expected.to contain_swift_container_reconciler_config(
'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server') 'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')


@@ -12,6 +12,13 @@ describe 'swift::internal_client' do
end end
context 'with defaults' do context 'with defaults' do
it { is_expected.to contain_file('/etc/swift/internal-client.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift',
:mode => '0640',
)}
it 'should configure default values' do it 'should configure default values' do
should contain_swift_internal_client_config('DEFAULT/user').with_value('swift') should contain_swift_internal_client_config('DEFAULT/user').with_value('swift')
should contain_swift_internal_client_config('pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server') should contain_swift_internal_client_config('pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')


@@ -9,6 +9,13 @@ describe 'swift::keymaster' do
end end
context "when using default parameters" do context "when using default parameters" do
it { is_expected.to contain_file('/etc/swift/keymaster.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift',
:mode => '0640',
)}
it 'configures keymaster options' do it 'configures keymaster options' do
is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('barbican') is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('barbican')
is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('<SERVICE DEFAULT>') is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('<SERVICE DEFAULT>')


@@ -4,17 +4,11 @@ describe 'swift::memcache' do
shared_examples 'swift::memcache' do shared_examples 'swift::memcache' do
describe 'when using default parameters' do describe 'when using default parameters' do
it { is_expected.to contain_file('/etc/swift/memcache.conf').with(
let :file_defaults do :ensure => 'file',
{ :owner => 'root',
:owner => 'swift',
:group => 'swift', :group => 'swift',
:mode => '0640', :mode => '0640',
}
end
it {is_expected.to contain_file('/etc/swift/memcache.conf').with(
{:ensure => 'file'}.merge(file_defaults)
)} )}
it { is_expected.to contain_swift_memcache_config( it { is_expected.to contain_swift_memcache_config(


@@ -12,6 +12,13 @@ describe 'swift::objectexpirer' do
shared_examples 'swift::objectexpirer' do shared_examples 'swift::objectexpirer' do
context 'with defaults' do context 'with defaults' do
it { is_expected.to contain_file('/etc/swift/object-expirer.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift',
:mode => '0640',
)}
it 'configures object-expirer.conf' do it 'configures object-expirer.conf' do
is_expected.to contain_swift_object_expirer_config( is_expected.to contain_swift_object_expirer_config(
'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server') 'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')


@@ -34,8 +34,8 @@ describe 'swift::proxy::ceilometer' do
)} )}
it { is_expected.to contain_file('/etc/swift/ceilometer.conf').with( it { is_expected.to contain_file('/etc/swift/ceilometer.conf').with(
:ensure => 'present', :ensure => 'file',
:owner => 'swift', :owner => 'root',
:group => 'swift', :group => 'swift',
:mode => '0640', :mode => '0640',
)} )}


@@ -46,6 +46,13 @@ describe 'swift::proxy' do
:tag => ['swift-service', 'swift-proxy-service'], :tag => ['swift-service', 'swift-proxy-service'],
)} )}
it { is_expected.to contain_file('/etc/swift/proxy-server.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift',
:mode => '0640',
)}
it { should contain_service('swift-proxy-server').that_subscribes_to('Anchor[swift::service::begin]') } it { should contain_service('swift-proxy-server').that_subscribes_to('Anchor[swift::service::begin]') }
it { should contain_service('swift-proxy-server').that_notifies('Anchor[swift::service::end]') } it { should contain_service('swift-proxy-server').that_notifies('Anchor[swift::service::end]') }
it { should contain_swift_proxy_config('DEFAULT/bind_port').with_value('8080') } it { should contain_swift_proxy_config('DEFAULT/bind_port').with_value('8080') }


@@ -4,6 +4,13 @@ describe 'swift::storage::drive_audit' do
shared_examples 'swift::storage::drive_audit' do shared_examples 'swift::storage::drive_audit' do
context 'with defaults' do context 'with defaults' do
it { is_expected.to contain_file('/etc/swift/drive-audit.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift',
:mode => '0640',
)}
it 'should configure default values' do it 'should configure default values' do
should contain_swift_drive_audit_config('drive-audit/log_name').with_value('drive-audit') should contain_swift_drive_audit_config('drive-audit/log_name').with_value('drive-audit')
should contain_swift_drive_audit_config('drive-audit/log_facility').with_value('LOG_LOCAL2') should contain_swift_drive_audit_config('drive-audit/log_facility').with_value('LOG_LOCAL2')
@@ -52,6 +59,13 @@ describe 'swift::storage::drive_audit' do
} }
end end
it { is_expected.to contain_file('/etc/swift/drive-audit.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift',
:mode => '0640',
)}
it 'should configure the given values' do it 'should configure the given values' do
should contain_swift_drive_audit_config('drive-audit/user').with_value('alt_swift') should contain_swift_drive_audit_config('drive-audit/user').with_value('alt_swift')
should contain_swift_drive_audit_config('drive-audit/device_dir').with_value('/opt/swift') should contain_swift_drive_audit_config('drive-audit/device_dir').with_value('/opt/swift')


@@ -58,8 +58,8 @@ describe 'swift::storage::server' do
)} )}
it { is_expected.to contain_file('/etc/swift/account-server.conf').with( it { is_expected.to contain_file('/etc/swift/account-server.conf').with(
:ensure => 'present', :ensure => 'file',
:owner => 'swift', :owner => 'root',
:group => 'swift', :group => 'swift',
:mode => '0640', :mode => '0640',
:tag => 'swift-config-file' :tag => 'swift-config-file'
@@ -241,8 +241,15 @@ describe 'swift::storage::server' do
)} )}
it { is_expected.to contain_file('/etc/swift/container-server.conf').with( it { is_expected.to contain_file('/etc/swift/container-server.conf').with(
:ensure => 'present', :ensure => 'file',
:owner => 'swift', :owner => 'root',
:group => 'swift',
:mode => '0640',
:tag => 'swift-config-file'
)}
it { is_expected.to contain_file('/etc/swift/container-sync-realms.conf').with(
:ensure => 'file',
:owner => 'root',
:group => 'swift', :group => 'swift',
:mode => '0640', :mode => '0640',
:tag => 'swift-config-file' :tag => 'swift-config-file'
@@ -435,8 +442,8 @@ describe 'swift::storage::server' do
)} )}
it { is_expected.to contain_file('/etc/swift/object-server.conf').with( it { is_expected.to contain_file('/etc/swift/object-server.conf').with(
:ensure => 'present', :ensure => 'file',
:owner => 'swift', :owner => 'root',
:group => 'swift', :group => 'swift',
:mode => '0640', :mode => '0640',
:tag => 'swift-config-file' :tag => 'swift-config-file'