Adds Firewall rules for keystone access.

Allows connection to the keystone service only for the hosts that need to (basically every service). This patch is for keystone only, rules for the other services are being developed since the bug addresses the entire openstack installation. Fixes (partially): rhbz#1002063 Change-Id: I44cf008147bd1f0889e9cc78bda9d67889976c10
2013-09-20 17:36:08 -06:00
parent 1724ae8626
commit c96ccfdde4
2 changed files with 10 additions and 6 deletions
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -10,6 +10,7 @@ from packstack.installer import basedefs
 from packstack.installer import utils

 from packstack.modules.ospluginutils import getManifestTemplate, appendManifestFile
+from packstack.installer.utils import host_iter

 # Controller object will be initialized from main flow
 controller = None
@@ -120,4 +121,13 @@ def initSequences(controller):
 def create_manifest(config):
    manifestfile = "%s_keystone.pp" % config['CONFIG_KEYSTONE_HOST']
    manifestdata = getManifestTemplate("keystone.pp")
+    hosts = set()
+    for key, value in host_iter(config):
+        if (key.find("MYSQL") != -1) or (key.find("QPID") != -1):
+            continue
+        hosts.add(value.strip())
+    config['FIREWALL_ALLOWED'] = ",".join(["'%s'" % i for i in hosts])
+    config['FIREWALL_SERVICE_NAME'] = "keystone"
+    config['FIREWALL_PORTS'] = "'5000', '35357'"
+    manifestdata += getManifestTemplate("firewall.pp")
    appendManifestFile(manifestfile, manifestdata)
--- a/packstack/puppet/templates/keystone.pp
+++ b/packstack/puppet/templates/keystone.pp
@@ -16,9 +16,3 @@ class {"keystone::endpoint":
    admin_address  => "%(CONFIG_KEYSTONE_HOST)s",
    internal_address  => "%(CONFIG_KEYSTONE_HOST)s",
 }
-
-firewall { '001 keystone incoming':
-    proto    => 'tcp',
-    dport    => ['5000', '35357'],
-    action   => 'accept',
-}