Merge "Implements management of `/etc/login.defs`"

2017-12-01 05:29:20 +00:00 · 2017-12-01 05:29:20 +00:00 · 3d992e3086
parent 12361c6b39 502fde7a64
commit 3d992e3086
24 changed files with 107 additions and 1 deletions
--- a/capabilities-map.yaml
+++ b/capabilities-map.yaml
@ -531,6 +531,11 @@ topics:
        environments:
          - file: environments/securetty.yaml
            title: SecureTTY Values
+      - title: login.defs values
+        description: Set values within /etc/login.defs
+        environments:
+          - file: environments/login-defs.yaml
+            title: login.defs Values

  - title: Additional Services
    description:
@ -642,3 +647,4 @@ topics:
            description:
            requires:
              - overcloud-resource-registry-puppet.yaml
+
--- a/ci/environments/scenario001-multinode-containers.yaml
+++ b/ci/environments/scenario001-multinode-containers.yaml
@ -36,6 +36,7 @@ parameter_defaults:
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::GlanceApi
    - OS::TripleO::Services::HeatApi
    - OS::TripleO::Services::HeatApiCfn
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@ -52,3 +52,5 @@ parameter_defaults:
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::OVNController
    - OS::TripleO::Services::RsyslogSidecar
+    - OS::TripleO::Services::LoginDefs
+
--- a/environments/login-defs.yaml
+++ b/environments/login-defs.yaml
@ -0,0 +1,9 @@
+resource_registry:
+  OS::TripleO::Services::LoginDefs: ../puppet/services/login-defs.yaml
+
+parameter_defaults:
+  PasswordMaxDays: 60
+  PasswordMinDays: 1
+  PasswordMinLen: 5
+  PasswordWarnAge: 7
+  FailDelay: 4
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@ -302,6 +302,7 @@ resource_registry:
  OS::TripleO::Services::VRTSHyperScale: OS::Heat::None
  OS::TripleO::Services::SkydiveAgent: OS::Heat::None
  OS::TripleO::Services::SkydiveAnalyzer: OS::Heat::None
+  OS::TripleO::Services::LoginDefs: OS::Heat::None

