Hide secrets from puppet logs

Currently secrets like rabbit_password or os_password are displayed in
puppet logs when changed. This commit changes ceilometer_config type
adding a new parameter that triggers obfuscation of the values in
puppet logs.

Change-Id: I9eb6504220c5337c154bf5ad86c7d22bea64df51
Closes-Bug: #1328448
This commit is contained in:
Stefano Zilli 2014-06-10 11:17:39 +02:00
parent c2f41fb1eb
commit b10f1af5b0
9 changed files with 58 additions and 9 deletions

View File

@ -4,7 +4,11 @@ Puppet::Type.newtype(:ceilometer_config) do
newparam(:name, :namevar => true) do
desc 'Section/setting name to manage from ceilometer.conf'
newvalues(/\S+\/\S+/)
validate do |value|
unless value =~ /\S+\/\S+/
fail("Invalid ceilometer_config #{value}, entries without sections are no longer supported, please add an explicit section (probably DEFAULT) to all ceilometer_config resources")
end
end
end
newproperty(:value) do
@ -14,6 +18,39 @@ Puppet::Type.newtype(:ceilometer_config) do
value.capitalize! if value =~ /^(true|false)$/i
value
end
newvalues(/^[\S ]*$/)
def is_to_s( currentvalue )
if resource.secret?
return '[old secret redacted]'
else
return currentvalue
end
end
def should_to_s( newvalue )
if resource.secret?
return '[new secret redacted]'
else
return newvalue
end
end
end
newparam(:secret, :boolean => true) do
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
newvalues(:true, :false)
defaultto false
end
validate do
if self[:ensure] == :present
if self[:value].nil?
raise Puppet::Error, "Property value must be set for #{self[:name]} when ensure is present"
end
end
end
end

View File

@ -49,7 +49,7 @@ class ceilometer::agent::auth (
'service_credentials/os_auth_url' : value => $auth_url;
'service_credentials/os_region_name' : value => $auth_region;
'service_credentials/os_username' : value => $auth_user;
'service_credentials/os_password' : value => $auth_password;
'service_credentials/os_password' : value => $auth_password, secret => true;
'service_credentials/os_tenant_name' : value => $auth_tenant_name;
}

View File

@ -86,7 +86,7 @@ class ceilometer::api (
'keystone_authtoken/auth_protocol' : value => $keystone_protocol;
'keystone_authtoken/admin_tenant_name' : value => $keystone_tenant;
'keystone_authtoken/admin_user' : value => $keystone_user;
'keystone_authtoken/admin_password' : value => $keystone_password;
'keystone_authtoken/admin_password' : value => $keystone_password, secret => true;
'api/host' : value => $host;
'api/port' : value => $port;
}

View File

@ -65,7 +65,7 @@ class ceilometer::db (
}
ceilometer_config {
'database/connection': value => $database_connection;
'database/connection': value => $database_connection, secret => true;
}
Ceilometer_config['database/connection'] ~> Exec['ceilometer-dbsync']

View File

@ -183,7 +183,7 @@ class ceilometer(
ceilometer_config {
'DEFAULT/rabbit_userid' : value => $rabbit_userid;
'DEFAULT/rabbit_password' : value => $rabbit_password;
'DEFAULT/rabbit_password' : value => $rabbit_password, secret => true;
'DEFAULT/rabbit_virtual_host' : value => $rabbit_virtual_host;
'DEFAULT/rabbit_use_ssl' : value => $rabbit_use_ssl;
}
@ -212,7 +212,7 @@ class ceilometer(
'DEFAULT/qpid_hostname' : value => $qpid_hostname;
'DEFAULT/qpid_port' : value => $qpid_port;
'DEFAULT/qpid_username' : value => $qpid_username;
'DEFAULT/qpid_password' : value => $qpid_password;
'DEFAULT/qpid_password' : value => $qpid_password, secret => true;
'DEFAULT/qpid_heartbeat' : value => $qpid_heartbeat;
'DEFAULT/qpid_protocol' : value => $qpid_protocol;
'DEFAULT/qpid_tcp_nodelay' : value => $qpid_tcp_nodelay;
@ -229,7 +229,7 @@ class ceilometer(
# Once we got here, we can act as an honey badger on the rpc used.
ceilometer_config {
'DEFAULT/rpc_backend' : value => $rpc_backend;
'publisher/metering_secret' : value => $metering_secret;
'publisher/metering_secret' : value => $metering_secret, secret => true;
'DEFAULT/debug' : value => $debug;
'DEFAULT/verbose' : value => $verbose;
'DEFAULT/notification_topics' : value => join($notification_topics, ',');

View File

@ -23,6 +23,7 @@ describe 'ceilometer::agent::auth' do
should contain_ceilometer_config('service_credentials/os_region_name').with_value('RegionOne')
should contain_ceilometer_config('service_credentials/os_username').with_value('ceilometer')
should contain_ceilometer_config('service_credentials/os_password').with_value('password')
should contain_ceilometer_config('service_credentials/os_password').with_value(params[:auth_password]).with_secret(true)
should contain_ceilometer_config('service_credentials/os_tenant_name').with_value('services')
should contain_ceilometer_config('service_credentials/os_cacert').with(:ensure => 'absent')
end

