openstack/puppet-swift
Code Issues Proposed changes

Expose hosts_allow/deny for rsyncd configuration.

Browse Source 
This introduces the hosts_allow parameter and the hosts_deny parameter
so that users can limit access to the rsync server.

Change-Id: I2bf7240f8c52aef8b4dd74ce5af12056377ab227
This commit is contained in:
David Hill
2023-06-05 08:10:28 -04:00
committed by Takashi Kajinami
parent 209a71a016
commit de05151b9c
4 changed files with 116 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
manifests/storage/all.pp
View File

@@ -56,6 +56,18 @@
# good for seeing errors if true # good for seeing errors if true
# Defaults to true. # Defaults to true.
# #
# [*max_connections*]
# (optional) maximum number of simultaneous connections allowed for rsync.
# Defaults to 25.
#
# [*hosts_allow*]
# (optional) List of patterns allowed to connect to this module
# Defaults to undef.
#
# [*hosts_deny*]
# (optional) List of patterns not allowed to connect to this module
# Defaults to undef.
#
# [*incoming_chmod*] Incoming chmod to set in the rsync server. # [*incoming_chmod*] Incoming chmod to set in the rsync server.
# Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' # Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
# This mask translates to 0755 for directories and 0644 for files. # This mask translates to 0755 for directories and 0644 for files.
@@ -119,10 +131,6 @@
# version 3.0 or greater. # version 3.0 or greater.
# Default to $facts['os_service_default']. # Default to $facts['os_service_default'].
# #
# [*max_connections*]
# (optional) maximum number of simultaneous connections allowed for rsync.
# Defaults to 25.
#
# [*rsync_use_xinetd*] # [*rsync_use_xinetd*]
# (optional) Override whether to use xinetd to manage rsync service # (optional) Override whether to use xinetd to manage rsync service
# Defaults to swift::params::xinetd_available # Defaults to swift::params::xinetd_available
@@ -142,6 +150,9 @@ class swift::storage::all(
$log_udp_host = undef, $log_udp_host = undef,
$log_udp_port = undef, $log_udp_port = undef,
$log_requests = true, $log_requests = true,
$max_connections = 25,
$hosts_allow = undef,
$hosts_deny = undef,
$incoming_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r', $incoming_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
$outgoing_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r', $outgoing_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
$statsd_enabled = false, $statsd_enabled = false,
@@ -157,7 +168,6 @@ class swift::storage::all(
$rsync_timeout = $facts['os_service_default'], $rsync_timeout = $facts['os_service_default'],
$rsync_bwlimit = $facts['os_service_default'], $rsync_bwlimit = $facts['os_service_default'],
$splice = false, $splice = false,
$max_connections = 25,
$rsync_use_xinetd = $::swift::params::xinetd_available, $rsync_use_xinetd = $::swift::params::xinetd_available,
) inherits swift::params { ) inherits swift::params {
@@ -203,6 +213,8 @@ from 6002 to 6202 and will be changed in a later release")
log_statsd_sample_rate_factor => $log_statsd_sample_rate_factor, log_statsd_sample_rate_factor => $log_statsd_sample_rate_factor,
log_statsd_metric_prefix => $log_statsd_metric_prefix, log_statsd_metric_prefix => $log_statsd_metric_prefix,
max_connections => $max_connections, max_connections => $max_connections,
hosts_allow => $hosts_allow,
hosts_deny => $hosts_deny,
incoming_chmod => $incoming_chmod, incoming_chmod => $incoming_chmod,
outgoing_chmod => $outgoing_chmod, outgoing_chmod => $outgoing_chmod,
} }

