Merge "Enable sudo rule creation"

manifests/profile/base/metrics/collectd/sensubility.pp

@@ -91,6 +91,19 @@
 #  (Optional) String. Password part of credentials used to authenticate
 #  to the AMQP 1.0 intermediary.
 #  Defaults to undef
+#
+# [*exec_user*]
+#  (Optional) String. User under which sensubility is executed via collectd-exec.
+#  Defaults to 'collectd'
+#
+# [*exec_group*]
+#  (Optional) String. Group under which sensubility is executed via collectd-exec.
+#  Defaults to 'collectd'
+#
+# [*exec_sudo_rule*]
+#  (Optional) String. Rule which will be saved in /etc/sudoers.d for user specified
+#  by parameter exec_user.
+#  Defaults to undef
 class tripleo::profile::base::metrics::collectd::sensubility (
   $ensure             = 'present',
   $config_path        = '/etc/collectd-sensubility.conf',
@@ -108,7 +121,10 @@ class tripleo::profile::base::metrics::collectd::sensubility (
   $amqp_host          = undef,
   $amqp_port          = undef,
   $amqp_user          = undef,
-  $amqp_password      = undef
+  $amqp_password      = undef,
+  $exec_user          = 'collectd',
+  $exec_group         = 'collectd',
+  $exec_sudo_rule     = undef
 ) {
   include collectd
   include collectd::plugin::exec
@@ -140,8 +156,25 @@ class tripleo::profile::base::metrics::collectd::sensubility (
   }
 
   collectd::plugin::exec::cmd { 'sensubility':
-    user  => 'collectd',
-    group => 'collectd',
+    user  => $exec_user,
+    group => $exec_group,
     exec  => ['collectd-sensubility'],
   }
+
+  if $exec_sudo_rule {
+    $sudoers_path = "/etc/sudoers.d/sensubility_${exec_user}"
+    file { $sudoers_path:
+      ensure  => $ensure,
+      mode    => '0440',
+      content => "${exec_user}  ${exec_sudo_rule}",
+      notify  => Exec["${exec_user}-sudo-syntax-check"]
+    }
+
+    exec { "${exec_user}-sudo-syntax-check":
+      path        => ['/usr/sbin/', '/usr/bin/'],
+      command     => "visudo -c -f '${sudoers_path}' || (rm -f '${sudoers_path}' && exit 1)",
+      refreshonly => true,
+    }
+  }
+
 }

spec/classes/tripleo_profile_base_metrics_collectd_sensubility_spec.rb

@@ -0,0 +1,43 @@
+#
+# Copyright (C) 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::metrics::collectd::sensubility' do
+  shared_examples_for 'tripleo::profile::base::metrics::collectd::sensubility' do
+    context 'with defaults and sudo rule defined' do
+      let(:params) do
+        {:exec_sudo_rule => 'ALL=(ALL)  NOPASSWD:ALL'}
+      end
+      it 'has sudoers file for appropriate user with relevant rule' do
+        is_expected.to compile.with_all_deps
+        is_expected.to contain_file('/etc/sudoers.d/sensubility_collectd').with_content('collectd  ALL=(ALL)  NOPASSWD:ALL')
+        is_expected.to contain_exec('collectd-sudo-syntax-check').with(
+          :command => "visudo -c -f '/etc/sudoers.d/sensubility_collectd' || (rm -f '/etc/sudoers.d/sensubility_collectd' && exit 1)",
+        )
+      end
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let (:facts) {
+        facts
+      }
+      it_behaves_like 'tripleo::profile::base::metrics::collectd::sensubility'
+    end
+  end
+end

spec/fixtures/hieradata/default.yaml

@@ -177,3 +177,5 @@ neutron::plugins::ovs::opendaylight::odl_password: 'admin'
 swift_proxy_short_bootstrap_node_name: node
 # required for metrics::qdr_user
 ctlplane: '192.168.24.123'
+# required to avoid EPEL repo management when testing collectd::sensubility
+collectd::manage_repo: false