Deprecate the default values for password parameters

Currently puppet-swift provides default values for some password
parameters, but this is not ideal from a security perspective and we
should expect operators to set their own passwords explicitly.

This patch deprecates the usage of these default values and adds a
warning message which appears when a password is not defined, so that
we can remove the current default values in the next cycle.

Change-Id: I6e7721d04ae2bf2e2a2ea3f02ebfcbded58692e2
Takashi Kajinami 2020-05-12 22:27:12 +09:00
parent de443f28fc
commit 2df992faf3
7 changed files with 59 additions and 10 deletions


@ -80,6 +80,10 @@ class swift::keymaster(
include swift::deps
if $password == undef {
warning('password parameter is missing')
}
swift_keymaster_config {
'kms_keymaster/api_class': value => $api_class;
'kms_keymaster/key_id': value => $key_id;
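Review bot: The keymaster warning `warning('password parameter is missing')` differs from the deprecation text the other four classes emit, and unlike them this hunk introduces no `$password_real` fallback, so it is unclear from the hunk alone whether swift::keymaster still applies a default as the release note claims. If a default is kept, the message should match the other classes, e.g. `warning('Usage of the default password is deprecated and will be removed in a future release. Please set password parameter')`; if the parameter is already mandatory, the release-note entry for swift::keymaster::password is misleading and should be dropped. The parameter declaration and the rest of the class body are outside the hunk.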


@ -89,7 +89,7 @@
#
class swift::keystone::auth(
$auth_name = 'swift',
$password = 'swift_password',
$password = undef,
$tenant = 'services',
$email = 'swift@localhost',
$region = 'RegionOne',
@ -112,6 +112,14 @@ class swift::keystone::auth(
include swift::deps
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'swift_password'
} else {
$password_real = $password
}
if $service_name == $service_name_s3 {
fail('swift::keystone::auth parameters service_name and service_name_s3 must be different.')
}
@ -134,7 +142,7 @@ class swift::keystone::auth(
service_description => $service_description,
region => $region,
auth_name => $auth_name,
password => $password,
password => $password_real,
email => $email,
tenant => $tenant,
public_url => $public_url,
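Review bot: The warning text on the two lines after `if $password == undef {` is a single-quoted Puppet string split with a trailing backslash; in single quotes only `\\` and `\'` are escapes, so as far as I can tell the emitted message carries a literal backslash, the newline and the indentation preceding `Please set password parameter`. The same construct appears in the authtoken, ceilometer and s3token sections. Because four classes emit identical text, an operator also cannot tell which parameter is unset, whereas the `fail()` two lines below does name the class. Keeping the message on one line and prefixing the class, `warning('swift::keystone::auth::password is not set. Usage of the default password is deprecated and will be removed in a future release. Please set password parameter')`, addresses both. The enclosing class body continues outside the hunk.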


@ -94,7 +94,7 @@ class swift::proxy::authtoken(
$user_domain_id = 'default',
$project_name = 'services',
$username = 'swift',
$password = 'password',
$password = undef,
$region_name = $::os_service_default,
$include_service_catalog = false,
$service_token_roles = $::os_service_default,
@ -103,6 +103,14 @@ class swift::proxy::authtoken(
include swift::deps
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'password'
} else {
$password_real = $password
}
if ($::os_package_type != 'debian') {
file { $signing_dir:
ensure => directory,
@ -127,7 +135,7 @@ class swift::proxy::authtoken(
'filter:authtoken/user_domain_id': value => $user_domain_id;
'filter:authtoken/project_name': value => $project_name;
'filter:authtoken/username': value => $username;
'filter:authtoken/password': value => $password, secret => true;
'filter:authtoken/password': value => $password_real, secret => true;
'filter:authtoken/region_name': value => $region_name;
'filter:authtoken/delay_auth_decision': value => $delay_auth_decision;
'filter:authtoken/cache': value => $cache;


@ -133,7 +133,7 @@ class swift::proxy::ceilometer(
$user_domain_name = 'Default',
$project_name = 'services',
$username = 'swift',
$password = 'password',
$password = undef,
$region_name = $::os_service_default,
$notification_ssl_ca_file = $::os_service_default,
$notification_ssl_cert_file = $::os_service_default,
@ -169,6 +169,14 @@ class swift::proxy::ceilometer(
warning('The swift::proxy::ceilometer::auth_uri parameter was deperecated, and has no effect')
}
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'password'
} else {
$password_real = $password
}
swift_proxy_config {
'filter:ceilometer/topic': value => $topic;
'filter:ceilometer/driver': value => $driver;
@ -183,7 +191,7 @@ class swift::proxy::ceilometer(
'filter:ceilometer/user_domain_name': value => $user_domain_name;
'filter:ceilometer/project_name': value => $project_name;
'filter:ceilometer/username': value => $username;
'filter:ceilometer/password': value => $password, secret => true;
'filter:ceilometer/password': value => $password_real, secret => true;
'filter:ceilometer/region_name': value => $region_name;
}


@ -101,7 +101,7 @@ class swift::proxy::s3token(
$auth_url = 'http://127.0.0.1:5000',
$auth_type = 'password',
$username = 'swift',
$password = 'password',
$password = undef,
$project_name = 'services',
$project_domain_id = 'default',
$user_domain_id = 'default'
@ -116,6 +116,13 @@ class swift::proxy::s3token(
$auth_uri_real = $auth_uri
}
if $password == undef {
warning('Usage of the default password is deprecated and will be removed in a future release. \
Please set password parameter')
$password_real = 'password'
} else {
$password_real = $password
}
swift_proxy_config {
'filter:s3token/use': value => 'egg:swift#s3token';
@ -127,7 +134,7 @@ class swift::proxy::s3token(
'filter:s3token/auth_url': value => $auth_url;
'filter:s3token/auth_type': value => $auth_type;
'filter:s3token/username': value => $username;
'filter:s3token/password': value => $password, secret => true;
'filter:s3token/password': value => $password_real, secret => true;
'filter:s3token/project_name': value => $project_name;
'filter:s3token/project_domain_id': value => $project_domain_id;
'filter:s3token/user_domain_id': value => $user_domain_id;


@ -0,0 +1,13 @@
---
deprecations:
- |
The following password parameters currently use the default value when the
parameters are not set in manifests, but this behavior has been deprecated.
Please set actual password explicitly to avoid failure before the default
values are removed.
- swift::keymaster::password
- swift::keystone::auth::password
- swift::proxy::authtoken::password
- swift::proxy::ceilometer::password
- swift::proxy::s3token::password


@ -16,6 +16,7 @@ describe 'swift::proxy::ceilometer' do
}
end
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/paste.filter_factory').with_value('ceilometermiddleware.swift:filter_factory') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/url').with_value('rabbit://user_1:user_1_passw@1.1.1.1:5673/rabbit').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/nonblocking_notify').with_value('false') }
@ -38,7 +39,7 @@ describe 'swift::proxy::ceilometer' do
:user_domain_name => 'Default',
:project_name => 'services',
:username => 'swift',
:password => 'password',
:password => 'mypassword',
:region_name => 'region2'
}
end
@ -58,7 +59,7 @@ describe 'swift::proxy::ceilometer' do
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/user_domain_name').with_value('Default') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/project_name').with_value('services') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/username').with_value('swift') }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('password').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/password').with_value('mypassword').with_secret(true) }
it { is_expected.to contain_swift_proxy_config('filter:ceilometer/region_name').with_value('region2') }
end
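Review bot: Only the ceilometer spec gains coverage of the new undef branch; judging from the diffstat, the analogous branches in swift::keystone::auth, swift::proxy::authtoken, swift::proxy::s3token and swift::keymaster receive no spec change in this commit. The added expectation `with_value('password')` in the first hunk pins the deprecated fallback, which is the right thing to assert until the default is removed; the other specs should get the same default-branch expectation plus an explicit-password case like the `'mypassword'` one in the later hunks. The describe block starts outside the hunk.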