  # Logging
  OS::TripleO::Services::Logging::BarbicanApi: docker/services/logging/files/barbican-api.yaml
--- a/puppet/services/login-defs.yaml
+++ b/puppet/services/login-defs.yaml
@ -0,0 +1,66 @@
+heat_template_version: pike
+
+description: >
+  Configure login.defs values
+
+parameters:
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  PasswordMaxDays:
+    default: {}
+    description: Set the maximum age allowed for passwords
+    type: number
+  PasswordMinDays:
+    default: {}
+    description: Set the minimum age allowed for passwords
+    type: number
+  PasswordWarnAge:
+    default: {}
+    description: Set the warning period for password expiration
+    type: number
+  PasswordMinLen:
+    default: {}
+    description: Set the minimum length allowed for passwords
+    type: number
+  FailDelay:
+    default: {}
+    description: The period of time between password retries
+    type: number
+
+outputs:
+  role_data:
+    description: Parameters for configuration of the login.defs file
+    value:
+      service_name: login_defs
+      config_settings:
+        tripleo::profile::base::login_defs::password_max_days: {get_param: PasswordMaxDays}
+        tripleo::profile::base::login_defs::password_min_days: {get_param: PasswordMinDays}
+        tripleo::profile::base::login_defs::password_warn_age: {get_param: PasswordWarnAge}
+        tripleo::profile::base::login_defs::password_min_len: {get_param: PasswordMinLen}
+        tripleo::profile::base::login_defs::fail_delay: {get_param: FailDelay}
+      step_config: |
+        include ::tripleo::profile::base::login_defs
--- a/roles/BlockStorage.yaml
+++ b/roles/BlockStorage.yaml
@ -19,6 +19,7 @@
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
--- a/roles/CephStorage.yaml
+++ b/roles/CephStorage.yaml
@ -16,6 +16,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
--- a/roles/Compute.yaml
+++ b/roles/Compute.yaml
@ -36,6 +36,7 @@
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::NeutronBgpVpnBagpipe
    - OS::TripleO::Services::NeutronLinuxbridgeAgent
--- a/roles/ComputeHCI.yaml
+++ b/roles/ComputeHCI.yaml
@ -27,6 +27,7 @@
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::NeutronBgpVpnBagpipe
    - OS::TripleO::Services::NeutronLinuxbridgeAgent
--- a/roles/ComputeOvsDpdk.yaml
+++ b/roles/ComputeOvsDpdk.yaml
@ -27,6 +27,7 @@
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::NeutronBgpVpnBagpipe
    - OS::TripleO::Services::NovaCompute
--- a/roles/ComputeSriov.yaml
+++ b/roles/ComputeSriov.yaml
@ -27,6 +27,7 @@
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::NeutronBgpVpnBagpipe
    - OS::TripleO::Services::NeutronSriovAgent
--- a/roles/Controller.yaml
+++ b/roles/Controller.yaml
@ -76,6 +76,7 @@
    - OS::TripleO::Services::Keepalived
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::ManilaApi
    - OS::TripleO::Services::ManilaBackendCephFs
    - OS::TripleO::Services::ManilaBackendIsilon
--- a/roles/ControllerOpenstack.yaml
+++ b/roles/ControllerOpenstack.yaml
@ -61,6 +61,7 @@
    - OS::TripleO::Services::Keepalived
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::ManilaApi
    - OS::TripleO::Services::ManilaBackendCephFs
    - OS::TripleO::Services::ManilaBackendIsilon
@ -118,4 +119,3 @@
    - OS::TripleO::Services::Tuned
    - OS::TripleO::Services::Vpp
    - OS::TripleO::Services::Zaqar
-
--- a/roles/Database.yaml
+++ b/roles/Database.yaml
@ -16,6 +16,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQL
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
--- a/roles/IronicConductor.yaml
+++ b/roles/IronicConductor.yaml
@ -15,6 +15,7 @@
    - OS::TripleO::Services::IronicConductor
    - OS::TripleO::Services::IronicPxe
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
--- a/roles/Messaging.yaml
+++ b/roles/Messaging.yaml
@ -15,6 +15,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
    - OS::TripleO::Services::Pacemaker
--- a/roles/Networker.yaml
+++ b/roles/Networker.yaml
@ -16,6 +16,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::NeutronDhcpAgent
    - OS::TripleO::Services::NeutronL2gwAgent
--- a/roles/ObjectStorage.yaml
+++ b/roles/ObjectStorage.yaml
@ -24,6 +24,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
--- a/roles/Telemetry.yaml
+++ b/roles/Telemetry.yaml
@ -21,6 +21,7 @@
    - OS::TripleO::Services::GnocchiMetricd
    - OS::TripleO::Services::GnocchiStatsd
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQL
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
--- a/roles/Undercloud.yaml
+++ b/roles/Undercloud.yaml
@ -23,6 +23,7 @@
    - OS::TripleO::Services::IronicPxe
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::Memcached
    - OS::TripleO::Services::MistralApi
    - OS::TripleO::Services::MistralEngine
--- a/roles/UndercloudLight.yaml
+++ b/roles/UndercloudLight.yaml
@ -19,6 +19,7 @@
    - OS::TripleO::Services::HeatApiCfn
    - OS::TripleO::Services::HeatEngine
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::Memcached
    - OS::TripleO::Services::MistralApi
    - OS::TripleO::Services::MistralEngine
--- a/roles_data.yaml
+++ b/roles_data.yaml
@ -79,6 +79,7 @@
    - OS::TripleO::Services::Keepalived
    - OS::TripleO::Services::Kernel
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::ManilaApi
    - OS::TripleO::Services::ManilaBackendCephFs
    - OS::TripleO::Services::ManilaBackendIsilon
@ -187,6 +188,7 @@
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::NeutronBgpVpnBagpipe
    - OS::TripleO::Services::NeutronLinuxbridgeAgent
@ -230,6 +232,7 @@
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
@ -268,6 +271,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
@ -300,6 +304,7 @@
    - OS::TripleO::Services::Docker
    - OS::TripleO::Services::Fluentd
    - OS::TripleO::Services::Kernel
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::MySQLClient
    - OS::TripleO::Services::Ntp
    - OS::TripleO::Services::ContainersLogrotateCrond
--- a/roles_data_undercloud.yaml
+++ b/roles_data_undercloud.yaml
@ -26,6 +26,7 @@
    - OS::TripleO::Services::IronicPxe
    - OS::TripleO::Services::Iscsid
    - OS::TripleO::Services::Keystone
+    - OS::TripleO::Services::LoginDefs
    - OS::TripleO::Services::Memcached
    - OS::TripleO::Services::MistralApi
    - OS::TripleO::Services::MistralEngine