openstack/puppet-swift
Code Issues Proposed changes
Files
b0e59971b871c5432c93bbcddfb11edf60c15812
puppet-swift/manifests/keymaster.pp
Takashi Kajinami b0e59971b8 Set appropriate ownership/permission to config files 
... to avoid making any config files world readable.

Also swift processes do not need write access to these files, thus
write access can be blocked.

Closes-Bug: #2068898
Change-Id: I8b11fbdb0ea0ca814b962dd72b5c1cb4cd201c24
2024-06-11 12:03:47 +09:00

115 lines
4.2 KiB
Puppet
Raw Blame History

# Configure keymaster configuration file
#
# == Parameters
#
# [*password*]
# (Required) String. The password to go with the Keystone username.
#
# [*api_class*]
# (Required) String. The api_class tells Castellan which key manager to
# use to access the external key management system. The default value that
# accesses Barbican is 'barbican', which resolve to
# castellan.key_manager.barbican_key_manager.BarbicanKeyManager.
#
# [*key_id*]
# (Required) String. The key_id is the identifier of the root secret stored
# in the KMS. The key_id is the final part of the secret href returned in the
# output of an 'openstack secret order get' command after an order to store
# or create a key has been successfully completed.
#
# [*username*]
# (Required) String. The Keystone username of the user used to access the key
# from the KMS. The username shall be set to match an existing user.
# Defaults to swift.
#
# [*project_name*]
# (Optional) String. The Keystone project name. For security reasons,
# it is recommended to set the project_name to a project separate from the
# service project used by other OpenStack services. Thereby, if another
# service is compromised, it will not have access to the Swift root
# encryption secret. It is recommended that the swift user is the only one
# that has a role in this project.
# Defaults to service.
#
# [*project_id*]
# (Optional) String. Instead of the project name, the project id may also
# be used.
#
# [*auth_endpoint*]
# (Required) String. The Keystone URL to authenticate to. The value of
# auth_url may be set according to the value of auth_uri in
# [filter:authtoken] in proxy-server.conf.
#
# [*project_domain_name*]
# (Optional) String. The project domain name may optionally be specified.
#
# [*user_domain_name*]
# (Optional) String. The user domain name may optionally be specified.
#
# [*project_domain_id*]
# (Optional) String. Instead of the project domain name, the project domain
# id may also be specified.
# Defaults to 'default' (note the capitalization).
#
# [*user_domain_id*]
# (Optional) String. Instead of the user domain name, the user domain
# id may also be specified.
# Defaults to 'default' (note the capitalization).
#
# [*meta_version_to_write*]
# (Optional) Int. The version of crypto metadata to write.
# Defaults to $facts['os_service_default']
#
# == Dependencies
#
# None
#
# == Authors
#
# Thiago da Silva thiago@redhat.com
#
class swift::keymaster(
String[1] $password,
$api_class = 'barbican',
$key_id = $facts['os_service_default'],
$username = 'swift',
$project_name = 'services',
$project_id = $facts['os_service_default'],
$auth_endpoint = $facts['os_service_default'],
$project_domain_name = $facts['os_service_default'],
$user_domain_name = $facts['os_service_default'],
$project_domain_id = 'default',
$user_domain_id = 'default',
$meta_version_to_write = $facts['os_service_default'],
) {
include swift::deps
include swift::params
file { '/etc/swift/keymaster.conf':
ensure => 'file',
owner => 'root',
group => $::swift::params::group,
mode => '0640',
require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end']
}
File['/etc/swift/keymaster.conf'] -> Swift_keymaster_config<||>
swift_keymaster_config {
'kms_keymaster/api_class': value => $api_class;
'kms_keymaster/key_id': value => $key_id;
'kms_keymaster/username': value => $username;
'kms_keymaster/password': value => $password, secret => true;
'kms_keymaster/project_name': value => $project_name;
'kms_keymaster/project_id': value => $project_id;
'kms_keymaster/auth_endpoint': value => $auth_endpoint;
'kms_keymaster/project_domain_name': value => $project_domain_name;
'kms_keymaster/user_domain_name': value => $user_domain_name;
'kms_keymaster/project_domain_id': value => $project_domain_id;
'kms_keymaster/user_domain_id': value => $user_domain_id;
'kms_keymaster/meta_version_to_write': value => $meta_version_to_write;
}
}
View Git Blame Copy Permalink