Add option to restrict access to PuppetDB
Add the option to set up a certificate whitelist file and configure it in PuppetDB so that only specific hosts (i.e. the Puppet master(s)) have access.
This commit is contained in:
parent
b3f685b5e1
commit
3889cc56a4
7 changed files with 135 additions and 13 deletions
|
@ -495,6 +495,14 @@ The amount of disk space (in MB) to allow for persistent message storage. Defaul
|
||||||
|
|
||||||
The amount of disk space (in MB) to allow for temporary message storage. Defaults to undef, using the PuppetDB built-in default.
|
The amount of disk space (in MB) to allow for temporary message storage. Defaults to undef, using the PuppetDB built-in default.
|
||||||
|
|
||||||
|
####`certificate_whitelist_file`
|
||||||
|
|
||||||
|
The name of the certificate whitelist file to set up and configure in PuppetDB. Defaults to `/etc/puppetdb/certificate-whitelist` or `/etc/puppetlabs/puppetdb/certificate-whitelist` for FOSS and PE respectively.
|
||||||
|
|
||||||
|
####`certificate_whitelist`
|
||||||
|
|
||||||
|
Array of the X.509 certificate Common Names of clients allowed to connect to PuppetDB. Defaults to empty. Be aware that this permits full access to all Puppet clients to download anything contained in PuppetDB, including the full catalogs of all nodes, which possibly contain sensitive information. Set to `[ $::servername ]` to allow access only from your (single) Puppet master, which is enough for normal operation. Set to a list of Puppet masters if you have multiple.
|
||||||
|
|
||||||
|
|
||||||
### puppetdb::server
|
### puppetdb::server
|
||||||
|
|
||||||
|
|
|
@ -65,7 +65,9 @@ class puppetdb (
|
||||||
$max_threads = $puppetdb::params::max_threads,
|
$max_threads = $puppetdb::params::max_threads,
|
||||||
$command_threads = $puppetdb::params::command_threads,
|
$command_threads = $puppetdb::params::command_threads,
|
||||||
$store_usage = $puppetdb::params::store_usage,
|
$store_usage = $puppetdb::params::store_usage,
|
||||||
$temp_usage = $puppetdb::params::temp_usage
|
$temp_usage = $puppetdb::params::temp_usage,
|
||||||
|
$certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
|
||||||
|
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
|
||||||
) inherits puppetdb::params {
|
) inherits puppetdb::params {
|
||||||
|
|
||||||
class { '::puppetdb::server':
|
class { '::puppetdb::server':
|
||||||
|
@ -130,6 +132,8 @@ class puppetdb (
|
||||||
command_threads => $command_threads,
|
command_threads => $command_threads,
|
||||||
store_usage => $store_usage,
|
store_usage => $store_usage,
|
||||||
temp_usage => $temp_usage,
|
temp_usage => $temp_usage,
|
||||||
|
certificate_whitelist_file => $certificate_whitelist_file,
|
||||||
|
certificate_whitelist => $certificate_whitelist,
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($database == 'postgres') {
|
if ($database == 'postgres') {
|
||||||
|
|
|
@ -70,28 +70,25 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
if !($puppetdb_version in ['latest','present','absent']) and versioncmp($puppetdb_version, '3.0.0') < 0 {
|
if !($puppetdb_version in ['latest','present','absent']) and versioncmp($puppetdb_version, '3.0.0') < 0 {
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
'RedHat', 'Suse', 'Archlinux','Debian': {
|
'RedHat', 'Suse', 'Archlinux','Debian': {
|
||||||
$confdir = '/etc/puppetdb/conf.d'
|
$etcdir = '/etc/puppetdb'
|
||||||
$vardir = '/var/lib/puppetdb'
|
$vardir = '/var/lib/puppetdb'
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
||||||
$puppet_service_name = 'puppetmaster'
|
$puppet_service_name = 'puppetmaster'
|
||||||
$ssl_dir = '/etc/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'OpenBSD': {
|
'OpenBSD': {
|
||||||
$confdir = '/etc/puppetdb/conf.d'
|
$etcdir = '/etc/puppetdb'
|
||||||
$vardir = '/var/db/puppetdb'
|
$vardir = '/var/db/puppetdb'
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
||||||
$puppet_service_name = 'puppetmasterd'
|
$puppet_service_name = 'puppetmasterd'
|
||||||
$ssl_dir = '/etc/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'FreeBSD': {
|
'FreeBSD': {
|
||||||
$confdir = '/usr/local/etc/puppetdb/conf.d'
|
$etcdir = '/usr/local/etc/puppetdb'
|
||||||
$vardir = '/var/db/puppetdb'
|
$vardir = '/var/db/puppetdb'
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppet')
|
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppet')
|
||||||
$puppet_service_name = 'puppetmaster'
|
$puppet_service_name = 'puppetmaster'
|
||||||
$ssl_dir = '/usr/local/etc/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
||||||
|
@ -102,22 +99,19 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
} else {
|
} else {
