Don't use admin user for OS services.

Generate a special front-end user and use it instead of admin.

Change-Id: I901da00321d5316215bf10b4627e1dd4c25de6ce
alexey-mr 2016-08-10 14:44:16 +03:00
parent 18c7be145d
commit 72b63c4c2f
4 changed files with 28 additions and 5 deletions


@ -16,10 +16,17 @@ if $scaleio['metadata']['enabled'] {
true => $scaleio['gateway_ip'],
default => hiera('management_vip')
}
$password = $scaleio['password']
if $scaleio['existing_cluster'] {
$client_password = $password
} else {
$client_password_str = base64('encode', pw_hash($password, 'SHA-512', 'scaleio.client.access'))
$client_password = inline_template('Sio-<%= @client_password_str[33..40] %>-<%= @client_password_str[41..48] %>')
}
class {'::scaleio_openstack::cinder':
ensure => present,
gateway_user => $::gateway_user,
gateway_password => $scaleio['password'],
gateway_password => $client_password,
gateway_ip => $gateway_ip,
gateway_port => $::gateway_port,
protection_domains => $scaleio['protection_domain'],
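Review bot: `$client_password` in the `else` branch is a pure function of the admin password, because `pw_hash` is called with the constant salt `'scaleio.client.access'` and sixteen characters of the base64-encoded result are kept. The salt and slice offsets are public in this repository, so anyone who obtains the client password (it is passed on as `gateway_password`, presumably into the cinder service configuration) holds an offline check for guesses of the admin password, and two deployments with the same admin password get the same client password. A separately generated random secret stored with the plugin settings would keep the two credentials independent and allow rotating one without the other. The same derivation is repeated in the cluster manifest and the nova manifest, so the three copies must also stay identical for authentication to keep working.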


@ -319,6 +319,8 @@ if $scaleio['metadata']['enabled'] {
} else {
$capacity_critical_alert_threshold = undef
}
$client_password_str = base64('encode', pw_hash($password, 'SHA-512', 'scaleio.client.access'))
$client_password = inline_template('Sio-<%= @client_password_str[33..40] %>-<%= @client_password_str[41..48] %>')
notify {"Configure cluster MDM: ${master_mdm}": } ->
scaleio::login {'Normal':
password => $password,
@ -391,6 +393,7 @@ if $scaleio['metadata']['enabled'] {
rfcache_devices => $rfcache_devices,
sds_devices_config => $sds_devices_config,
require => Protection_domain_ensure[$protection_domain_array],
before => Scaleio::Cluster['Create scaleio client user'],
}
if $capacity_high_alert_threshold and $capacity_critical_alert_threshold {
scaleio::cluster {'Configure alerts':
@ -398,6 +401,7 @@ if $scaleio['metadata']['enabled'] {
capacity_high_alert_threshold => $capacity_high_alert_threshold,
capacity_critical_alert_threshold => $capacity_critical_alert_threshold,
require => Protection_domain_ensure[$protection_domain_array],
before => Scaleio::Cluster['Create scaleio client user'],
}
}
# Apply high performance profile to SDC-es
@ -406,8 +410,14 @@ if $scaleio['metadata']['enabled'] {
scaleio::sdc {'Set performance settings for all available SDCs':
ip => $sdc_nodes_ips[0],
require => Protection_domain_ensure[$protection_domain_array],
before => Scaleio::Cluster['Create scaleio client user'],
}
}
scaleio::cluster {'Create scaleio client user':
ensure => 'present',
client_password => $client_password,
require => [Protection_domain_ensure[$protection_domain_array], Sds_ensure[$to_add_sds_names]],
}
} else {
notify {"Not Master MDM IP ${master_mdm}": }
}
@ -426,7 +436,6 @@ if $scaleio['metadata']['enabled'] {
match => '^SCALEIO_discovery_allowed=',
line => 'SCALEIO_discovery_allowed=no',
}
} else {
fail('Empty MDM IPs configuration')
}
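Review bot: The slice offsets `[33..40]` and `[41..48]` and the `Sio-` prefix in the two derivation lines of this file's first hunk are unexplained, so a reader cannot tell which part of the hash string is kept or why the result has this shape. A comment above them would help, for example `# Offsets 33..48 are assumed to lie past the fixed "$6$<salt>$" prefix of the crypt string (TODO confirm); 'Sio-' plus two 8-char groups is assumed to satisfy the ScaleIO password policy (TODO confirm)`. This copy also has no `existing_cluster` guard, unlike the cinder and nova manifests. The enclosing condition lies outside the hunk, so it is worth confirming that this branch never runs against an existing cluster.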


@ -153,10 +153,10 @@ if $scaleio['metadata']['enabled'] {
fact => 'ips',
value => $ctrl_ips
} ->
env_fact{'Environment fact: role gateway, user: admin':
env_fact{'Environment fact: role gateway, user: scaleio_client':
role => 'gateway',
fact => 'user',
value => 'admin'
value => 'scaleio_client'
} ->
env_fact{'Environment fact: role gateway, port: 4443':
role => 'gateway',
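Review bot: The gateway user fact becomes `'scaleio_client'` unconditionally in the lines shown, while the cinder and nova manifests pass the admin password as `gateway_password` when `$scaleio['existing_cluster']` is set. Unless that case is handled outside this hunk, an existing-cluster deployment would pair the `scaleio_client` name with the admin password, and the account may not exist on a cluster this plugin did not create. Consider choosing the value from `existing_cluster` here as well. Taking the name from one shared variable would also help, since `scaleio::cluster {'Create scaleio client user'}` does not show which user name it creates.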


@ -16,10 +16,17 @@ if $scaleio['metadata']['enabled'] {
true => $scaleio['gateway_ip'],
default => hiera('management_vip')
}
$password = $scaleio['password']
if $scaleio['existing_cluster'] {
$client_password = $password
} else {
$client_password_str = base64('encode', pw_hash($password, 'SHA-512', 'scaleio.client.access'))
$client_password = inline_template('Sio-<%= @client_password_str[33..40] %>-<%= @client_password_str[41..48] %>')
}
class {'::scaleio_openstack::nova':
ensure => present,
gateway_user => $::gateway_user,
gateway_password => $scaleio['password'],
gateway_password => $client_password,
gateway_ip => $gateway_ip,
gateway_port => $::gateway_port,
protection_domains => $scaleio['protection_domain'],