From 4d997af2cdebc0a177ce3f6e44933e539064dea3 Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Tue, 23 Oct 2018 10:55:05 +0200
Subject: [PATCH] Fix default signing_dir for Debian

Under Debian, /var/cache/swift is set with unix rights 0755. This is a problem when using it as signing dir. Instead, it's much better to use /var/lib/swift, which is using 0750. This patch changes the default value to be stored in params.pp, and which now depends on the OS package type. It also fixes the matching tests.

Change-Id: I4a73f8fc10a2bb9f62c9597b50d0ea3abe69f36e
---
 manifests/params.pp | 6 +++++
 manifests/proxy/authtoken.pp | 25 +++++++++++--------
 .../notes/signing-dir-543b814469e76728.yaml | 6 +++++
 spec/classes/swift_proxy_authtoken_spec.rb | 15 ++++++++++-
 4 files changed, 40 insertions(+), 12 deletions(-)
 create mode 100644 releasenotes/notes/signing-dir-543b814469e76728.yaml

diff --git a/manifests/params.pp b/manifests/params.pp
index 584bd58b..e72e6a49 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -40,6 +40,11 @@ class swift::params {
 $account_reaper_service_name = 'swift-account-reaper'
 $account_replicator_service_name = 'swift-account-replicator'
 $swift3 = 'swift-plugin-s3'
+ if ($::os_package_type == 'debian') {
+ $signing_dir = '/var/lib/swift'
+ }else{
+ $signing_dir = '/var/cache/swift'
+ }
 }
 'RedHat': {
 $package_name = 'openstack-swift'
@@ -66,6 +71,7 @@ class swift::params {
 $account_reaper_service_name = 'openstack-swift-account-reaper'
 $account_replicator_service_name = 'openstack-swift-account-replicator'
 $swift3 = 'openstack-swift-plugin-swift3'
+ $signing_dir = '/var/cache/swift'
 }
 default: {
 fail("Unsupported osfamily: ${::osfamily} for os ${::operatingsystem}")
diff --git a/manifests/proxy/authtoken.pp b/manifests/proxy/authtoken.pp
index a4d9e389..e4cb973d 100644
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
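Review bot: The new Debian branch is written as `}else{`, which departs from the `} else {` spacing the rest of a Puppet manifest is expected to use; worth reformatting before merge. The `$::os_package_type == 'debian'` test also means a Debian-family node whose package type fact is anything other than exactly 'debian' (Ubuntu presumably, or a node where the fact is absent) keeps '/var/cache/swift', and the reason for the split lives only in the commit message, so a comment above the `if` such as `# Debian packages ship /var/lib/swift with mode 0750, while their /var/cache/swift is 0755` would record it in the manifest. The `case` statement these two hunks sit inside begins outside the hunk.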
@@ -11,7 +11,7 @@
 #
 # [*signing_dir*]
 # The cache directory for signing certificates.
-# Defaults to '/var/cache/swift'
+# Defaults to $::swift::params::signing_dir
 #
 # [*cache*]
 # The cache backend to use
@@ -87,7 +87,7 @@
 #
 class swift::proxy::authtoken(
 $delay_auth_decision = 1,
- $signing_dir = '/var/cache/swift',
+ $signing_dir = $::swift::params::signing_dir,
 $cache = 'swift.cache',
 $auth_uri = 'http://127.0.0.1:5000',
 $auth_url = 'http://127.0.0.1:5000',
@@ -104,7 +104,7 @@ class swift::proxy::authtoken(
 $admin_password = undef,
 $identity_uri = undef,
 $admin_token = undef,
-) {
+) inherits swift::params {
 include ::swift::deps
@@ -133,16 +133,19 @@ class swift::proxy::authtoken(
 $project_name_real = pick($admin_tenant_name, $project_name)
 $password_real = pick($admin_password, $password)
- file { $signing_dir:
- ensure => directory,
- mode => '0700',
- owner => 'swift',
- group => 'swift',
- selinux_ignore_defaults => true,
- require => Anchor['swift::config::begin'],
- before => Anchor['swift::config::end'],
+ if ($::os_package_type != 'debian') {
+ file { $signing_dir:
+ ensure => directory,
+ mode => '0700',
+ owner => 'swift',
+ group => 'swift',
+ selinux_ignore_defaults => true,
+ require => Anchor['swift::config::begin'],
+ before => Anchor['swift::config::end'],
+ }
 }
+
 swift_proxy_config {
 'filter:authtoken/log_name': value => 'swift';
 'filter:authtoken/signing_dir': value => $signing_dir;
diff --git a/releasenotes/notes/signing-dir-543b814469e76728.yaml b/releasenotes/notes/signing-dir-543b814469e76728.yaml
new file mode 100644
index 00000000..aaa77857
--- /dev/null
+++ b/releasenotes/notes/signing-dir-543b814469e76728.yaml
@@ -0,0 +1,6 @@
+---
+prelude: >
+ The default signing_dir is changed to /var/lib/swift for Debian. For all
+ other OSes, /var/cache/swift is kept. This is due to the fact that the
+ Debian sysv-init / systemd scripts are setting /var/cache/swift with the
+ unix rights 0755, which isn't safe for this OS.
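Review bot: The `if ($::os_package_type != 'debian')` guard around `file { $signing_dir: ... }` skips directory management on every Debian-packaged node, including one where the caller passed a non-default `signing_dir`, so that custom directory is neither created nor locked down to 0700 there. The commit message only justifies leaving the packaged /var/lib/swift alone, so gating on the path rather than the package type keeps the protection for overrides: `if !($::os_package_type == 'debian' and $signing_dir == $::swift::params::signing_dir) {`. For the Debian default the module now relies entirely on the package-shipped 0750 on /var/lib/swift, which nothing in the manifest states; a comment above the guard such as `# Debian packages own /var/lib/swift (0750); do not override its ownership or mode here` would record why the resource is skipped. The enclosing class swift::proxy::authtoken continues outside the hunk.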
diff --git a/spec/classes/swift_proxy_authtoken_spec.rb b/spec/classes/swift_proxy_authtoken_spec.rb
index 36e59dd8..980d40a9 100644
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@@ -19,7 +19,7 @@ describe 'swift::proxy::authtoken' do
 describe "when using default parameters" do
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
- it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value('/var/cache/swift') }
+ it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value(platform_params[:default_signing_dir]) }
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000') }
 it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('http://127.0.0.1:5000') }
@@ -101,6 +101,19 @@ describe 'swift::proxy::authtoken' do
 facts.merge(OSDefaults.get_facts())
 end
+ let(:platform_params) do
+ case facts[:osfamily]
+ when 'Debian'
+ if facts[:os_package_type] == 'debian'
+ { :default_signing_dir => '/var/lib/swift' }
+ else
+ { :default_signing_dir => '/var/cache/swift' }
+ end
+ when 'RedHat'
+ { :default_signing_dir => '/var/cache/swift' }
+ end
+ end
+
 it_configures 'swift::proxy::authtoken'
 end
 end
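Review bot: The new `platform_params` block only feeds the `with_value` assertion on the config key; nothing in the hunk checks that the `file { $signing_dir: }` resource is now present on RedHat and absent on Debian-packaged nodes, which is the behavioural change the manifest made, so a per-platform `is_expected.to contain_file('/var/cache/swift')` / `is_expected.not_to contain_file('/var/lib/swift')` expectation would cover it (unless that already lives elsewhere in the spec). Because `platform_params` reproduces the same `os_package_type` branching as manifests/params.pp, the test passes whenever the two copies agree rather than asserting an independently stated expectation; a short comment above `let(:platform_params)` noting that it deliberately mirrors params.pp would make that trade-off visible. The `case` also yields `nil` for any osfamily other than 'Debian'/'RedHat', which surfaces as a `NoMethodError` on `[:default_signing_dir]` instead of a clear failure; `else raise "unsupported osfamily #{facts[:osfamily]}"` would name the problem. The `on_supported_os` style block this hunk edits begins outside the hunk.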