Merge "Fix default signing_dir for Debian"

Zuul 2018-11-07 19:53:34 +00:00 committed by Gerrit Code Review
commit 79f51081ce
4 changed files with 40 additions and 12 deletions


@ -41,6 +41,11 @@ class swift::params {
$account_reaper_service_name = 'swift-account-reaper' $account_reaper_service_name = 'swift-account-reaper'
$account_replicator_service_name = 'swift-account-replicator' $account_replicator_service_name = 'swift-account-replicator'
$swift3 = 'swift-plugin-s3' $swift3 = 'swift-plugin-s3'
if ($::os_package_type == 'debian') {
$signing_dir = '/var/lib/swift'
}else{
$signing_dir = '/var/cache/swift'
}
} }
'RedHat': { 'RedHat': {
$package_name = 'openstack-swift' $package_name = 'openstack-swift'
@ -67,6 +72,7 @@ class swift::params {
$account_reaper_service_name = 'openstack-swift-account-reaper' $account_reaper_service_name = 'openstack-swift-account-reaper'
$account_replicator_service_name = 'openstack-swift-account-replicator' $account_replicator_service_name = 'openstack-swift-account-replicator'
$swift3 = 'openstack-swift-plugin-swift3' $swift3 = 'openstack-swift-plugin-swift3'
$signing_dir = '/var/cache/swift'
} }
default: { default: {
fail("Unsupported osfamily: ${::osfamily} for os ${::operatingsystem}") fail("Unsupported osfamily: ${::osfamily} for os ${::operatingsystem}")
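Review bot: The Debian branch picks `/var/lib/swift` with no comment saying why, so the security rationale lives only in the release note. A line above the `if`, such as `# Debian's init/systemd scripts set /var/cache/swift to 0755, so the signing dir is moved to /var/lib/swift there`, would keep the reason next to the value. The `}else{` would also read better as `} else {`. The body of swift::params starts and ends outside this hunk.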


@ -11,7 +11,7 @@
# #
# [*signing_dir*] # [*signing_dir*]
# The cache directory for signing certificates. # The cache directory for signing certificates.
# Defaults to '/var/cache/swift' # Defaults to $::swift::params::signing_dir
# #
# [*cache*] # [*cache*]
# The cache backend to use # The cache backend to use
@ -87,7 +87,7 @@
# #
class swift::proxy::authtoken( class swift::proxy::authtoken(
$delay_auth_decision = 1, $delay_auth_decision = 1,
$signing_dir = '/var/cache/swift', $signing_dir = $::swift::params::signing_dir,
$cache = 'swift.cache', $cache = 'swift.cache',
$auth_uri = 'http://127.0.0.1:5000', $auth_uri = 'http://127.0.0.1:5000',
$auth_url = 'http://127.0.0.1:5000', $auth_url = 'http://127.0.0.1:5000',
@ -104,7 +104,7 @@ class swift::proxy::authtoken(
$admin_password = undef, $admin_password = undef,
$identity_uri = undef, $identity_uri = undef,
$admin_token = undef, $admin_token = undef,
) { ) inherits swift::params {
include ::swift::deps include ::swift::deps
@ -133,16 +133,19 @@ class swift::proxy::authtoken(
$project_name_real = pick($admin_tenant_name, $project_name) $project_name_real = pick($admin_tenant_name, $project_name)
$password_real = pick($admin_password, $password) $password_real = pick($admin_password, $password)
file { $signing_dir: if ($::os_package_type != 'debian') {
ensure => directory, file { $signing_dir:
mode => '0700', ensure => directory,
owner => 'swift', mode => '0700',
group => 'swift', owner => 'swift',
selinux_ignore_defaults => true, group => 'swift',
require => Anchor['swift::config::begin'], selinux_ignore_defaults => true,
before => Anchor['swift::config::end'], require => Anchor['swift::config::begin'],
before => Anchor['swift::config::end'],
}
} }
swift_proxy_config { swift_proxy_config {
'filter:authtoken/log_name': value => 'swift'; 'filter:authtoken/log_name': value => 'swift';
'filter:authtoken/signing_dir': value => $signing_dir; 'filter:authtoken/signing_dir': value => $signing_dir;


@ -0,0 +1,6 @@
---
prelude: >
The default signing_dir is changed to /var/lib/swift for Debian. For all
other OSes, /var/cache/swift is kept. This is due to the fact that the
Debian sysv-init / systemd scripts are setting /var/cache/swift with the
unix rights 0755, which isn't safe for this OS.


@ -19,7 +19,7 @@ describe 'swift::proxy::authtoken' do
describe "when using default parameters" do describe "when using default parameters" do
it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/log_name').with_value('swift') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value('/var/cache/swift') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/signing_dir').with_value(platform_params[:default_signing_dir]) }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/paste.filter_factory').with_value('keystonemiddleware.auth_token:filter_factory') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/www_authenticate_uri').with_value('http://127.0.0.1:5000') }
it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('http://127.0.0.1:5000') } it { is_expected.to contain_swift_proxy_config('filter:authtoken/auth_url').with_value('http://127.0.0.1:5000') }
@ -101,6 +101,19 @@ describe 'swift::proxy::authtoken' do
facts.merge(OSDefaults.get_facts()) facts.merge(OSDefaults.get_facts())
end end
let(:platform_params) do
case facts[:osfamily]
when 'Debian'
if facts[:os_package_type] == 'debian'
{ :default_signing_dir => '/var/lib/swift' }
else
{ :default_signing_dir => '/var/cache/swift' }
end
when 'RedHat'
{ :default_signing_dir => '/var/cache/swift' }
end
end
it_configures 'swift::proxy::authtoken' it_configures 'swift::proxy::authtoken'
end end
end end
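Review bot: The spec checks only the `filter:authtoken/signing_dir` config value; no assertion visible in these hunks covers the new rule that the directory resource is managed everywhere except on Debian packaging, so a regression in the 0700 / swift ownership would still pass. `platform_params` could carry a second key for this, with the shared example asserting `is_expected.to contain_file(platform_params[:default_signing_dir]).with_mode('0700')` where the directory is expected to be managed. The `case` in `platform_params` also has no `else`, so an unlisted osfamily yields nil and the `[:default_signing_dir]` lookup raises rather than failing with a clear message. The describe and shared-example blocks start outside the hunks, so existing coverage elsewhere in the file should be confirmed.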