diff --git a/manifests/storage/all.pp b/manifests/storage/all.pp
index a0df37b6..1fbdbe8f 100644
--- a/manifests/storage/all.pp
+++ b/manifests/storage/all.pp
@@ -56,6 +56,18 @@
 # good for seeing errors if true
 # Defaults to true.
 #
+# [*max_connections*]
+# (optional) maximum number of simultaneous connections allowed for rsync.
+# Defaults to 25.
+#
+# [*hosts_allow*]
+# (optional) List of patterns allowed to connect to this module
+# Defaults to undef.
+#
+# [*hosts_deny*]
+# (optional) List of patterns not allowed to connect to this module
+# Defaults to undef.
+#
 # [*incoming_chmod*] Incoming chmod to set in the rsync server.
 # Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
 # This mask translates to 0755 for directories and 0644 for files.
@@ -119,10 +131,6 @@
 # version 3.0 or greater.
 # Default to $facts['os_service_default'].
 #
-# [*max_connections*]
-# (optional) maximum number of simultaneous connections allowed for rsync.
-# Defaults to 25.
-#
 # [*rsync_use_xinetd*]
 # (optional) Override whether to use xinetd to manage rsync service
 # Defaults to swift::params::xinetd_available
@@ -142,6 +150,9 @@ class swift::storage::all(
 $log_udp_host = undef,
 $log_udp_port = undef,
 $log_requests = true,
+ $max_connections = 25,
+ $hosts_allow = undef,
+ $hosts_deny = undef,
 $incoming_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
 $outgoing_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
 $statsd_enabled = false,
@@ -157,7 +168,6 @@ class swift::storage::all(
 $rsync_timeout = $facts['os_service_default'],
 $rsync_bwlimit = $facts['os_service_default'],
 $splice = false,
- $max_connections = 25,
 $rsync_use_xinetd = $::swift::params::xinetd_available,
 ) inherits swift::params {
 
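Review bot: The `[*hosts_allow*]` and `[*hosts_deny*]` comments added in the first hunk say "Defaults to undef" but not what that default means; nothing in this hunk restricts the rsync module, so with both left unset the replication modules presumably remain reachable from any host that can reach the rsync port, exactly as before this change. A one-line caveat would make the hardening intent usable for operators, e.g. `# When both hosts_allow and hosts_deny are undef, no host filter is applied; set hosts_allow to the replication network(s) to restrict access.` As I read rsyncd.conf, `hosts allow` is evaluated before `hosts deny` and a client matching neither is rejected once `hosts allow` is set, so that ordering is worth stating too (confirm against the rsync module consumed here). The hunk holds only header comments; the parameter declarations that carry these defaults are in a later hunk.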
@@ -203,6 +213,8 @@ from 6002 to 6202 and will be changed in a later release")
 log_statsd_sample_rate_factor => $log_statsd_sample_rate_factor,
 log_statsd_metric_prefix => $log_statsd_metric_prefix,
 max_connections => $max_connections,
+ hosts_allow => $hosts_allow,
+ hosts_deny => $hosts_deny,
 incoming_chmod => $incoming_chmod,
 outgoing_chmod => $outgoing_chmod,
 }
diff --git a/manifests/storage/server.pp b/manifests/storage/server.pp
index 70f9cdda..054c9525 100644
--- a/manifests/storage/server.pp
+++ b/manifests/storage/server.pp
@@ -39,6 +39,14 @@
 # (optional) maximum number of simultaneous connections allowed.
 # Defaults to 25.
 #
+# [*hosts_allow*]
+# (optional) List of patterns allowed to connect to this module
+# Defaults to undef.
+#
+# [*hosts_deny*]
+# (optional) List of patterns not allowed to connect to this module
+# Defaults to undef.
+#
 # [*incoming_chmod*] Incoming chmod to set in the rsync server.
 # Optional. Defaults to 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r'
 # This mask translates to 0755 for directories and 0644 for files.
@@ -223,9 +231,11 @@ define swift::storage::server(
 $device_names = [],
 $owner = undef,
 $group = undef,
+ $max_connections = 25,
+ $hosts_allow = undef,
+ $hosts_deny = undef,
 $incoming_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
 $outgoing_chmod = 'Du=rwx,g=rx,o=rx,Fu=rw,g=r,o=r',
- $max_connections = 25,
 $pipeline = ["${type}-server"],
 $mount_check = true,
 $disable_fallocate = $facts['os_service_default'],
@@ -311,6 +321,8 @@ define swift::storage::server(
 lock_file => "/var/lock/${type}_${device_name}.lock",
 uid => pick($owner, $::swift::params::user),
 gid => pick($group, $::swift::params::group),
+ hosts_allow => $hosts_allow,
+ hosts_deny => $hosts_deny,
 incoming_chmod => $incoming_chmod,
 outgoing_chmod => $outgoing_chmod,
 max_connections => $max_connections,
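Review bot: The `[*hosts_allow*]` and `[*hosts_deny*]` comments in the server.pp `@@ -39,6 +39,14 @@` hunk describe the values as a "List of patterns", yet the spec added in this same commit passes a plain String (`'192.0.2.0/25'`) and the parameters are declared untyped in the later hunk, so the documentation and the tested usage disagree. I would document the accepted shape explicitly and in rsyncd terms, e.g. `# (optional) Host pattern or list of patterns (rsyncd 'hosts allow' syntax: address, CIDR or hostname) allowed to connect to this module`, and mirror the wording for hosts_deny. Whether an Array is accepted is decided by the rsync::server::module define these values are passed to, which is outside this diff, so confirm before documenting both forms. The `define swift::storage::server(` body that consumes the parameters begins and ends outside these hunks.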
@@ -324,6 +336,8 @@ define swift::storage::server(
 lock_file => "/var/lock/${type}.lock",
 uid => pick($owner, $::swift::params::user),
 gid => pick($group, $::swift::params::group),
+ hosts_allow => $hosts_allow,
+ hosts_deny => $hosts_deny,
 incoming_chmod => $incoming_chmod,
 outgoing_chmod => $outgoing_chmod,
 max_connections => $max_connections,
diff --git a/releasenotes/notes/hosts_allow-7795d5f8f9ccd24e.yaml b/releasenotes/notes/hosts_allow-7795d5f8f9ccd24e.yaml
new file mode 100644
index 00000000..1019b9d3
--- /dev/null
+++ b/releasenotes/notes/hosts_allow-7795d5f8f9ccd24e.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The ``hosts_new`` parameter and the ``hosts_deny`` parameter have been
+ added to the following resources. These allows limiting access to the rsync
+ server.
+
+ - ``swift::storage::all`` class
+ - ``swift::storage::server`` defined resource type
diff --git a/spec/defines/swift_storage_server_spec.rb b/spec/defines/swift_storage_server_spec.rb
index 83579c9a..ae3fee11 100644
--- a/spec/defines/swift_storage_server_spec.rb
+++ b/spec/defines/swift_storage_server_spec.rb
@@ -144,6 +144,31 @@ describe 'swift::storage::server' do
 )}
 it { is_expected.to contain_swift_account_config('account-replicator/rsync_module').with_value('{replication_ip}::account_{device}') }
 end
+
+ context 'with rsync parameters' do
+ before do
+ params.merge!({
+ :max_connections => 100,
+ :hosts_allow => '192.0.2.0/25',
+ :hosts_deny => '192.0.2.128/25',
+ :incoming_chmod => '0644',
+ :outgoing_chmod => '0644',
+ })
+ end
+
+ it { is_expected.to contain_rsync__server__module('account').with(
+ :path => '/srv/node',
+ :lock_file => '/var/lock/account.lock',
+ :uid => 'swift',
+ :gid => 'swift',
+ :hosts_allow => '192.0.2.0/25',
+ :hosts_deny => '192.0.2.128/25',
+ :incoming_chmod => '0644',
+ :outgoing_chmod => '0644',
+ :max_connections => 100,
+ :read_only => false,
+ )}
+ end
 end
 
 describe 'for type container' do
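Review bot: The new `context 'with rsync parameters'` in the spec hunk exercises only String values for `hosts_allow` and `hosts_deny`, while the manifest comments added in this commit call them a "List of patterns"; within this hunk there is no Array case and no assertion that the `undef` defaults leave the rsync module without a host filter. Adding at least the Array form would pin the documented contract, e.g. `:hosts_allow => ['192.0.2.0/25', '192.0.2.64/26'],` in the `params.merge!` hash with the matching expectation in the `contain_rsync__server__module('account').with(` block. A default-value check in the existing default context (`.without_hosts_allow` and `.without_hosts_deny`, or however this spec expresses absent attributes) would guard against the default later becoming open or closed unintentionally; that context sits outside this hunk, so I cannot tell whether it already covers this. The container and object hunks later in the diff repeat the same pattern and would take the same additions.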
@@ -272,6 +297,31 @@ describe 'swift::storage::server' do
 )}
 it { is_expected.to contain_swift_container_config('container-replicator/rsync_module').with_value('{replication_ip}::container_{device}') }
 end
+
+ context 'with rsync parameters' do
+ before do
+ params.merge!({
+ :max_connections => 100,
+ :hosts_allow => '192.0.2.0/25',
+ :hosts_deny => '192.0.2.128/25',
+ :incoming_chmod => '0644',
+ :outgoing_chmod => '0644',
+ })
+ end
+
+ it { is_expected.to contain_rsync__server__module('container').with(
+ :path => '/srv/node',
+ :lock_file => '/var/lock/container.lock',
+ :uid => 'swift',
+ :gid => 'swift',
+ :hosts_allow => '192.0.2.0/25',
+ :hosts_deny => '192.0.2.128/25',
+ :incoming_chmod => '0644',
+ :outgoing_chmod => '0644',
+ :max_connections => 100,
+ :read_only => false,
+ )}
+ end
 end
 
 describe 'for type object' do
@@ -405,6 +455,31 @@ describe 'swift::storage::server' do
 )}
 it { is_expected.to contain_swift_object_config('object-replicator/rsync_module').with_value('{replication_ip}::object_{device}') }
 end
+
+ context 'with rsync parameters' do
+ before do
+ params.merge!({
+ :max_connections => 100,
+ :hosts_allow => '192.0.2.0/25',
+ :hosts_deny => '192.0.2.128/25',
+ :incoming_chmod => '0644',
+ :outgoing_chmod => '0644',
+ })
+ end
+
+ it { is_expected.to contain_rsync__server__module('object').with(
+ :path => '/srv/node',
+ :lock_file => '/var/lock/object.lock',
+ :uid => 'swift',
+ :gid => 'swift',
+ :hosts_allow => '192.0.2.0/25',
+ :hosts_deny => '192.0.2.128/25',
+ :incoming_chmod => '0644',
+ :outgoing_chmod => '0644',
+ :max_connections => 100,
+ :read_only => false,
+ )}
+ end
 end
 end
 