Expose hosts_allow/deny for rsyncd configuration.

This introduces the hosts_allow parameter and the hosts_deny parameter so that users can limit access to the rsync server. Change-Id: I2bf7240f8c52aef8b4dd74ce5af12056377ab227
2023-06-05 08:10:28 -04:00 · 2023-06-05 08:10:28 -04:00 · de05151b9c
commit de05151b9c
parent 209a71a016
4 changed files with 116 additions and 6 deletions
--- a/manifests/storage/all.pp
+++ b/manifests/storage/all.pp
@ -56,6 +56,18 @@
 #   good for seeing errors if true
 #   Defaults to true.
 #
+# [*max_connections*]
+#   (optional) maximum number of simultaneous connections allowed for rsync.
+#   Defaults to 25.
+#
+# [*hosts_allow*]
+#   (optional) List of patterns allowed to connect to this module
+#   Defaults to undef.
+#
+# [*hosts_deny*]
+#   (optional) List of patterns not allowed to connect to this module
+#   Defaults to undef.
+#
 # [*incoming_chmod*] Incoming chmod to set in the rsync server.
 #   Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
 #   This mask translates to 0755 for directories and 0644 for files.
@ -119,10 +131,6 @@
 #   version 3.0 or greater.
 #   Default to $facts['os_service_default'].
 #
-# [*max_connections*]
-#   (optional) maximum number of simultaneous connections allowed for rsync.
-#   Defaults to 25.
-#
 # [*rsync_use_xinetd*]
 #   (optional) Override whether to use xinetd to manage rsync service
 #   Defaults to swift::params::xinetd_available
@ -142,6 +150,9 @@ class swift::storage::all(
  $log_udp_host                   = undef,
  $log_udp_port                   = undef,
  $log_requests                   = true,
+  $max_connections                = 25,
+  $hosts_allow                    = undef,
+  $hosts_deny                     = undef,
  $incoming_chmod                 = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
  $outgoing_chmod                 = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
  $statsd_enabled                 = false,
@ -157,7 +168,6 @@ class swift::storage::all(
  $rsync_timeout                  = $facts['os_service_default'],
  $rsync_bwlimit                  = $facts['os_service_default'],
  $splice                         = false,
-  $max_connections                = 25,
  $rsync_use_xinetd               = $::swift::params::xinetd_available,
 ) inherits swift::params {

