[MediaWiki-commits] [Gerrit] operations/puppet[production]: Labs ldap: Hide the novaobserver account from everyone but ...

2016-12-05 Thread Andrew Bogott (Code Review)
Andrew Bogott has submitted this change and it was merged.

Change subject: Labs ldap:  Hide the novaobserver account from everyone but keystone
..


Labs ldap:  Hide the novaobserver account from everyone but keystone

Bug: T150092
Change-Id: I10ea7b203fa5fed10e0110ab844c15eb6dcac4d8
---
M modules/openldap/templates/labs-acls.erb
M modules/role/manifests/openldap/labs.pp
2 files changed, 7 insertions(+), 0 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/openldap/templates/labs-acls.erb 
b/modules/openldap/templates/labs-acls.erb
index d2a91ed..62fc6fe 100644
--- a/modules/openldap/templates/labs-acls.erb
+++ b/modules/openldap/templates/labs-acls.erb
@@ -9,3 +9,8 @@
 # novaadmin needs to run queries on all users.  10,000 users is less than
 #  'unlimited' but should keep us happy for a year at least :/
 limits dn.exact="uid=novaadmin,ou=people,dc=wikimedia,dc=org" time=unlimited 
size=1
+
+# novaobserver is an account used only for keystone access.  We don't want it
+#  to appear on wikitech, gerrit, etc. so limit access only to the keystone 
host
+access to dn=uid=novaobserver,ou=people,dc=wikimedia,dc=org
+   by peername.ip=<%= @labs_keystone_ip %> anonymous read
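Review bot: the `to` clause `access to dn=uid=novaobserver,ou=people,dc=wikimedia,dc=org` gives no DN style; slapd.access(5) recommends stating one to avoid ambiguity, so prefer `dn.exact=`, matching the `dn.exact=` already used on the `limits` line above. Also, with no `by * break` and no other `by` clause, every identity except an anonymous connection from `<%= @labs_keystone_ip %>` falls through to the implicit `by * none` for this entry, including novaadmin, which the comment above says needs to query all users. If hiding the entry from novaadmin too is intended (the subject line suggests it is), say so in the commit message; otherwise add `by dn.exact="uid=novaadmin,ou=people,dc=wikimedia,dc=org" read` before the peername clause.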
diff --git a/modules/role/manifests/openldap/labs.pp 
b/modules/role/manifests/openldap/labs.pp
index ba95b10..a16d517 100644
--- a/modules/role/manifests/openldap/labs.pp
+++ b/modules/role/manifests/openldap/labs.pp
@@ -7,6 +7,8 @@
 $ldapconfig = hiera_hash('labsldapconfig', {})
 $ldap_labs_hostname = $ldapconfig['hostname']
 
+$labs_keystone_ip = ipresolve(hiera('labs_keystone_host'),4)
+
 system::role { 'role::openldap::labs':
 description => 'LDAP servers for labs (based on OpenLDAP)'
 }
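Review bot: `$labs_keystone_ip = ipresolve(hiera('labs_keystone_host'),4)` pins the ACL to a single IPv4 address resolved at catalog compile time, so a keystone host move, or a connection arriving over IPv6, is not matched until the next Puppet run re-renders labs-acls.erb; a comment next to the variable saying that the template depends on it would help whoever changes the host later. Style nit: add a space after the comma (`, 4`) to match `hiera_hash('labsldapconfig', {})` two lines up.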

-- 
To view, visit https://gerrit.wikimedia.org/r/325371
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I10ea7b203fa5fed10e0110ab844c15eb6dcac4d8
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott
Gerrit-Reviewer: Alex Monk
Gerrit-Reviewer: Andrew Bogott
Gerrit-Reviewer: Chasemp
Gerrit-Reviewer: jenkins-bot

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] operations/puppet[production]: Labs ldap: Hide the novaobserver account from everyone but ...

2016-12-05 Thread Andrew Bogott (Code Review)
Andrew Bogott has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/325371

Change subject: Labs ldap:  Hide the novaobserver account from everyone but keystone
..

Labs ldap:  Hide the novaobserver account from everyone but keystone

Bug: T150092
Change-Id: I10ea7b203fa5fed10e0110ab844c15eb6dcac4d8
---
M modules/openldap/templates/labs-acls.erb
M modules/role/manifests/openldap/labs.pp
2 files changed, 8 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/71/325371/1

diff --git a/modules/openldap/templates/labs-acls.erb 
b/modules/openldap/templates/labs-acls.erb
index d2a91ed..a5cb167 100644
--- a/modules/openldap/templates/labs-acls.erb
+++ b/modules/openldap/templates/labs-acls.erb
@@ -9,3 +9,9 @@
 # novaadmin needs to run queries on all users.  10,000 users is less than
 #  'unlimited' but should keep us happy for a year at least :/
 limits dn.exact="uid=novaadmin,ou=people,dc=wikimedia,dc=org" time=unlimited 
size=1
+
+# novaobserver is an account used only for keystone access.  We don't want it
+#  to appear on wikitech, gerrit, etc. so limit access only to the keystone 
host
+access to dn=uid=novaobserver,ou=people,dc=wikimedia,dc=org
+   by peername.ip=<%= @labs_keystone_ip %>  users read
+   by * break
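Review bot: `by peername.ip=<%= @labs_keystone_ip %>  users read` only matches a connection that has already authenticated, but a simple bind as novaobserver is evaluated while the connection is still anonymous, so this clause grants nothing to the bind itself; the `auth` privilege on userPassword would have to come from a later directive reached via `by * break`, and nobody else gains anything from this rule either. If the keystone host is meant to read the entry without binding, `anonymous` (or `*`) is the right `<who>`, and the `by * break` can then go. Also drop the double space before `users`.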
diff --git a/modules/role/manifests/openldap/labs.pp 
b/modules/role/manifests/openldap/labs.pp
index ba95b10..a16d517 100644
--- a/modules/role/manifests/openldap/labs.pp
+++ b/modules/role/manifests/openldap/labs.pp
@@ -7,6 +7,8 @@
 $ldapconfig = hiera_hash('labsldapconfig', {})
 $ldap_labs_hostname = $ldapconfig['hostname']
 
+$labs_keystone_ip = ipresolve(hiera('labs_keystone_host'),4)
+
 system::role { 'role::openldap::labs':
 description => 'LDAP servers for labs (based on OpenLDAP)'
 }
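Review bot: `hiera('labs_keystone_host')` with no default is the right choice here: a missing key fails catalog compilation instead of rendering an empty `peername.ip=` pattern into labs-acls.erb, which would silently change who matches the rule. A one-line comment noting that the ACL template consumes this value would stop someone adding a default later.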

-- 
To view, visit https://gerrit.wikimedia.org/r/325371
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I10ea7b203fa5fed10e0110ab844c15eb6dcac4d8
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott 
