From eaa1d8dbe90c92c9c32d7592cdaccbe036a721fb Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Thu, 19 May 2016 14:36:14 +0300
Subject: [PATCH] Delete service_token from keystone on Fuel Master

Deletes keystone service token after deploying keystone to minimize security risk.

Change-Id: I776644f727ce086369954f383a09b48b60bf11a5
Depends-On: Idb7694b19792a6c43c2752867da7c34b995513d0
Closes-Bug: #1582893
(cherry picked from commit 4c884a0b566b598f84aea864b41302d4c3c4377e)
---
 deployment/puppet/fuel/examples/deploy.sh | 1 +
 .../fuel/examples/keystone_token_disable.pp | 3 ++
 .../manifests/astute/service_token_off.pp | 2 +-
 .../master/keystone_token_disable_spec.rb | 30 +++++++++++++++++++
 4 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 deployment/puppet/fuel/examples/keystone_token_disable.pp
 create mode 100644 tests/noop/spec/hosts/master/keystone_token_disable_spec.rb

diff --git a/deployment/puppet/fuel/examples/deploy.sh b/deployment/puppet/fuel/examples/deploy.sh
index 1555f21f3d..afff4af6bd 100755
--- a/deployment/puppet/fuel/examples/deploy.sh
+++ b/deployment/puppet/fuel/examples/deploy.sh
@@ -23,6 +23,7 @@ rabbitmq
 mcollective
 astute
 keystone
+keystone_token_disable
 nailgun
 ostf
 nginx_repo
diff --git a/deployment/puppet/fuel/examples/keystone_token_disable.pp b/deployment/puppet/fuel/examples/keystone_token_disable.pp
new file mode 100644
index 0000000000..755823838a
--- /dev/null
+++ b/deployment/puppet/fuel/examples/keystone_token_disable.pp
@@ -0,0 +1,3 @@
+notice('MODULAR: keystone.pp')
+
+class { 'osnailyfacter::astute::service_token_off': }
diff --git a/deployment/puppet/osnailyfacter/manifests/astute/service_token_off.pp b/deployment/puppet/osnailyfacter/manifests/astute/service_token_off.pp
index f7cd859505..40da3866ae 100644
--- a/deployment/puppet/osnailyfacter/manifests/astute/service_token_off.pp
+++ b/deployment/puppet/osnailyfacter/manifests/astute/service_token_off.pp
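Review bot: The MODULAR tag in the new keystone_token_disable.pp manifest names the wrong task: `notice('MODULAR: keystone.pp')` should read `notice('MODULAR: keystone_token_disable.pp')`, otherwise the deploy log shows keystone.pp starting twice and the step that strips the admin token cannot be told apart from the keystone deployment itself when reading or alerting on master logs. A one-line header comment stating what the task does and why it is separate, e.g. `# Removes the bootstrap admin token from keystone once the service is configured; must run after keystone.pp`, would also make the ordering dependency explicit. The matching deploy.sh hunk places `keystone_token_disable` directly after `keystone`, which is the right spot for that reason, and a `# must run after keystone` comment on that line would record the constraint where it is most likely to be broken by a reorder.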
@@ -8,7 +8,7 @@ class osnailyfacter::astute::service_token_off {
 $keystone_params_hash = hiera_hash('keystone', {})
- if $keystone_params_hash['service_token_off'] {
+ if str2bool($keystone_params_hash['service_token_off']) {
 include ::keystone::params
 include ::tweaks::apache_wrappers
diff --git a/tests/noop/spec/hosts/master/keystone_token_disable_spec.rb b/tests/noop/spec/hosts/master/keystone_token_disable_spec.rb
new file mode 100644
index 0000000000..ebb7393f87
--- /dev/null
+++ b/tests/noop/spec/hosts/master/keystone_token_disable_spec.rb
@@ -0,0 +1,30 @@
+# HIERA: master
+# FACTS: master_centos7
+
+require 'spec_helper'
+require 'shared-examples'
+manifest = 'master/keystone_token_disable.pp'
+
+describe manifest do
+ shared_examples 'catalog' do
+
+ keystone_params = Noop.hiera_structure 'keystone'
+ disable_token = Noop.puppet_function('str2bool', keystone_params['service_token_off'])
+
+ if disable_token
+ it 'should remove admin_token option' do
+ is_expected.to contain_keystone_config('DEFAULT/admin_token').with_ensure('absent')
+ end
+
+ it 'should contain exec of remove AdminTokenAuthMiddleware from pipelines' do
+ paste_ini = '/etc/keystone/keystone-paste.ini'
+ is_expected.to contain_exec('remove_admin_token_auth_middleware').with(
+ :path => ['/bin', '/usr/bin'],
+ :command => "sed -i.dist 's/ admin_token_auth//' #{paste_ini}",
+ :onlyif => "fgrep -q ' admin_token_auth' #{paste_ini}",
+ )
+ end
+ end
+ end
+ run_test manifest
+end
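Review bot: `if str2bool($keystone_params_hash['service_token_off']) {` changes what happens when the `service_token_off` key is absent from the `keystone` hiera hash: the old condition treated undef as false, whereas str2bool now receives an undef/empty argument, and on some Puppet/stdlib combinations it raises a parse error for a non-string argument instead of returning false — worth confirming against the stdlib version this branch pins. If a missing key should keep the previous "do nothing" behaviour, guard it explicitly, e.g. `if str2bool(pick($keystone_params_hash['service_token_off'], false)) {`. A parse error here would abort the master deployment rather than silently leave the admin token in keystone.conf, which is the safer failure mode for this class, but that should be a deliberate choice recorded in a comment rather than a side effect of the coercion. The class body continues outside the hunk.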
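Review bot: When `service_token_off` evaluates to false in the master hiera data, the `if disable_token` branch inside `shared_examples 'catalog'` defines no examples at all, so the spec passes without asserting anything about the catalog and would not catch a regression that strips the token unconditionally or an inverted guard in the manifest. Add an `else` branch that pins the negative case; the rewritten tail of the `if` is below. The spec also hardcodes `/etc/keystone/keystone-paste.ini`; if the manifest derives that path from `::keystone::params`, a one-line comment such as `# duplicated from keystone::params on purpose: the test should fail if the manifest stops editing the real paste file` would explain why the value is repeated here.
```ruby
    if disable_token
      # … unchanged: admin_token removal and paste-pipeline exec examples …
    else
      it 'should leave the admin token untouched when service_token_off is false' do
        is_expected.not_to contain_keystone_config('DEFAULT/admin_token').with_ensure('absent')
        is_expected.not_to contain_exec('remove_admin_token_auth_middleware')
      end
    end
```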