Apply SSH security settings from UI
This commit restricts SSH access to the networks provided in the UI instead of allowing it from all local networks by default. DocImpact Depends-On: I34c9907d781b81253ed6942c67b16f8480de3bb5 Change-Id: Ifca70a377c74d233fbca50de7245bce01079ad56 Closes-Bug: #1419657 Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
parent
cbd5a99e0d
commit
498eaa85d4
@ -5,6 +5,7 @@ class osnailyfacter::firewall::firewall {
|
|||
$network_scheme = hiera_hash('network_scheme', {})
|
||||
$network_metadata = hiera_hash('network_metadata')
|
||||
$ironic_hash = hiera_hash('ironic', {})
|
||||
$ssh_hash = hiera_hash('ssh', {})
|
||||
$roles = hiera('roles')
|
||||
$storage_hash = hiera('storage', {})
|
||||
|
||||
|
@ -108,11 +109,19 @@ class osnailyfacter::firewall::firewall {
|
|||
action => 'accept',
|
||||
}
|
||||
|
||||
$all_networks = concat($admin_nets, $management_nets, $storage_nets)
|
||||
|
||||
if $ssh_hash['security_enabled'] {
|
||||
$ssh_networks = pick($ssh_hash['security_networks'], $all_networks)
|
||||
} else {
|
||||
$ssh_networks = $all_networks
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'020 ssh':
|
||||
port => $ssh_port,
|
||||
proto => 'tcp',
|
||||
action => 'accept',
|
||||
source_nets => concat($admin_nets, $management_nets, $storage_nets),
|
||||
source_nets => $ssh_networks,
|
||||
}
|
||||
|
||||
openstack::firewall::multi_net {'109 iscsi':
|
||||
|
@ -488,10 +497,10 @@ class osnailyfacter::firewall::firewall {
|
|||
if $storage_hash['objects_ceph'] {
|
||||
if member($roles, 'primary-controller') or member($roles, 'controller') {
|
||||
firewall {'012 RadosGW allow':
|
||||
chain => 'INPUT',
|
||||
dport => [ $radosgw_port, $swift_proxy_port ],
|
||||
proto => 'tcp',
|
||||
action => accept,
|
||||
chain => 'INPUT',
|
||||
dport => [ $radosgw_port, $swift_proxy_port ],
|
||||
proto => 'tcp',
|
||||
action => accept,
|
||||
}
|
||||
}
|
||||
}
|
||||
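Review bot: In the `if $ssh_hash['security_enabled']` branch, `pick` does not treat an empty array as unset (if I read puppetlabs-stdlib's pick correctly it drops only undef and empty strings), so a UI that enables the restriction but submits an empty `security_networks` list hands an empty `source_nets` to `openstack::firewall::multi_net`; what that resource does with an empty list is not visible here, but it is plausibly no accept rule at all, which would lock the node out of SSH from every network including the admin one. I would make the fallback explicit rather than rely on pick: `if $ssh_hash['security_enabled'] and !empty($ssh_hash['security_networks']) {` followed by `$ssh_networks = $ssh_hash['security_networks']` in place of the `pick(...)` line. The fail-open fallback to `$all_networks` also deserves a comment, e.g. `# No explicit list: keep the previous behaviour (all local networks) so the node stays reachable from the admin network.` The enclosing class continues outside the hunk.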
@ -23,6 +23,10 @@ describe manifest do
|
|||
Noop.puppet_function 'prepare_network_config', network_scheme
|
||||
end
|
||||
|
||||
let(:admin_nets) do
|
||||
Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'fw-admin'
|
||||
end
|
||||
|
||||
let(:management_nets) do
|
||||
Noop.puppet_function 'get_routable_networks_for_network_role', network_scheme, 'management'
|
||||
end
|
||||
|
@ -55,6 +59,24 @@ describe manifest do
|
|||
roles = network_metadata['nodes'][node_name]['node_roles']
|
||||
mongodb_port = Noop.hiera('mongodb_port', '27017')
|
||||
|
||||
ssh_hash = Noop.hiera_hash 'ssh', {}
|
||||
|
||||
it 'should accept connections to the SSH service only from specified networks' do
|
||||
|
||||
if ssh_hash['security_enabled']
|
||||
ssh_networks = Noop.puppet_function 'pick', ssh_hash['security_networks'], Noop.puppet_function, 'concat', admin_nets, management_nets, storage_nets
|
||||
else
|
||||
ssh_networks = Noop.puppet_function 'concat', admin_nets, management_nets, storage_nets
|
||||
end
|
||||
|
||||
should contain_openstack__firewall__multi_net('020 ssh').with(
|
||||
'port' => [ 22 ],
|
||||
'proto' => 'tcp',
|
||||
'action' => 'accept',
|
||||
'source_nets' => ssh_networks,
|
||||
)
|
||||
end
|
||||
|
||||
if Noop.puppet_function 'member', roles, 'primary-controller' or Noop.puppet_function 'member', roles, 'controller'
|
||||
it 'should properly restrict rabbitmq admin traffic' do
|
||||
should contain_firewall('005 local rabbitmq admin').with(
|
||||
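Review bot: The `security_enabled` branch of the new SSH example has a stray comma after `Noop.puppet_function` on the pick line, so `Noop.puppet_function` is invoked with no arguments and `'concat'`, `admin_nets`, `management_nets` and `storage_nets` become extra positional arguments to `pick` instead of being concatenated; the expected `source_nets` would be wrong (or the call would raise) as soon as a fixture enables the restriction. It should read `ssh_networks = Noop.puppet_function 'pick', ssh_hash['security_networks'], Noop.puppet_function('concat', admin_nets, management_nets, storage_nets)`. Because `ssh_hash` is read from the fixture hiera, the example only ever exercises whichever branch the fixtures select, so a fixture with `security_enabled` set and a non-empty `security_networks` list is needed for the restriction itself to be covered. The `describe` block this example sits in starts and ends outside the hunk.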