From 72b63c4c2ffd4434c57ee9320bf39a6152bbb304 Mon Sep 17 00:00:00 2001 From: alexey-mr Date: Wed, 10 Aug 2016 14:44:16 +0300 Subject: [PATCH] Don't use admin user for OS services. Generate special front end user and use it instead of admin. Change-Id: I901da00321d5316215bf10b4627e1dd4c25de6ce --- deployment_scripts/puppet/manifests/cinder.pp | 9 ++++++++- deployment_scripts/puppet/manifests/cluster.pp | 11 ++++++++++- deployment_scripts/puppet/manifests/environment.pp | 4 ++-- deployment_scripts/puppet/manifests/nova.pp | 9 ++++++++- 4 files changed, 28 insertions(+), 5 deletions(-) diff --git a/deployment_scripts/puppet/manifests/cinder.pp b/deployment_scripts/puppet/manifests/cinder.pp index 8c2d0de..1b922bf 100644 --- a/deployment_scripts/puppet/manifests/cinder.pp +++ b/deployment_scripts/puppet/manifests/cinder.pp @@ -16,10 +16,17 @@ if $scaleio['metadata']['enabled'] { true => $scaleio['gateway_ip'], default => hiera('management_vip') } + $password = $scaleio['password'] + if $scaleio['existing_cluster'] { + $client_password = $password + } else { + $client_password_str = base64('encode', pw_hash($password, 'SHA-512', 'scaleio.client.access')) + $client_password = inline_template('Sio-<%= @client_password_str[33..40] %>-<%= @client_password_str[41..48] %>') + } class {'::scaleio_openstack::cinder': ensure => present, gateway_user => $::gateway_user, - gateway_password => $scaleio['password'], + gateway_password => $client_password, gateway_ip => $gateway_ip, gateway_port => $::gateway_port, protection_domains => $scaleio['protection_domain'], diff --git a/deployment_scripts/puppet/manifests/cluster.pp b/deployment_scripts/puppet/manifests/cluster.pp index 765c339..1b167a5 100644 --- a/deployment_scripts/puppet/manifests/cluster.pp +++ b/deployment_scripts/puppet/manifests/cluster.pp 
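Review bot: In the `else` branch of the cinder.pp hunk, `$client_password` is a fixed function of the admin password (`pw_hash` with the constant salt 'scaleio.client.access', then a 16-character slice of the base64 text), and it is passed on as `gateway_password`. Anyone who can read the value configured for the service can therefore check admin-password guesses against it offline. An independently generated random secret stored with the plugin settings would separate the two credentials; if the derivation stays, add a comment such as `# client password is derived from the admin password; both change together` and require a long random admin password. The same derivation lines are copied into nova.pp and cluster.pp and must stay identical for logins to work, so a single shared definition would be safer than three copies. In the `existing_cluster` branch, `$client_password = $password` passes the configured password through unchanged, which deserves a comment saying which account that password is expected to belong to.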
@@ -319,6 +319,8 @@ if $scaleio['metadata']['enabled'] { } else { $capacity_critical_alert_threshold = undef } + $client_password_str = base64('encode', pw_hash($password, 'SHA-512', 'scaleio.client.access')) + $client_password = inline_template('Sio-<%= @client_password_str[33..40] %>-<%= @client_password_str[41..48] %>') notify {"Configure cluster MDM: ${master_mdm}": } -> scaleio::login {'Normal': password => $password, @@ -391,6 +393,7 @@ if $scaleio['metadata']['enabled'] { rfcache_devices => $rfcache_devices, sds_devices_config => $sds_devices_config, require => Protection_domain_ensure[$protection_domain_array], + before => Scaleio::Cluster['Create scaleio client user'], } if $capacity_high_alert_threshold and $capacity_critical_alert_threshold { scaleio::cluster {'Configure alerts': @@ -398,6 +401,7 @@ if $scaleio['metadata']['enabled'] { capacity_high_alert_threshold => $capacity_high_alert_threshold, capacity_critical_alert_threshold => $capacity_critical_alert_threshold, require => Protection_domain_ensure[$protection_domain_array], + before => Scaleio::Cluster['Create scaleio client user'], } } # Apply high performance profile to SDC-es @@ -406,8 +410,14 @@ if $scaleio['metadata']['enabled'] { scaleio::sdc {'Set performance settings for all available SDCs': ip => $sdc_nodes_ips[0], require => Protection_domain_ensure[$protection_domain_array], + before => Scaleio::Cluster['Create scaleio client user'], } } + scaleio::cluster {'Create scaleio client user': + ensure => 'present', + client_password => $client_password, + require => [Protection_domain_ensure[$protection_domain_array], Sds_ensure[$to_add_sds_names]], + } } else { notify {"Not Master MDM IP ${master_mdm}": } } @@ -426,7 +436,6 @@ if $scaleio['metadata']['enabled'] { match => '^SCALEIO_discovery_allowed=', line => 'SCALEIO_discovery_allowed=no', } - } else { fail('Empty MDM IPs configuration') } 
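Review bot: The `scaleio::cluster {'Create scaleio client user': ...}` resource passes only `ensure` and `client_password`, so the account name and its role are decided inside `scaleio::cluster` and cannot be checked from this hunk. Since the commit is about least privilege, confirm the role is non-admin and record it in a comment such as `# creates the non-admin front-end user that cinder.pp and nova.pp log in as`. Because `$client_password` is recomputed from `$password` on every run, changing the admin password later also changes the value Cinder and Nova are configured with. It is not visible here whether `ensure => 'present'` resets the password of an existing user; if it does not, the services would presumably fail to authenticate after such a change. The enclosing `if` block starts and ends outside these hunks.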
diff --git a/deployment_scripts/puppet/manifests/environment.pp b/deployment_scripts/puppet/manifests/environment.pp index 1ea9aa0..02db1e4 100644 --- a/deployment_scripts/puppet/manifests/environment.pp +++ b/deployment_scripts/puppet/manifests/environment.pp @@ -153,10 +153,10 @@ if $scaleio['metadata']['enabled'] { fact => 'ips', value => $ctrl_ips } -> - env_fact{'Environment fact: role gateway, user: admin': + env_fact{'Environment fact: role gateway, user: scaleio_client': role => 'gateway', fact => 'user', - value => 'admin' + value => 'scaleio_client' } -> env_fact{'Environment fact: role gateway, port: 4443': role => 'gateway', diff --git a/deployment_scripts/puppet/manifests/nova.pp b/deployment_scripts/puppet/manifests/nova.pp index fba9640..800c40f 100644 --- a/deployment_scripts/puppet/manifests/nova.pp +++ b/deployment_scripts/puppet/manifests/nova.pp @@ -16,10 +16,17 @@ if $scaleio['metadata']['enabled'] { true => $scaleio['gateway_ip'], default => hiera('management_vip') } + $password = $scaleio['password'] + if $scaleio['existing_cluster'] { + $client_password = $password + } else { + $client_password_str = base64('encode', pw_hash($password, 'SHA-512', 'scaleio.client.access')) + $client_password = inline_template('Sio-<%= @client_password_str[33..40] %>-<%= @client_password_str[41..48] %>') + } class {'::scaleio_openstack::nova': ensure => present, gateway_user => $::gateway_user, - gateway_password => $scaleio['password'], + gateway_password => $client_password, gateway_ip => $gateway_ip, gateway_port => $::gateway_port, protection_domains => $scaleio['protection_domain'],
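Review bot: In the environment.pp hunk the gateway user fact is set to 'scaleio_client' with no visible condition, while cinder.pp and nova.pp keep `$client_password = $password` when `$scaleio['existing_cluster']` is set. If this `env_fact` also applies to existing clusters (the enclosing condition is outside the hunk), services would log in as `scaleio_client` with the password taken from the settings. That only works if the account already exists on that cluster with that password. Either make the user name follow the same `existing_cluster` switch, or state the precondition in a comment, e.g. `# existing clusters must already have a scaleio_client user with the configured password`.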