Alexandros Kosiaris has submitted this change and it was merged.

Change subject: puppetmaster: Split extra_auth_rules from is_labs_master
......................................................................


puppetmaster: Split extra_auth_rules from is_labs_master

Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce
---
M modules/puppetmaster/manifests/init.pp
M modules/puppetmaster/templates/auth-master.conf.erb
M modules/role/manifests/labs/puppetmaster.pp
A modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb
4 files changed, 16 insertions(+), 14 deletions(-)

Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved



diff --git a/modules/puppetmaster/manifests/init.pp 
b/modules/puppetmaster/manifests/init.pp
index 5ad8f11..5f46acc 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -27,6 +27,8 @@
 #    - $secure_private:
 #        If true, some magic is done to have local repositories and sync 
between puppetmasters.
 #        Otherwise, /etc/puppet/private will be labs/private.git.
+#    - $extra_auth_rules:
+#        String - extra authentication rules to add before the default policy.
 
 class puppetmaster(
             $server_name='puppet',
@@ -47,6 +49,7 @@
             $is_git_master=false,
             $hiera_config=$::realm,
             $secure_private=true,
+            $extra_auth_rules='',
     ){
 
     $gitdir = '/var/lib/git'
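Review bot: The new `$extra_auth_rules=''` parameter is rendered straight into auth.conf, yet nothing checks that the caller passed a string; an array or hash handed in by mistake would render as its stringified form and either break the file or produce an unintended rule. If the module already uses stdlib's validate_* helpers for its other parameters, a `validate_string($extra_auth_rules)` alongside them would catch that at compile time rather than at agent-connect time. The class body continues outside the hunk, so I cannot see whether such checks exist.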
@@ -125,9 +128,6 @@
     if $is_labs_master {
         # This is required for the mwyaml hiera backend
         require_package('ruby-httpclient')
-
-        # This variable is used by the auth.conf template
-        $horizon_host = hiera('labs_horizon_host')
     }
 
     file { '/etc/puppet/auth.conf':
diff --git a/modules/puppetmaster/templates/auth-master.conf.erb 
b/modules/puppetmaster/templates/auth-master.conf.erb
index 809dd74..64b03a9 100644
--- a/modules/puppetmaster/templates/auth-master.conf.erb
+++ b/modules/puppetmaster/templates/auth-master.conf.erb
@@ -110,12 +110,8 @@
 auth any
 method find, save
 allow *
-<% if @is_labs_master %>
-# Allow Horizon to ask the puppetmaster about available roles
-path /resource_type
-auth any
-allow <%= @horizon_host %>
-<% end %>
+<%= @extra_auth_rules -%>
+
 # deny everything else; this ACL is not strictly necessary, but
 # illustrates the default policy.
 path /
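Review bot: The new `<%= @extra_auth_rules -%>` line splices caller-supplied rules into the ACL with no marker in the rendered file, directly ahead of the catch-all `path /` deny; since auth.conf rules appear to be matched in order, anything in that string is effectively a carve-out from the default policy, and someone auditing the generated auth.conf has no way to tell those lines apart from the module's own. A comment on the new line would make that visible: `# Rules supplied by the caller via $extra_auth_rules; they are evaluated before the catch-all deny below.`. Note also that with the default `''` the `-%>` trim plus the blank line that follows emits one empty line, which is harmless but worth knowing when diffing rendered output.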
diff --git a/modules/role/manifests/labs/puppetmaster.pp 
b/modules/role/manifests/labs/puppetmaster.pp
index 92df2c6..bfe3cc6 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
+++ b/modules/role/manifests/labs/puppetmaster.pp
@@ -11,6 +11,7 @@
     $basedn = $ldapconfig['basedn']
     $novaconfig = hiera_hash('novaconfig', {})
     $labs_instance_range = $novaconfig['fixed_range']
+    $horizon_host = hiera('labs_horizon_host')
     $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4)
 
 
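Review bot: The added `$horizon_host = hiera('labs_horizon_host')` duplicates the lookup performed on the very next line, so the two can drift if the key is ever changed in one place only; reuse the variable instead: `$horizon_host_ip = ipresolve($horizon_host, 4)`. Nothing else in this class reads `$horizon_host` — it exists for the extra_auth_rules template rendered in this scope in a later hunk — so a short comment above the assignment saying that would stop it being removed as dead code: `# Read by role/labs/puppetmaster/extra_auth_rules.conf.erb via template()`. The class body continues outside the hunk.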
@@ -18,11 +19,12 @@
     $allow_from = flatten([$labs_instance_range, '208.80.154.14', 
$horizon_host_ip, $labs_metal])
 
     class { '::puppetmaster':
-        server_name    => hiera('labs_puppet_master'),
-        allow_from     => $allow_from,
-        is_labs_master => true,
-        secure_private => false,
-        config         => {
+        server_name      => hiera('labs_puppet_master'),
+        allow_from       => $allow_from,
+        is_labs_master   => true,
+        secure_private   => false,
+        extra_auth_rules => 
template('role/labs/puppetmaster/extra_auth_rules.conf.erb'),
+        config           => {
             'thin_storeconfigs' => false,
             'node_terminus'     => 'ldap',
             'ldapserver'        => $ldapconfig['servernames'][0],
diff --git a/modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb 
b/modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb
new file mode 100644
index 0000000..b1e6fd6
--- /dev/null
+++ b/modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb
@@ -0,0 +1,4 @@
+# Allow Horizon to ask the puppetmaster about available roles
+path /resource_type
+auth any
+allow <%= @horizon_host %>
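Review bot: The `path /resource_type` block has no `method` line, so `@horizon_host` is allowed every method (find, search, save, destroy) on that endpoint; if Horizon only reads the available roles, the rule should say so, `method find, search`, matching the least-privilege shape of the other rules in auth-master.conf.erb. The template is also rendered from the role class in modules/role/manifests/labs/puppetmaster.pp and silently depends on `$horizon_host` being set there — if it is undef the line renders as a bare `allow `, which presumably makes the puppetmaster reject its own auth.conf. A header comment would make both points explicit: `# Spliced into auth.conf by ::puppetmaster ahead of the default deny; expects $horizon_host in the rendering scope.`.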

-- 
To view, visit https://gerrit.wikimedia.org/r/303757

Gerrit-MessageType: merged
Gerrit-Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce
Gerrit-PatchSet: 9
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <a...@wikimedia.org>
Gerrit-Reviewer: Alex Monk <a...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
