Hide secrets from puppet logs
Currently secrets like rabbit_password, admin_password or database connection are leaked in puppet logs when changed. This commit changes neutron_*_config and neutron_*_ini types adding a new parameter that triggers obfuscation of the values in puppet logs. Change-Id: I7dc59ce9580bfb1d4afdfbced668d0cb2979458a Closes-Bug: #1328448
@@ -14,5 +14,30 @@ Puppet::Type.newtype(:neutron_api_config) do
|
||||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
end
|
||||
|
||||
end
|
||||
|
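Review bot: The `is_to_s`/`should_to_s` overrides and the `newparam(:secret, :boolean => true)` block added here are repeated verbatim in the neutron_config, neutron_metadata_agent_config, neutron_plugin_cisco, neutron_plugin_cisco_credentials and neutron_plugin_nvp hunks, so any later adjustment to the redaction (a different placeholder, or another message path) has to be made six times. A small mixin module in the module's lib directory holding the two methods, pulled into each value property with a single `include` line, would keep the six types identical by construction. The `newproperty` block these methods live in starts before this hunk. The redaction covers only the property change message built from these two methods; anything a provider prints about the value at debug level is, as far as visible here, not affected, and the `desc` text could say so, for example "Whether to hide the value from the Puppet change log. Defaults to false."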
@@ -14,6 +14,30 @@ Puppet::Type.newtype(:neutron_config) do
|
||||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
end
|
||||
|
||||
def create
|
||||
|
@@ -14,5 +14,30 @@ Puppet::Type.newtype(:neutron_metadata_agent_config) do
|
||||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
end
|
||||
|
||||
end
|
||||
|
@@ -18,5 +18,30 @@ Puppet::Type.newtype(:neutron_plugin_cisco) do
|
||||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
end
|
||||
|
||||
end
|
||||
|
@@ -18,5 +18,30 @@ Puppet::Type.newtype(:neutron_plugin_cisco_credentials) do
|
||||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
|
||||
end
|
||||
end
|
||||
|
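Review bot: There is a stray blank line between `defaultto false` and the `end` that closes the secret parameter block, unlike the other five type files in this commit where `end` follows `defaultto false` directly. Dropping it keeps the six copies byte-identical, which matters if they are later diffed or consolidated. The enclosing `newtype` block starts before this hunk.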
@@ -14,5 +14,30 @@ Puppet::Type.newtype(:neutron_plugin_nvp) do
|
||||
value.capitalize! if value =~ /^(true|false)$/i
|
||||
value
|
||||
end
|
||||
|
||||
def is_to_s( currentvalue )
|
||||
if resource.secret?
|
||||
return '[old secret redacted]'
|
||||
else
|
||||
return currentvalue
|
||||
end
|
||||
end
|
||||
|
||||
def should_to_s( newvalue )
|
||||
if resource.secret?
|
||||
return '[new secret redacted]'
|
||||
else
|
||||
return newvalue
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
newparam(:secret, :boolean => true) do
|
||||
desc 'Whether to hide the value from Puppet logs. Defaults to `false`.'
|
||||
|
||||
newvalues(:true, :false)
|
||||
|
||||
defaultto false
|
||||
end
|
||||
|
||||
end
|
||||
|
@@ -92,7 +92,7 @@ class neutron::agents::metadata (
|
||||
'DEFAULT/auth_region': value => $auth_region;
|
||||
'DEFAULT/admin_tenant_name': value => $auth_tenant;
|
||||
'DEFAULT/admin_user': value => $auth_user;
|
||||
'DEFAULT/admin_password': value => $auth_password;
|
||||
'DEFAULT/admin_password': value => $auth_password, secret => true;
|
||||
'DEFAULT/nova_metadata_ip': value => $metadata_ip;
|
||||
'DEFAULT/nova_metadata_port': value => $metadata_port;
|
||||
'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret;
|
||||
|
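Review bot: `'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret;` is a context line in this same hunk and is still declared without `secret => true`, so the metadata proxy shared secret keeps appearing in the change notice while admin_password on the line above is redacted. Change it to `'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret, secret => true;` and add the matching `with_secret(true)` expectation to the neutron::agents::metadata spec. The neutron_metadata_agent_config resource hash continues outside the hunk.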
@@ -341,7 +341,7 @@ class neutron (
|
||||
|
||||
neutron_config {
|
||||
'DEFAULT/rabbit_userid': value => $rabbit_user;
|
||||
'DEFAULT/rabbit_password': value => $rabbit_password;
|
||||
'DEFAULT/rabbit_password': value => $rabbit_password, secret => true;
|
||||
'DEFAULT/rabbit_virtual_host': value => $rabbit_virtual_host;
|
||||
'DEFAULT/rabbit_use_ssl': value => $rabbit_use_ssl;
|
||||
}
|
||||
@@ -369,7 +369,7 @@ class neutron (
|
||||
'DEFAULT/qpid_hostname': value => $qpid_hostname;
|
||||
'DEFAULT/qpid_port': value => $qpid_port;
|
||||
'DEFAULT/qpid_username': value => $qpid_username;
|
||||
'DEFAULT/qpid_password': value => $qpid_password;
|
||||
'DEFAULT/qpid_password': value => $qpid_password, secret => true;
|
||||
'DEFAULT/qpid_heartbeat': value => $qpid_heartbeat;
|
||||
'DEFAULT/qpid_protocol': value => $qpid_protocol;
|
||||
'DEFAULT/qpid_tcp_nodelay': value => $qpid_tcp_nodelay;
|
||||
|
@@ -164,7 +164,7 @@ class neutron::plugins::cisco(
|
||||
|
||||
neutron_plugin_cisco_credentials {
|
||||
'keystone/username': value => $keystone_username;
|
||||
'keystone/password': value => $keystone_password;
|
||||
'keystone/password': value => $keystone_password, secret => true;
|
||||
'keystone/auth_url': value => $keystone_auth_url;
|
||||
'keystone/tenant' : value => $keystone_tenant;
|
||||
}
|
||||
|
@@ -48,7 +48,7 @@ class neutron::plugins::nvp (
|
||||
'DEFAULT/default_tz_uuid': value => $default_tz_uuid;
|
||||
'DEFAULT/nvp_controllers': value => join($nvp_controllers, ',');
|
||||
'DEFAULT/nvp_user': value => $nvp_user;
|
||||
'DEFAULT/nvp_password': value => $nvp_password;
|
||||
'DEFAULT/nvp_password': value => $nvp_password, secret => true;
|
||||
'nvp/metadata_mode': value => 'access_network';
|
||||
}
|
||||
|
||||
|
@@ -271,7 +271,7 @@ class neutron::server (
|
||||
'DEFAULT/api_workers': value => $api_workers;
|
||||
'DEFAULT/agent_down_time': value => $agent_down_time;
|
||||
'DEFAULT/router_scheduler_driver': value => $router_scheduler_driver;
|
||||
'database/connection': value => $database_connection_real;
|
||||
'database/connection': value => $database_connection_real, secret => true;
|
||||
'database/idle_timeout': value => $database_idle_timeout_real;
|
||||
'database/retry_interval': value => $database_retry_interval_real;
|
||||
'database/max_retries': value => $database_max_retries_real;
|
||||
@@ -302,7 +302,7 @@ class neutron::server (
|
||||
'keystone_authtoken/auth_protocol': value => $auth_protocol;
|
||||
'keystone_authtoken/admin_tenant_name': value => $auth_tenant;
|
||||
'keystone_authtoken/admin_user': value => $auth_user;
|
||||
'keystone_authtoken/admin_password': value => $auth_password;
|
||||
'keystone_authtoken/admin_password': value => $auth_password, secret => true;
|
||||
}
|
||||
|
||||
neutron_api_config {
|
||||
@@ -311,7 +311,7 @@ class neutron::server (
|
||||
'filter:authtoken/auth_protocol': value => $auth_protocol;
|
||||
'filter:authtoken/admin_tenant_name': value => $auth_tenant;
|
||||
'filter:authtoken/admin_user': value => $auth_user;
|
||||
'filter:authtoken/admin_password': value => $auth_password;
|
||||
'filter:authtoken/admin_password': value => $auth_password, secret => true;
|
||||
}
|
||||
|
||||
if $auth_admin_prefix {
|
||||
|
@@ -91,7 +91,7 @@ class neutron::server::notifications (
|
||||
'DEFAULT/nova_url': value => $nova_url;
|
||||
'DEFAULT/nova_admin_auth_url': value => $nova_admin_auth_url;
|
||||
'DEFAULT/nova_admin_username': value => $nova_admin_username;
|
||||
'DEFAULT/nova_admin_password': value => $nova_admin_password;
|
||||
'DEFAULT/nova_admin_password': value => $nova_admin_password, secret => true;
|
||||
'DEFAULT/nova_region_name': value => $nova_region_name;
|
||||
}
|
||||
|
||||
|
@@ -55,6 +55,7 @@ describe 'neutron::agents::metadata' do
|
||||
should contain_neutron_metadata_agent_config('DEFAULT/admin_tenant_name').with(:value => params[:auth_tenant])
|
||||
should contain_neutron_metadata_agent_config('DEFAULT/admin_user').with(:value => params[:auth_user])
|
||||
should contain_neutron_metadata_agent_config('DEFAULT/admin_password').with(:value => params[:auth_password])
|
||||
should contain_neutron_metadata_agent_config('DEFAULT/admin_password').with_secret( true )
|
||||
should contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_ip').with(:value => params[:metadata_ip])
|
||||
should contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_port').with(:value => params[:metadata_port])
|
||||
should contain_neutron_metadata_agent_config('DEFAULT/metadata_workers').with(:value => params[:metadata_workers])
|
||||
|
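Review bot: `with_secret( true )` puts spaces inside the parentheses while the neighbouring `.with(:value => ...)` matchers in this spec use none; the same spacing appears in the cisco, nvp, notifications and server specs below, whose surrounding matchers also have no inner spacing. Use `with_secret(true)`, or fold the flag into the existing matcher as `.with(:value => params[:auth_password], :secret => true)` so the value and the secret flag are asserted on one line. The `it` block this expectation belongs to starts before the hunk.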
@@ -97,6 +97,7 @@ describe 'neutron' do
|
||||
it 'configures credentials for rabbit' do
|
||||
should contain_neutron_config('DEFAULT/rabbit_userid').with_value( params[:rabbit_user] )
|
||||
should contain_neutron_config('DEFAULT/rabbit_password').with_value( params[:rabbit_password] )
|
||||
should contain_neutron_config('DEFAULT/rabbit_password').with_secret( true )
|
||||
should contain_neutron_config('DEFAULT/rabbit_virtual_host').with_value( params[:rabbit_virtual_host] )
|
||||
end
|
||||
|
||||
|
@@ -105,6 +105,7 @@ describe 'neutron::plugins::cisco' do
|
||||
with_value(params[:keystone_username])
|
||||
should contain_neutron_plugin_cisco_credentials('keystone/password').\
|
||||
with_value(params[:keystone_password])
|
||||
should contain_neutron_plugin_cisco_credentials('keystone/password').with_secret( true )
|
||||
should contain_neutron_plugin_cisco_credentials('keystone/auth_url').\
|
||||
with_value(params[:keystone_auth_url])
|
||||
should contain_neutron_plugin_cisco_credentials('keystone/tenant').\
|
||||
|
@@ -58,6 +58,7 @@ describe 'neutron::plugins::nvp' do
|
||||
should contain_neutron_plugin_nvp('DEFAULT/nvp_controllers').with_value(p[:nvp_controllers].join(','))
|
||||
should contain_neutron_plugin_nvp('DEFAULT/nvp_user').with_value(p[:nvp_user])
|
||||
should contain_neutron_plugin_nvp('DEFAULT/nvp_password').with_value(p[:nvp_password])
|
||||
should contain_neutron_plugin_nvp('DEFAULT/nvp_password').with_secret( true )
|
||||
should_not contain_neutron_plugin_nvp('DEFAULT/default_l3_gw_service_uuid').with_value(p[:default_l3_gw_service_uuid])
|
||||
end
|
||||
|
||||
|
@@ -53,6 +53,7 @@ describe 'neutron::server::notifications' do
|
||||
should contain_neutron_config('DEFAULT/nova_admin_auth_url').with_value('http://127.0.0.1:35357/v2.0')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_username').with_value('nova')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_password').with_value('secrete')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_password').with_secret( true )
|
||||
should contain_neutron_config('DEFAULT/nova_region_name').with_value('RegionOne')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_tenant_id').with_value('UUID')
|
||||
end
|
||||
@@ -78,6 +79,7 @@ describe 'neutron::server::notifications' do
|
||||
should contain_neutron_config('DEFAULT/nova_admin_auth_url').with_value('http://keystone:35357/v2.0')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_username').with_value('joe')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_password').with_value('secrete')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_password').with_secret( true )
|
||||
should contain_neutron_config('DEFAULT/nova_region_name').with_value('MyRegion')
|
||||
should contain_neutron_config('DEFAULT/nova_admin_tenant_id').with_value('UUID2')
|
||||
end
|
||||
|
@@ -37,6 +37,7 @@ describe 'neutron::server' do
|
||||
|
||||
it 'should perform default database configuration of' do
|
||||
should contain_neutron_config('database/connection').with_value(p[:database_connection])
|
||||
should contain_neutron_config('database/connection').with_secret( true )
|
||||
should contain_neutron_config('database/max_retries').with_value(p[:database_max_retries])
|
||||
should contain_neutron_config('database/idle_timeout').with_value(p[:database_idle_timeout])
|
||||
should contain_neutron_config('database/retry_interval').with_value(p[:database_retry_interval])
|
||||
@@ -50,6 +51,7 @@ describe 'neutron::server' do
|
||||
should contain_neutron_api_config('filter:authtoken/admin_tenant_name').with_value(p[:auth_tenant]);
|
||||
should contain_neutron_api_config('filter:authtoken/admin_user').with_value(p[:auth_user]);
|
||||
should contain_neutron_api_config('filter:authtoken/admin_password').with_value(p[:auth_password]);
|
||||
should contain_neutron_api_config('filter:authtoken/admin_password').with_secret( true )
|
||||
should contain_neutron_api_config('filter:authtoken/auth_admin_prefix').with(:ensure => 'absent')
|
||||
should contain_neutron_api_config('filter:authtoken/auth_uri').with_value("http://localhost:5000/");
|
||||
end
|
||||
|