diff --git a/lib/puppet/type/ceph_config.rb b/lib/puppet/type/ceph_config.rb
index 6b36d3a..dcfaeed 100644
--- a/lib/puppet/type/ceph_config.rb
+++ b/lib/puppet/type/ceph_config.rb
@@ -1,49 +1,73 @@ # Copyright (C) Dan Bode # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Author: Dan Bode # Author: Mathieu Gagne Puppet::Type.newtype(:ceph_config) do ensurable newparam(:name, :namevar => true) do desc 'Section/setting name to manage from ./ceph.conf' newvalues(/\S+\/\S+/) end # required in order to be able to unit test file contents # Note: purge will not work on over-ridden file_path # lifted from ini_file newparam(:path) do desc 'A file path to over ride the default file path if necessary' validate do |value| unless (Puppet.features.posix? and value =~ /^\//) or (Puppet.features.microsoft_windows? and (value =~ /^.:\// or value =~ /^\/\/[^\/]+\/[^\/]+/)) raise(Puppet::Error, "File paths must be fully qualified, not '#{value}'") end end defaultto false end newproperty(:value) do desc 'The value of the setting to be defined.' munge do |value| value = value.to_s.strip value.downcase! if value =~ /^(true|false)$/i value end + + def is_to_s( currentvalue ) + if resource.secret? + return '[old secret redacted]' + else + return currentvalue + end + end + + def should_to_s( newvalue ) + if resource.secret? + return '[new secret redacted]' + else + return newvalue + end + end + end + + newparam(:secret, :boolean => true) do + desc 'Whether to hide the value from Puppet logs. Defaults to `false`.' + + newvalues(:true, :false) + + defaultto false end end diff --git a/manifests/rgw/keystone.pp b/manifests/rgw/keystone.pp index 02735a2..4b88926 100644 
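Review bot: The `desc` on the new `secret` parameter promises more than the added code visibly does. `is_to_s` and `should_to_s` in `newproperty(:value)` only swap the strings Puppet prints for a change, and nothing in this hunk marks the property as sensitive. The value may therefore still appear where these two methods are not used, such as the compiled catalog and probably report event fields; this is worth confirming against the supported Puppet versions. I would narrow the description to `desc 'Whether to redact the value in Puppet change messages. Does not protect the catalog or ceph.conf itself. Defaults to false.'`. The release note in the same commit also calls `secret` a property, while it is declared here with `newparam`.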
--- a/manifests/rgw/keystone.pp
+++ b/manifests/rgw/keystone.pp
@@ -1,100 +1,100 @@ # # Copyright (C) 2014 Catalyst IT Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Author: Ricardo Rocha # # Configures keystone auth/authz for the ceph radosgw. # ### == Name # # The RGW id. An alphanumeric string uniquely identifying the RGW. # ( example: radosgw.gateway ) # ### == Parameters # # [*rgw_keystone_admin_domain*] # (Required) The name of OpenStack domain with admin # privilege when using OpenStack Identity API v3. # # [*rgw_keystone_admin_project*] # (Optional) The name of OpenStack project with admin # privilege when using OpenStack Identity API v3 # # [*rgw_keystone_admin_user*] # (Required) The user name of OpenStack tenant with admin # privilege (Service Tenant). # # [*rgw_keystone_admin_password*] # (Required) The password for OpenStack admin user. # # [*rgw_keystone_url*] # (Optional) The internal or admin url for keystone. # Defaults to 'http://127.0.0.1:5000' # # [*rgw_keystone_accepted_roles*] # (Optional) Roles to accept from keystone. # Comma separated list of roles. # Defaults to 'member' # # [*rgw_keystone_token_cache_size*] # (Optional) How many tokens to keep cached. # Defaults to 500 # # [*rgw_s3_auth_use_keystone*] # (Optional) Whether to enable keystone auth for S3. # Defaults to true # # [*rgw_keystone_implicit_tenants*] # (Optional) Set 'true' for a private tenant for each user. 
# Defaults to true # define ceph::rgw::keystone ( $rgw_keystone_admin_domain, $rgw_keystone_admin_project, $rgw_keystone_admin_user, $rgw_keystone_admin_password, $rgw_keystone_url = 'http://127.0.0.1:5000', $rgw_keystone_accepted_roles = 'member', $rgw_keystone_token_cache_size = 500, $rgw_s3_auth_use_keystone = true, $rgw_keystone_implicit_tenants = true, ) { unless $name =~ /^radosgw\..+/ { fail("Define name must be started with 'radosgw.'") } ceph_config { "client.${name}/rgw_keystone_url": value => $rgw_keystone_url; "client.${name}/rgw_keystone_accepted_roles": value => join(any2array($rgw_keystone_accepted_roles), ','); "client.${name}/rgw_keystone_token_cache_size": value => $rgw_keystone_token_cache_size; "client.${name}/rgw_s3_auth_use_keystone": value => $rgw_s3_auth_use_keystone; "client.${name}/rgw_keystone_implicit_tenants": value => $rgw_keystone_implicit_tenants; } # FIXME(ykarel) Cleanup once https://tracker.ceph.com/issues/24228 is fixed for luminous if ($::os['family'] == 'RedHat' and Integer.new($::os['release']['major']) > 7) { ceph_config { "client.${name}/rgw_ldap_secret": value => ''; } } ceph_config { "client.${name}/rgw_keystone_api_version": value => 3; "client.${name}/rgw_keystone_admin_domain": value => $rgw_keystone_admin_domain; "client.${name}/rgw_keystone_admin_project": value => $rgw_keystone_admin_project; "client.${name}/rgw_keystone_admin_user": value => $rgw_keystone_admin_user; - "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password; + "client.${name}/rgw_keystone_admin_password": value => $rgw_keystone_admin_password, secret => true; } } diff --git a/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml b/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml new file mode 100644 index 0000000..9669d3d --- /dev/null +++ b/releasenotes/notes/ceph_config-secret-211b7aa50e393b47.yaml 
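Review bot: The header comment for `rgw_keystone_admin_password` should say what `secret => true` on the last `ceph_config` entry does and does not cover. The parameter is still accepted as a plain untyped value and handed to `ceph_config` unchanged. Suggested wording: `# (Required) The password for OpenStack admin user. Redacted in Puppet change logs; still written to ceph.conf.` Accepting a `Sensitive` value would be a stronger follow-up, but the type's `munge` calls `value.to_s`, so that would need checking before the parameter type is changed.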
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Now the ``ceph_config`` resource type supports the new ``secret`` property.
+ When this property is set to ``true``, value of the parameter is hidden
+ from puppet logs.
diff --git a/spec/defines/ceph_rgw_keystone_spec.rb b/spec/defines/ceph_rgw_keystone_spec.rb
index b411c1e..210532c 100644
--- a/spec/defines/ceph_rgw_keystone_spec.rb
+++ b/spec/defines/ceph_rgw_keystone_spec.rb
@@ -1,107 +1,107 @@ # # Copyright (C) 2014 Catalyst IT Limited. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Author: Ricardo Rocha # require 'spec_helper' describe 'ceph::rgw::keystone' do shared_examples 'ceph::rgw::keystone' do context 'create with default params' do let :pre_condition do "include ceph::params class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' } class { 'ceph::repo': } include ceph ceph::rgw { 'radosgw.gateway': }" end let :title do 'radosgw.gateway' end let :params do { :rgw_keystone_admin_domain => 'default', :rgw_keystone_admin_project => 'openstack', :rgw_keystone_admin_user => 'rgwuser', :rgw_keystone_admin_password => '123456', } end it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_api_version').with_value(3) } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_domain').with_value('default') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_project').with_value('openstack') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_user').with_value('rgwuser') } - it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456') } + it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_admin_password').with_value('123456').with_secret(true) } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_url').with_value('http://127.0.0.1:5000') } it { should 
contain_ceph_config('client.radosgw.gateway/rgw_keystone_accepted_roles').with_value('member') } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_token_cache_size').with_value(500) } it { should contain_ceph_config('client.radosgw.gateway/rgw_s3_auth_use_keystone').with_value(true) } it { should contain_ceph_config('client.radosgw.gateway/rgw_keystone_implicit_tenants').with_value(true) } end context 'create with custom params' do let :pre_condition do "include ceph::params class { 'ceph': fsid => 'd5252e7d-75bc-4083-85ed-fe51fa83f62b' } class { 'ceph::repo': } ceph::rgw { 'radosgw.custom': }" end let :title do 'radosgw.custom' end let :params do { :rgw_keystone_admin_domain => 'default', :rgw_keystone_admin_project => 'openstack', :rgw_keystone_admin_user => 'rgwuser', :rgw_keystone_admin_password => '123456', :rgw_keystone_url => 'http://keystone.custom:5000', :rgw_keystone_accepted_roles => '_role1_,role2', :rgw_keystone_token_cache_size => 100, :rgw_s3_auth_use_keystone => false, :rgw_keystone_implicit_tenants => false, } end it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_api_version').with_value(3) } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_domain').with_value('default') } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_project').with_value('openstack') } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_user').with_value('rgwuser') } - it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456') } + it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_admin_password').with_value('123456').with_secret(true) } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_url').with_value('http://keystone.custom:5000') } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_accepted_roles').with_value('_role1_,role2') } it { should 
contain_ceph_config('client.radosgw.custom/rgw_keystone_token_cache_size').with_value(100) } it { should contain_ceph_config('client.radosgw.custom/rgw_s3_auth_use_keystone').with_value(false) } it { should contain_ceph_config('client.radosgw.custom/rgw_keystone_implicit_tenants').with_value(false) } end end on_supported_os({ :supported_os => OSDefaults.get_supported_os }).each do |os,facts| context "on #{os}" do let (:facts) do facts.merge!(OSDefaults.get_facts()) end it_behaves_like 'ceph::rgw::keystone' end end end
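Review bot: The two changed expectations only check that the catalog entry for `rgw_keystone_admin_password` carries `secret => true`; nothing visible in this commit exercises the redaction itself in the `ceph_config` type. A unit test on the type would pin it, along the lines of `res = Puppet::Type.type(:ceph_config).new(:name => 'global/foo', :value => 'x', :secret => true)` followed by `expect(res.property(:value).should_to_s('x')).to eq('[new secret redacted]')`. The matching `is_to_s` case and the pass-through when `secret` is false deserve the same coverage. The resource name and value in the example are constructed for illustration.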