Alexandros Kosiaris has submitted this change and it was merged. Change subject: puppetmaster: Split extra_auth_rules from is_labs_master ......................................................................
puppetmaster: Split extra_auth_rules from is_labs_master
Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce
---
M modules/puppetmaster/manifests/init.pp
M modules/puppetmaster/templates/auth-master.conf.erb
M modules/role/manifests/labs/puppetmaster.pp
A modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb
4 files changed, 16 insertions(+), 14 deletions(-)
Approvals: Alexandros Kosiaris: Verified; Looks good to me, approved
diff --git a/modules/puppetmaster/manifests/init.pp b/modules/puppetmaster/manifests/init.pp
index 5ad8f11..5f46acc 100644
--- a/modules/puppetmaster/manifests/init.pp
+++ b/modules/puppetmaster/manifests/init.pp
@@ -27,6 +27,8 @@
 # - $secure_private:
 # If true, some magic is done to have local repositories and sync between puppetmasters.
 # Otherwise, /etc/puppet/private will be labs/private.git.
+# - $extra_auth_rules:
+# String - extra authentication rules to add before the default policy.
 class puppetmaster(
 $server_name='puppet',
@@ -47,6 +49,7 @@
 $is_git_master=false,
 $hiera_config=$::realm,
 $secure_private=true,
+ $extra_auth_rules='',
 ){
 $gitdir = '/var/lib/git'
@@ -125,9 +128,6 @@
 if $is_labs_master {
 # This is required for the mwyaml hiera backend
 require_package('ruby-httpclient')
-
- # This variable is used by the auth.conf template
- $horizon_host = hiera('labs_horizon_host')
 }
 file { '/etc/puppet/auth.conf':
diff --git a/modules/puppetmaster/templates/auth-master.conf.erb b/modules/puppetmaster/templates/auth-master.conf.erb
index 809dd74..64b03a9 100644
--- a/modules/puppetmaster/templates/auth-master.conf.erb
+++ b/modules/puppetmaster/templates/auth-master.conf.erb
@@ -110,12 +110,8 @@
 auth any
 method find, save
 allow *
-<% if @is_labs_master %>
-# Allow Horizon to ask the puppetmaster about available roles
-path /resource_type
-auth any
-allow <%= @horizon_host %>
-<% end %>
+<%= @extra_auth_rules -%>
+
 # deny everything else; this ACL is not strictly necessary, but
 # illustrates the default policy.
 path /
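Review bot: `$extra_auth_rules=''` in the second init.pp hunk is accepted without any check while the template pastes it verbatim into /etc/puppet/auth.conf, so a non-string value (an array or hash coming from hiera, say) would be interpolated through Ruby's to_s and presumably leave the master with an auth.conf it cannot parse; if this module already relies on stdlib, `validate_string($extra_auth_rules)` at the top of the class body would fail the catalog compile instead. The parameter comment in the first hunk also understates what the value does: these are authorization stanzas spliced in just ahead of the catch-all deny, and auth.conf is evaluated first-match, so anything passed here can widen access to the master. I would reword it to `#   String - raw auth.conf stanzas spliced in verbatim ahead of the default deny; the first matching path wins, so keep them as narrow as possible.` The `class puppetmaster(` parameter list and body continue outside these hunks.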
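Review bot: `<%= @extra_auth_rules -%>` drops an opaque blob into the rendered auth.conf immediately ahead of the `path /` default-deny with nothing marking where it came from, and since auth.conf rules are consulted in order with the first matching path winning (as far as I recall Puppet 3's semantics), every stanza in that string silently outranks the deny that follows. Someone debugging /etc/puppet/auth.conf on a master therefore cannot tell which rules the role injected and which are the module's own. A comment line placed just before the tag, `# Rules injected via puppetmaster::extra_auth_rules (role-specific); they take precedence over the default deny below`, would make both the origin and the precedence visible in the generated file at no cost.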
diff --git a/modules/role/manifests/labs/puppetmaster.pp b/modules/role/manifests/labs/puppetmaster.pp
index 92df2c6..bfe3cc6 100644
--- a/modules/role/manifests/labs/puppetmaster.pp
+++ b/modules/role/manifests/labs/puppetmaster.pp
@@ -11,6 +11,7 @@
 $basedn = $ldapconfig['basedn']
 $novaconfig = hiera_hash('novaconfig', {})
 $labs_instance_range = $novaconfig['fixed_range']
+ $horizon_host = hiera('labs_horizon_host')
 $horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4)
@@ -18,11 +19,12 @@
 $allow_from = flatten([$labs_instance_range, '208.80.154.14', $horizon_host_ip, $labs_metal])
 class { '::puppetmaster':
- server_name => hiera('labs_puppet_master'),
- allow_from => $allow_from,
- is_labs_master => true,
- secure_private => false,
- config => {
+ server_name => hiera('labs_puppet_master'),
+ allow_from => $allow_from,
+ is_labs_master => true,
+ secure_private => false,
+ extra_auth_rules => template('role/labs/puppetmaster/extra_auth_rules.conf.erb'),
+ config => {
 'thin_storeconfigs' => false,
 'node_terminus' => 'ldap',
 'ldapserver' => $ldapconfig['servernames'][0],
diff --git a/modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb b/modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb
new file mode 100644
index 0000000..b1e6fd6
--- /dev/null
+++ b/modules/role/templates/labs/puppetmaster/extra_auth_rules.conf.erb
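Review bot: The added `$horizon_host = hiera('labs_horizon_host')` in the first hunk sits directly above `$horizon_host_ip = ipresolve(hiera('labs_horizon_host'), 4)`, which still performs the same hiera lookup a second time; it should now read `$horizon_host_ip = ipresolve($horizon_host, 4)` so the auth.conf ACL and the allow_from entry are guaranteed to be derived from one value. Note that `template(...)` in the second hunk is rendered at compile time in this role's scope, so whatever string hiera returns lands verbatim as the `allow` argument in auth.conf; an empty or whitespace-containing value would produce a malformed stanza rather than a clear compile error, which may be worth a guard if that key can be unset in some labs hierarchy. The `class { '::puppetmaster':` resource continues past the end of the hunk.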
@@ -0,0 +1,4 @@
+# Allow Horizon to ask the puppetmaster about available roles
+path /resource_type
+auth any
+allow <%= @horizon_host %>
--
To view, visit https://gerrit.wikimedia.org/r/303757
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I0f2a7e9979b92c48cf0dbbf5b95b4188b87288ce
Gerrit-PatchSet: 9
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <a...@wikimedia.org>
Gerrit-Reviewer: Alex Monk <a...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
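Review bot: `auth any` on the `/resource_type` rule admits unauthenticated requests alongside certificate-authenticated ones, and for an unauthenticated request Puppet 3 compares the `allow` hostname against the reverse DNS of the client address (if I recall auth.conf semantics correctly), so this ACL is only as strong as the PTR record for Horizon's IP. If Horizon presents a Puppet client certificate, `auth yes` (the default) would bind the rule to its certname instead; if it does not, allowing by address — `$horizon_host_ip` is already resolved in role::labs::puppetmaster — removes the DNS dependency. The stanza is moved here from auth-master.conf.erb rather than newly written, so the weakness predates this change, but this new file is the natural place to tighten it. It also lacks any header saying where it ends up; a first line such as `# Rendered into /etc/puppet/auth.conf via puppetmaster::extra_auth_rules, ahead of the default deny` would help the next reader.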