View File

@ -54,6 +54,7 @@ describe 'ceilometer::api' do
should contain_ceilometer_config('keystone_authtoken/admin_tenant_name').with_value( params[:keystone_tenant] )
should contain_ceilometer_config('keystone_authtoken/admin_user').with_value( params[:keystone_user] )
should contain_ceilometer_config('keystone_authtoken/admin_password').with_value( params[:keystone_password] )
should contain_ceilometer_config('keystone_authtoken/admin_password').with_value( params[:keystone_password] ).with_secret(true)
should contain_ceilometer_config('keystone_authtoken/auth_admin_prefix').with_ensure('absent')
should contain_ceilometer_config('keystone_authtoken/auth_uri').with_value( params[:keystone_protocol] + "://" + params[:keystone_host] + ":5000/" )
should contain_ceilometer_config('api/host').with_value( params[:host] )

View File

@ -20,6 +20,7 @@ describe 'ceilometer::db' do
:ensure => 'present',
:name => 'python-pymongo')
should contain_ceilometer_config('database/connection').with_value('mongodb://localhost:1234/ceilometer')
should contain_ceilometer_config('database/connection').with_value( params[:database_connection] ).with_secret(true)
end
it 'runs ceilometer-dbsync' do
@ -54,6 +55,7 @@ describe 'ceilometer::db' do
:ensure => 'present',
:name => 'python-pymongo')
should contain_ceilometer_config('database/connection').with_value('mongodb://localhost:1234/ceilometer')
should contain_ceilometer_config('database/connection').with_value( params[:database_connection] ).with_secret(true)
end
it 'runs ceilometer-dbsync' do
@ -121,6 +123,7 @@ describe 'ceilometer::db' do
:ensure => 'present',
:name => 'python-sqlite2')
should contain_ceilometer_config('database/connection').with_value('sqlite:///var/lib/ceilometer.db')
should contain_ceilometer_config('database/connection').with_value( params[:database_connection] ).with_secret(true)
end
it 'runs ceilometer-dbsync' do

View File

@ -113,6 +113,7 @@ describe 'ceilometer' do
it 'configures required metering_secret' do
should contain_ceilometer_config('publisher/metering_secret').with_value('metering-s3cr3t')
should contain_ceilometer_config('publisher/metering_secret').with_value( params[:metering_secret] ).with_secret(true)
end
context 'without the required metering_secret' do
@ -174,6 +175,7 @@ describe 'ceilometer' do
it 'configures rabbit' do
should contain_ceilometer_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
should contain_ceilometer_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
should contain_ceilometer_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] ).with_secret(true)
should contain_ceilometer_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
end
@ -181,6 +183,7 @@ describe 'ceilometer' do
it { should contain_ceilometer_config('DEFAULT/rabbit_port').with_value( params[:rabbit_port] ) }
it { should contain_ceilometer_config('DEFAULT/rabbit_hosts').with_value( "#{params[:rabbit_host]}:#{params[:rabbit_port]}" ) }
it { should contain_ceilometer_config('DEFAULT/rabbit_ha_queues').with_value('false') }
end
shared_examples_for 'rabbit without HA support (without backward compatibility)' do
@ -188,6 +191,7 @@ describe 'ceilometer' do
it 'configures rabbit' do
should contain_ceilometer_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
should contain_ceilometer_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
should contain_ceilometer_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] ).with_secret(true)
should contain_ceilometer_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
end
@ -195,6 +199,7 @@ describe 'ceilometer' do
it { should contain_ceilometer_config('DEFAULT/rabbit_port').with_ensure('absent') }
it { should contain_ceilometer_config('DEFAULT/rabbit_hosts').with_value( params[:rabbit_hosts].join(',') ) }
it { should contain_ceilometer_config('DEFAULT/rabbit_ha_queues').with_value('false') }
end
shared_examples_for 'rabbit with HA support' do
@ -202,6 +207,7 @@ describe 'ceilometer' do
it 'configures rabbit' do
should contain_ceilometer_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_userid] )
should contain_ceilometer_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
should contain_ceilometer_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] ).with_secret(true)
should contain_ceilometer_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
end
@ -209,6 +215,7 @@ describe 'ceilometer' do
it { should contain_ceilometer_config('DEFAULT/rabbit_port').with_ensure('absent') }
it { should contain_ceilometer_config('DEFAULT/rabbit_hosts').with_value( params[:rabbit_hosts].join(',') ) }
it { should contain_ceilometer_config('DEFAULT/rabbit_ha_queues').with_value('true') }
end
shared_examples_for 'rabbit with SSL support' do
@ -246,7 +253,6 @@ describe 'ceilometer' do
it_raises 'a Puppet::Error', /The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true/
end
end
shared_examples_for 'qpid support' do
@ -268,6 +274,7 @@ describe 'ceilometer' do
it { should contain_ceilometer_config('DEFAULT/qpid_port').with_value( params[:qpid_port] ) }
it { should contain_ceilometer_config('DEFAULT/qpid_username').with_value( params[:qpid_username]) }
it { should contain_ceilometer_config('DEFAULT/qpid_password').with_value(params[:qpid_password]) }
it { should contain_ceilometer_config('DEFAULT/qpid_password').with_value( params[:qpid_password] ).with_secret(true) }
end
context("failing if the rpc_backend is not present") do