Merge "logging: teach fluentd.pp about fluentd_service_user"

manifests/profile/base/logging/fluentd.pp

@@ -73,6 +73,11 @@
 #   (Optional) String. Default log format if not otherwise specified
 #   in a log source definition.
 #
+# [*fluentd_service_user*]
+#   (Optional) String. Username that will run the fluentd service.
+#   This will be used to create a systemd drop-in for the fluentd
+#   service that sets User explicitly.
+#
 # [*service_names*]
 #   (Optional) List of services enabled on the current role. This is used
 #   to obtain per-service configuration information.
@@ -91,11 +96,28 @@ class tripleo::profile::base::logging::fluentd (
   $fluentd_path_transform = undef,
   $fluentd_pos_file_path = undef,
   $fluentd_default_format = undef,
+  $fluentd_service_user = undef,
   $service_names = hiera('service_names', [])
 ) {
-
   if $step >= 4 {
     include ::fluentd
+    include ::systemd::systemctl::daemon_reload
+
+    $_fluentd_service_user = pick($fluentd_service_user,
+                                  $::fluentd::config_owner,
+                                  'fluentd')
+
+    # don't manage groups for 'root'
+    $_fluentd_manage_groups = $_fluentd_service_user ? {
+      'root'  => false,
+      default => $fluentd_manage_groups,
+    }
+
+    ::systemd::dropin_file { 'fluentd_user.conf':
+      unit    => "${::fluentd::service_name}.service",
+      content => template('tripleo/fluentd/fluentd_user.conf.erb'),
+    }
+    ~> Service['fluentd']
 
     # Load per-service plugin configuration
     ::tripleo::profile::base::logging::fluentd::fluentd_service {
@@ -104,7 +126,7 @@ class tripleo::profile::base::logging::fluentd (
         default_format => $fluentd_default_format
     }
 
-    if $fluentd_manage_groups {
+    if $_fluentd_manage_groups {
       # compute a list of all the groups of which the fluentd user
       # should be a member.
       $_tmpgroups1 = $service_names.map |$srv| {
@@ -117,7 +139,7 @@ class tripleo::profile::base::logging::fluentd (
 
       if !empty($groups) {
         Package<| tag == 'openstack' |>
-        -> user { $::fluentd::config_owner:
+        -> user { $_fluentd_service_user:
           ensure     => present,
           groups     => $groups,
           membership => 'minimum',
@@ -129,7 +151,7 @@ class tripleo::profile::base::logging::fluentd (
     if $fluentd_pos_file_path {
       file { $fluentd_pos_file_path:
         ensure  => 'directory',
-        owner   => $::fluentd::config_owner,
+        owner   => $_fluentd_service_user,
         group   => $::fluentd::config_group,
         mode    => '0750',
         recurse =>  true,
@@ -208,7 +230,7 @@ class tripleo::profile::base::logging::fluentd (
 
         file {'/etc/fluentd/ca_cert.pem':
           content => $fluentd_ssl_certificate,
-          owner   => $::fluentd::config_owner,
+          owner   => $_fluentd_service_user,
           group   => $::fluentd::config_group,
           mode    => '0444',
         }

spec/classes/tripleo_profile_base_logging_fluentd_spec.rb

@@ -28,6 +28,7 @@ describe 'tripleo::profile::base::logging::fluentd' do
 
       it 'should do nothing' do
         is_expected.to_not contain_class('fluentd')
+	is_expected.to_not contain_class('systemd::systemctl::daemon_reload')
         is_expected.to_not contain_fluentd__plugin('rubygem-fluent-plugin-add')
       end
     end
@@ -36,6 +37,7 @@ describe 'tripleo::profile::base::logging::fluentd' do
       let(:params) { { :step => 4 } }
 
       it { is_expected.to contain_class('fluentd') }
+      it { is_expected.to contain_class('systemd::systemctl::daemon_reload') }
       it { is_expected.to contain_fluentd__plugin('rubygem-fluent-plugin-add').with(
         :plugin_provider => 'yum',
       ) }
@@ -54,6 +56,7 @@ describe 'tripleo::profile::base::logging::fluentd' do
       } }
 
       it { is_expected.to contain_class('fluentd') }
+      it { is_expected.to contain_class('systemd::systemctl::daemon_reload') }
       it { is_expected.to contain_fluentd__plugin('rubygem-fluent-plugin-add').with(
         :plugin_provider => 'yum',
       ) }
@@ -129,6 +132,55 @@ describe 'tripleo::profile::base::logging::fluentd' do
       ) }
     end
 
+    context 'fluentd user and managed groups' do
+      let(:params) { {
+        :step => 4,
+        :fluentd_service_user => 'fluentd',
+        :fluentd_manage_groups => true,
+        :fluentd_groups => [ 'fluentd' ]
+      } }
+
+      it { is_expected.to contain_class('fluentd') }
+      it { is_expected.to contain_class('systemd::systemctl::daemon_reload') }
+      it { is_expected.to contain_service('fluentd') }
+
+      it { is_expected.to contain_file('/etc/systemd/system/fluentd.service.d/fluentd_user.conf')
+      .with( {
+        :ensure  => 'file',
+        :content =>  [ "# This file is maintained by puppet.\n[Service]\nUser=fluentd\n" ]
+      } ) }
+
+      it { is_expected.to contain_service('fluentd') }
+      it { is_expected.to contain_user('fluentd').with(
+        :ensure =>'present',
+        :groups => [ 'fluentd','ceilometer' ],
+        :membership => 'minimum'
+      ) }
+    end
+
+    context 'root user, no matter about groups' do
+      let(:params) { {
+        :step => 4,
+        :fluentd_service_user => 'root',
+        :fluentd_manage_groups => true,
+        :fluentd_groups => [ 'fluentd' ]
+      } }
+
+      it { is_expected.to contain_class('fluentd') }
+      it { is_expected.to contain_class('systemd::systemctl::daemon_reload') }
+      it { is_expected.to contain_service('fluentd') }
+
+      it { is_expected.to contain_file('/etc/systemd/system/fluentd.service.d/fluentd_user.conf')
+      .with( {
+        :ensure  => 'file',
+        :content =>  [ "# This file is maintained by puppet.\n[Service]\nUser=root\n" ]
+      } ) }
+
+      it { is_expected.to contain_service('fluentd') }
+      it { is_expected.to_not contain_user('fluentd') }
+    end
+
+
   end
 
   on_supported_os.each do |os, facts|

templates/fluentd/fluentd_user.conf.erb

@@ -0,0 +1,3 @@
+# This file is maintained by puppet.
+[Service]
+User=<%= @_fluentd_service_user %>