Disable SSH login for nova_migration user when migration over ssh is disabled.

If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.

Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321
(cherry picked from commit fe8edab1f4)
This commit is contained in:
Oliver Walsh 2017-05-04 20:21:51 +01:00
parent 0c3e97a5ae
commit 3346f7f6e2
2 changed files with 84 additions and 35 deletions


@ -185,31 +185,42 @@ class tripleo::profile::base::nova (
notify => Service['sshd']
}
file { '/etc/nova/migration/authorized_keys':
content => $migration_ssh_key['public_key'],
mode => '0640',
owner => 'root',
group => 'nova_migration',
require => Package['openstack-nova-migration'],
}
# Client side
file { '/etc/nova/migration/identity':
content => $migration_ssh_key['private_key'],
mode => '0600',
owner => 'nova',
group => 'nova',
require => Package['openstack-nova-migration'],
}
$migration_pkg_ensure = installed
} else {
$migration_pkg_ensure = absent
$migration_authorized_keys = $migration_ssh_key['public_key']
$migration_identity = $migration_ssh_key['private_key']
$migration_user_shell = '/bin/bash'
}
else {
# Remove the keys and prevent login when migration over SSH is not enabled
$migration_authorized_keys = '# Migration over SSH disabled by TripleO'
$migration_identity = '# Migration over SSH disabled by TripleO'
$migration_user_shell = '/sbin/nologin'
}
package { 'openstack-nova-migration':
ensure => present,
tag => ['openstack', 'nova-package'],
}
file { '/etc/nova/migration/authorized_keys':
content => $migration_authorized_keys,
mode => '0640',
owner => 'root',
group => 'nova_migration',
require => Package['openstack-nova-migration']
}
file { '/etc/nova/migration/identity':
content => $migration_identity,
mode => '0600',
owner => 'nova',
group => 'nova',
require => Package['openstack-nova-migration']
}
user {'nova_migration':
shell => $migration_user_shell,
require => Package['openstack-nova-migration']
}
} else {
$migration_pkg_ensure = absent
}
package {'openstack-nova-migration':
ensure => $migration_pkg_ensure
}
}
}
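Review bot: Overwriting `/etc/nova/migration/identity` with the placeholder (the `content => $migration_identity` resource near the end of the hunk) does not actually get the old private key off the node: a Puppet `file` resource saves the replaced content into the local client filebucket unless told otherwise, and the old/new content can also end up in the agent log as a diff. Since the point of the change is to retire that key, both key files should carry `backup => false,` and the identity file `show_diff => false,` next to `content`. The `/sbin/nologin` shell set on `user {'nova_migration'}` stops interactive sessions and remote commands, but if sshd still finds a usable key for that user somewhere other than the clobbered file it can still accept a key-authenticated session used only for port forwarding; whether that is possible depends on the sshd match block declared above this hunk, which I cannot see here. The enclosing if/else and the class itself start outside the hunk.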


@ -95,9 +95,8 @@ describe 'tripleo::profile::base::nova' do
is_expected.to contain_class('nova::cache')
is_expected.to contain_class('nova::placement')
is_expected.to_not contain_class('nova::migration::libvirt')
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'absent'
)
is_expected.to_not contain_file('/etc/nova/migration/authorized_keys')
is_expected.to_not contain_file('/etc/nova/migration/identity')
}
end
@ -132,7 +131,22 @@ describe 'tripleo::profile::base::nova' do
:configure_nova => params[:nova_compute_enabled]
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'absent'
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/sbin/nologin'
)
}
end
@ -169,7 +183,22 @@ describe 'tripleo::profile::base::nova' do
:configure_nova => params[:nova_compute_enabled],
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'absent'
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0640',
:owner => 'root',
:group => 'nova_migration',
)
is_expected.to contain_file('/etc/nova/migration/identity').with(
:content => '# Migration over SSH disabled by TripleO',
:mode => '0600',
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_user('nova_migration').with(
:shell => '/sbin/nologin'
)
}
end
@ -223,6 +252,9 @@ describe 'tripleo::profile::base::nova' do
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
@ -235,8 +267,8 @@ describe 'tripleo::profile::base::nova' do
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'installed'
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
@ -297,6 +329,9 @@ describe 'tripleo::profile::base::nova' do
'DenyUsers' => 'nova_migration'
}
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
@ -309,8 +344,8 @@ describe 'tripleo::profile::base::nova' do
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'installed'
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
@ -365,6 +400,9 @@ describe 'tripleo::profile::base::nova' do
}
)
is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'present'
)
is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
:content => 'ssh-rsa bar',
:mode => '0640',
@ -377,8 +415,8 @@ describe 'tripleo::profile::base::nova' do
:owner => 'nova',
:group => 'nova',
)
is_expected.to contain_package('openstack-nova-migration').with(
:ensure => 'installed'
is_expected.to contain_user('nova_migration').with(
:shell => '/bin/bash'
)
}
end
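Review bot: The two disabled-migration contexts (the hunks at spec lines 131 and 183) repeat the same fifteen lines of expectations verbatim — package present, both placeholder files, and the `/sbin/nologin` shell — and the three enabled contexts repeat the `contain_user('nova_migration').with(:shell => '/bin/bash')` block the same way. A `shared_examples` group per state, included with `it_behaves_like`, keeps the placeholder string and the file modes in one place so a later manifest change needs one spec edit rather than five. None of the disabled-state expectations check the ordering the manifest declares on the user resource, so `:require => 'Package[openstack-nova-migration]'` could be added to the `contain_user` matcher. The enclosing describe blocks start outside each hunk.
```ruby
shared_examples 'migration over ssh disabled' do
  it {
    is_expected.to contain_package('openstack-nova-migration').with(:ensure => 'present')
    # … unchanged: the authorized_keys / identity / user expectations from the hunk …
  }
end

# in each disabled-migration context, in place of the repeated expectations:
it_behaves_like 'migration over ssh disabled'
```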