Merge "Fix default signing_dir for Debian"

2018-11-07 19:53:34 +00:00 · 2018-11-07 19:53:34 +00:00 · 79f51081ce
commit 79f51081ce
parent 092615ff80 4d997af2cd
4 changed files with 40 additions and 12 deletions
--- a/manifests/params.pp
+++ b/manifests/params.pp
@ -41,6 +41,11 @@ class swift::params {
      $account_reaper_service_name       = 'swift-account-reaper'
      $account_replicator_service_name   = 'swift-account-replicator'
      $swift3                            = 'swift-plugin-s3'
+      if ($::os_package_type == 'debian') {
+        $signing_dir = '/var/lib/swift'
+      }else{
+        $signing_dir = '/var/cache/swift'
+      }
    }
    'RedHat': {
      $package_name                      = 'openstack-swift'
@ -67,6 +72,7 @@ class swift::params {
      $account_reaper_service_name       = 'openstack-swift-account-reaper'
      $account_replicator_service_name   = 'openstack-swift-account-replicator'
      $swift3                            = 'openstack-swift-plugin-swift3'
+      $signing_dir                       = '/var/cache/swift'
    }
    default: {
        fail("Unsupported osfamily: ${::osfamily} for os ${::operatingsystem}")
--- a/manifests/proxy/authtoken.pp
+++ b/manifests/proxy/authtoken.pp
@ -11,7 +11,7 @@
 #
 # [*signing_dir*]
 #    The cache directory for signing certificates.
-#    Defaults to '/var/cache/swift'
+#    Defaults to $::swift::params::signing_dir
 #
 # [*cache*]
 #    The cache backend to use
@ -87,7 +87,7 @@
 #
 class swift::proxy::authtoken(
  $delay_auth_decision     = 1,
-  $signing_dir             = '/var/cache/swift',
+  $signing_dir             = $::swift::params::signing_dir,
  $cache                   = 'swift.cache',
  $auth_uri                = 'http://127.0.0.1:5000',
  $auth_url                = 'http://127.0.0.1:5000',
@ -104,7 +104,7 @@ class swift::proxy::authtoken(
  $admin_password          = undef,
  $identity_uri            = undef,
  $admin_token             = undef,
-) {
+) inherits swift::params {

  include ::swift::deps

@ -133,16 +133,19 @@ class swift::proxy::authtoken(
  $project_name_real = pick($admin_tenant_name, $project_name)
  $password_real = pick($admin_password, $password)

-  file { $signing_dir:
-    ensure                  => directory,
-    mode                    => '0700',
-    owner                   => 'swift',
-    group                   => 'swift',
-    selinux_ignore_defaults => true,
-    require                 => Anchor['swift::config::begin'],
-    before                  => Anchor['swift::config::end'],
+  if ($::os_package_type != 'debian') {
+    file { $signing_dir:
+      ensure                  => directory,
+      mode                    => '0700',
+      owner                   => 'swift',
+      group                   => 'swift',
+      selinux_ignore_defaults => true,
+      require                 => Anchor['swift::config::begin'],
+      before                  => Anchor['swift::config::end'],
+    }
  }

+
  swift_proxy_config {
    'filter:authtoken/log_name':                value => 'swift';
    'filter:authtoken/signing_dir':             value => $signing_dir;
--- a/releasenotes/notes/signing-dir-543b814469e76728.yaml
+++ b/releasenotes/notes/signing-dir-543b814469e76728.yaml
@ -0,0 +1,6 @@
+---
+prelude: >
+    The default signing_dir is changed to /var/lib/swift for Debian. For all
+    other OSes, /var/cache/swift is kept. This is due to the fact that the
+    Debian sysv-init / systemd scripts are setting /var/cache/swift with the
+    unix rights 0755, which isn't safe for this OS.
--- a/spec/classes/swift_proxy_authtoken_spec.rb
+++ b/spec/classes/swift_proxy_authtoken_spec.rb
@ -19,7 +19,7 @@ describe 'swift::proxy::authtoken' do

    describe "when using default parameters" do
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
-      it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value('/var/cache/swift') }
+      it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value(platform_params[:default_signing_dir]) }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000') }
      it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('http://127.0.0.1:5000') }
@ -101,6 +101,19 @@ describe 'swift::proxy::authtoken' do
        facts.merge(OSDefaults.get_facts())
      end

+      let(:platform_params) do
+        case facts[:osfamily]
+        when 'Debian'
+          if facts[:os_package_type] == 'debian'
+            { :default_signing_dir => '/var/lib/swift' }
+          else
+            { :default_signing_dir => '/var/cache/swift' }
+          end
+        when 'RedHat'
+          { :default_signing_dir => '/var/cache/swift' }
+        end
+      end
+
      it_configures 'swift::proxy::authtoken'
    end
  end