@ -203,6 +213,8 @@ from 6002 to 6202 and will be changed in a later release")
    log_statsd_sample_rate_factor  => $log_statsd_sample_rate_factor,
    log_statsd_metric_prefix       => $log_statsd_metric_prefix,
    max_connections                => $max_connections,
+    hosts_allow                    => $hosts_allow,
+    hosts_deny                     => $hosts_deny,
    incoming_chmod                 => $incoming_chmod,
    outgoing_chmod                 => $outgoing_chmod,
  }
--- a/manifests/storage/server.pp
+++ b/manifests/storage/server.pp
@ -39,6 +39,14 @@
 #   (optional) maximum number of simultaneous connections allowed.
 #   Defaults to 25.
 #
+# [*hosts_allow*]
+#   (optional) List of patterns allowed to connect to this module
+#   Defaults to undef.
+#
+# [*hosts_deny*]
+#   (optional) List of patterns not allowed to connect to this module
+#   Defaults to undef.
+#
 # [*incoming_chmod*] Incoming chmod to set in the rsync server.
 #   Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
 #   This mask translates to 0755 for directories and 0644 for files.
@ -223,9 +231,11 @@ define swift::storage::server(
  $device_names                   = [],
  $owner                          = undef,
  $group                          = undef,
+  $max_connections                = 25,
+  $hosts_allow                    = undef,
+  $hosts_deny                     = undef,
  $incoming_chmod                 = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
  $outgoing_chmod                 = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
-  $max_connections                = 25,
  $pipeline                       = ["${type}-server"],
  $mount_check                    = true,
  $disable_fallocate              = $facts['os_service_default'],
@ -311,6 +321,8 @@ define swift::storage::server(
        lock_file       => "/var/lock/${type}_${device_name}.lock",
        uid             => pick($owner, $::swift::params::user),
        gid             => pick($group, $::swift::params::group),
+        hosts_allow     => $hosts_allow,
+        hosts_deny      => $hosts_deny,
        incoming_chmod  => $incoming_chmod,
        outgoing_chmod  => $outgoing_chmod,
        max_connections => $max_connections,
@ -324,6 +336,8 @@ define swift::storage::server(
      lock_file       => "/var/lock/${type}.lock",
      uid             => pick($owner, $::swift::params::user),
      gid             => pick($group, $::swift::params::group),
+      hosts_allow     => $hosts_allow,
+      hosts_deny      => $hosts_deny,
      incoming_chmod  => $incoming_chmod,
      outgoing_chmod  => $outgoing_chmod,
      max_connections => $max_connections,
--- a/releasenotes/notes/hosts_allow-7795d5f8f9ccd24e.yaml
+++ b/releasenotes/notes/hosts_allow-7795d5f8f9ccd24e.yaml
@ -0,0 +1,9 @@
+---
+features:
+  - |
+    The ``hosts_new`` parameter and the ``hosts_deny`` parameter have been
+    added to the following resources. These allows limiting access to the rsync
+    server.
+
+    - ``swift::storage::all`` class
+    - ``swift::storage::server`` defined resource type
--- a/spec/defines/swift_storage_server_spec.rb
+++ b/spec/defines/swift_storage_server_spec.rb
@ -144,6 +144,31 @@ describe 'swift::storage::server' do
        )}
        it { is_expected.to contain_swift_account_config('account-replicator/rsync_module').with_value('{replication_ip}::account_{device}') }
      end
+
+      context 'with rsync parameters' do
+        before do
+          params.merge!({
+            :max_connections => 100,
+            :hosts_allow     => '192.0.2.0/25',
+            :hosts_deny      => '192.0.2.128/25',
+            :incoming_chmod  => '0644',
+            :outgoing_chmod  => '0644',
+          })
+        end
+
+        it { is_expected.to contain_rsync__server__module('account').with(
+          :path            => '/srv/node',
+          :lock_file       => '/var/lock/account.lock',
+          :uid             => 'swift',
+          :gid             => 'swift',
+          :hosts_allow     => '192.0.2.0/25',
+          :hosts_deny      => '192.0.2.128/25',
+          :incoming_chmod  => '0644',
+          :outgoing_chmod  => '0644',
+          :max_connections => 100,
+          :read_only       => false,
+        )}
+      end
    end

    describe 'for type container' do
@ -272,6 +297,31 @@ describe 'swift::storage::server' do
        )}
        it { is_expected.to contain_swift_container_config('container-replicator/rsync_module').with_value('{replication_ip}::container_{device}') }
      end
+
+      context 'with rsync parameters' do
+        before do
+          params.merge!({
+            :max_connections => 100,
+            :hosts_allow     => '192.0.2.0/25',
+            :hosts_deny      => '192.0.2.128/25',
+            :incoming_chmod  => '0644',
+            :outgoing_chmod  => '0644',
+          })
+        end
+
+        it { is_expected.to contain_rsync__server__module('container').with(
+          :path            => '/srv/node',
+          :lock_file       => '/var/lock/container.lock',
+          :uid             => 'swift',
+          :gid             => 'swift',
+          :hosts_allow     => '192.0.2.0/25',
+          :hosts_deny      => '192.0.2.128/25',
+          :incoming_chmod  => '0644',
+          :outgoing_chmod  => '0644',
+          :max_connections => 100,
+          :read_only       => false,
+        )}
+      end
    end

    describe 'for type object' do
@ -405,6 +455,31 @@ describe 'swift::storage::server' do
        )}
        it { is_expected.to contain_swift_object_config('object-replicator/rsync_module').with_value('{replication_ip}::object_{device}') }
      end
+
+      context 'with rsync parameters' do
+        before do
+          params.merge!({
+            :max_connections => 100,
+            :hosts_allow     => '192.0.2.0/25',
+            :hosts_deny      => '192.0.2.128/25',
+            :incoming_chmod  => '0644',
+            :outgoing_chmod  => '0644',
+          })
+        end
+
+        it { is_expected.to contain_rsync__server__module('object').with(
+          :path            => '/srv/node',
+          :lock_file       => '/var/lock/object.lock',
+          :uid             => 'swift',
+          :gid             => 'swift',
+          :hosts_allow     => '192.0.2.0/25',
+          :hosts_deny      => '192.0.2.128/25',
+          :incoming_chmod  => '0644',
+          :outgoing_chmod  => '0644',
+          :max_connections => 100,
+          :read_only       => false,
+        )}
+      end
    end
  end