16
manifests/storage/server.pp
View File

@@ -39,6 +39,14 @@
# (optional) maximum number of simultaneous connections allowed. # (optional) maximum number of simultaneous connections allowed.
# Defaults to 25. # Defaults to 25.
# #
# [*hosts_allow*]
# (optional) List of patterns allowed to connect to this module
# Defaults to undef.
#
# [*hosts_deny*]
# (optional) List of patterns not allowed to connect to this module
# Defaults to undef.
#
# [*incoming_chmod*] Incoming chmod to set in the rsync server. # [*incoming_chmod*] Incoming chmod to set in the rsync server.
# Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r' # Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
# This mask translates to 0755 for directories and 0644 for files. # This mask translates to 0755 for directories and 0644 for files.
@@ -223,9 +231,11 @@ define swift::storage::server(
$device_names = [], $device_names = [],
$owner = undef, $owner = undef,
$group = undef, $group = undef,
$max_connections = 25,
$hosts_allow = undef,
$hosts_deny = undef,
$incoming_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r', $incoming_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
$outgoing_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r', $outgoing_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
$max_connections = 25,
$pipeline = ["${type}-server"], $pipeline = ["${type}-server"],
$mount_check = true, $mount_check = true,
$disable_fallocate = $facts['os_service_default'], $disable_fallocate = $facts['os_service_default'],
@@ -311,6 +321,8 @@ define swift::storage::server(
lock_file => "/var/lock/${type}_${device_name}.lock", lock_file => "/var/lock/${type}_${device_name}.lock",
uid => pick($owner, $::swift::params::user), uid => pick($owner, $::swift::params::user),
gid => pick($group, $::swift::params::group), gid => pick($group, $::swift::params::group),
hosts_allow => $hosts_allow,
hosts_deny => $hosts_deny,
incoming_chmod => $incoming_chmod, incoming_chmod => $incoming_chmod,
outgoing_chmod => $outgoing_chmod, outgoing_chmod => $outgoing_chmod,
max_connections => $max_connections, max_connections => $max_connections,
@@ -324,6 +336,8 @@ define swift::storage::server(
lock_file => "/var/lock/${type}.lock", lock_file => "/var/lock/${type}.lock",
uid => pick($owner, $::swift::params::user), uid => pick($owner, $::swift::params::user),
gid => pick($group, $::swift::params::group), gid => pick($group, $::swift::params::group),
hosts_allow => $hosts_allow,
hosts_deny => $hosts_deny,
incoming_chmod => $incoming_chmod, incoming_chmod => $incoming_chmod,
outgoing_chmod => $outgoing_chmod, outgoing_chmod => $outgoing_chmod,
max_connections => $max_connections, max_connections => $max_connections,

9
releasenotes/notes/hosts_allow-7795d5f8f9ccd24e.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
features:
- |
The ``hosts_new`` parameter and the ``hosts_deny`` parameter have been
added to the following resources. These allows limiting access to the rsync
server.
- ``swift::storage::all`` class
- ``swift::storage::server`` defined resource type

75
spec/defines/swift_storage_server_spec.rb
View File

@@ -144,6 +144,31 @@ describe 'swift::storage::server' do
)} )}
it { is_expected.to contain_swift_account_config('account-replicator/rsync_module').with_value('{replication_ip}::account_{device}') } it { is_expected.to contain_swift_account_config('account-replicator/rsync_module').with_value('{replication_ip}::account_{device}') }
end end
context 'with rsync parameters' do
before do
params.merge!({
:max_connections => 100,
:hosts_allow => '192.0.2.0/25',
:hosts_deny => '192.0.2.128/25',
:incoming_chmod => '0644',
:outgoing_chmod => '0644',
})
end
it { is_expected.to contain_rsync__server__module('account').with(
:path => '/srv/node',
:lock_file => '/var/lock/account.lock',
:uid => 'swift',
:gid => 'swift',
:hosts_allow => '192.0.2.0/25',
:hosts_deny => '192.0.2.128/25',
:incoming_chmod => '0644',
:outgoing_chmod => '0644',
:max_connections => 100,
:read_only => false,
)}
end
end end
describe 'for type container' do describe 'for type container' do
@@ -272,6 +297,31 @@ describe 'swift::storage::server' do
)} )}
it { is_expected.to contain_swift_container_config('container-replicator/rsync_module').with_value('{replication_ip}::container_{device}') } it { is_expected.to contain_swift_container_config('container-replicator/rsync_module').with_value('{replication_ip}::container_{device}') }
end end
context 'with rsync parameters' do
before do
params.merge!({
:max_connections => 100,
:hosts_allow => '192.0.2.0/25',
:hosts_deny => '192.0.2.128/25',
:incoming_chmod => '0644',
:outgoing_chmod => '0644',
})
end
it { is_expected.to contain_rsync__server__module('container').with(
:path => '/srv/node',
:lock_file => '/var/lock/container.lock',
:uid => 'swift',
:gid => 'swift',
:hosts_allow => '192.0.2.0/25',
:hosts_deny => '192.0.2.128/25',
:incoming_chmod => '0644',
:outgoing_chmod => '0644',
:max_connections => 100,
:read_only => false,
)}
end
end end
describe 'for type object' do describe 'for type object' do
@@ -405,6 +455,31 @@ describe 'swift::storage::server' do
)} )}
it { is_expected.to contain_swift_object_config('object-replicator/rsync_module').with_value('{replication_ip}::object_{device}') } it { is_expected.to contain_swift_object_config('object-replicator/rsync_module').with_value('{replication_ip}::object_{device}') }
end end
context 'with rsync parameters' do
before do
params.merge!({
:max_connections => 100,
:hosts_allow => '192.0.2.0/25',
:hosts_deny => '192.0.2.128/25',
:incoming_chmod => '0644',
:outgoing_chmod => '0644',
})
end
it { is_expected.to contain_rsync__server__module('object').with(
:path => '/srv/node',
:lock_file => '/var/lock/object.lock',
:uid => 'swift',
:gid => 'swift',
:hosts_allow => '192.0.2.0/25',
:hosts_deny => '192.0.2.128/25',
:incoming_chmod => '0644',
:outgoing_chmod => '0644',
:max_connections => 100,
:read_only => false,
)}
end
end end
end end