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
'RedHat', 'Suse', 'Archlinux','Debian': {
|
'RedHat', 'Suse', 'Archlinux','Debian': {
|
||||||
$confdir = '/etc/puppetlabs/puppetdb/conf.d'
|
$etcdir = '/etc/puppetlabs/puppetdb'
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
||||||
$puppet_service_name = 'puppetserver'
|
$puppet_service_name = 'puppetserver'
|
||||||
$ssl_dir = '/etc/puppetlabs/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'OpenBSD': {
|
'OpenBSD': {
|
||||||
$confdir = '/etc/puppetlabs/puppetdb/conf.d'
|
$etcdir = '/etc/puppetlabs/puppetdb'
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
||||||
$puppet_service_name = undef
|
$puppet_service_name = undef
|
||||||
$ssl_dir = '/etc/puppetlabs/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'FreeBSD': {
|
'FreeBSD': {
|
||||||
$confdir = '/usr/local/etc/puppetlabs/puppetdb/conf.d'
|
$etcdir = '/usr/local/etc/puppetlabs/puppetdb'
|
||||||
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppetlabs/puppet')
|
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppetlabs/puppet')
|
||||||
$puppet_service_name = undef
|
$puppet_service_name = undef
|
||||||
$ssl_dir = '/usr/local/etc/puppetlabs/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
||||||
|
@ -129,6 +123,9 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$confdir = "${etcdir}/conf.d"
|
||||||
|
$ssl_dir = "${etcdir}/ssl"
|
||||||
|
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
'RedHat', 'Suse', 'Archlinux': {
|
'RedHat', 'Suse', 'Archlinux': {
|
||||||
$puppetdb_initconf = '/etc/sysconfig/puppetdb'
|
$puppetdb_initconf = '/etc/sysconfig/puppetdb'
|
||||||
|
@ -160,4 +157,10 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
$ssl_key = undef
|
$ssl_key = undef
|
||||||
$ssl_cert = undef
|
$ssl_cert = undef
|
||||||
$ssl_ca_cert = undef
|
$ssl_ca_cert = undef
|
||||||
|
|
||||||
|
$certificate_whitelist_file = "${etcdir}/certificate-whitelist"
|
||||||
|
# the default is free access for now
|
||||||
|
$certificate_whitelist = [ ]
|
||||||
|
# change to this to only allow access by the puppet master by default:
|
||||||
|
#$certificate_whitelist = [ $::servername ]
|
||||||
}
|
}
|
||||||
|
|
|
@ -61,6 +61,8 @@ class puppetdb::server (
|
||||||
$command_threads = $puppetdb::params::command_threads,
|
$command_threads = $puppetdb::params::command_threads,
|
||||||
$store_usage = $puppetdb::params::store_usage,
|
$store_usage = $puppetdb::params::store_usage,
|
||||||
$temp_usage = $puppetdb::params::temp_usage,
|
$temp_usage = $puppetdb::params::temp_usage,
|
||||||
|
$certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
|
||||||
|
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
|
||||||
) inherits puppetdb::params {
|
) inherits puppetdb::params {
|
||||||
# deprecation warnings
|
# deprecation warnings
|
||||||
if $database_ssl != undef {
|
if $database_ssl != undef {
|
||||||
|
@ -236,6 +238,13 @@ class puppetdb::server (
|
||||||
notify => Service[$puppetdb_service],
|
notify => Service[$puppetdb_service],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class { 'puppetdb::server::puppetdb':
|
||||||
|
certificate_whitelist_file => $certificate_whitelist_file,
|
||||||
|
certificate_whitelist => $certificate_whitelist,
|
||||||
|
confdir => $confdir,
|
||||||
|
notify => Service[$puppetdb_service],
|
||||||
|
}
|
||||||
|
|
||||||
if !empty($java_args) {
|
if !empty($java_args) {
|
||||||
if $merge_default_java_args {
|
if $merge_default_java_args {
|
||||||
create_resources(
|
create_resources(
|
||||||
|
@ -275,6 +284,7 @@ class puppetdb::server (
|
||||||
Class['puppetdb::server::database'] ->
|
Class['puppetdb::server::database'] ->
|
||||||
Class['puppetdb::server::read_database'] ->
|
Class['puppetdb::server::read_database'] ->
|
||||||
Class['puppetdb::server::jetty'] ->
|
Class['puppetdb::server::jetty'] ->
|
||||||
|
Class['puppetdb::server::puppetdb'] ->
|
||||||
Service[$puppetdb_service]
|
Service[$puppetdb_service]
|
||||||
} else {
|
} else {
|
||||||
Package[$puppetdb_package] ->
|
Package[$puppetdb_package] ->
|
||||||
|
@ -282,6 +292,7 @@ class puppetdb::server (
|
||||||
Class['puppetdb::server::database'] ->
|
Class['puppetdb::server::database'] ->
|
||||||
Class['puppetdb::server::read_database'] ->
|
Class['puppetdb::server::read_database'] ->
|
||||||
Class['puppetdb::server::jetty'] ->
|
Class['puppetdb::server::jetty'] ->
|
||||||
|
Class['puppetdb::server::puppetdb'] ->
|
||||||
Service[$puppetdb_service]
|
Service[$puppetdb_service]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
36
manifests/server/puppetdb.pp
Normal file
36
manifests/server/puppetdb.pp
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# PRIVATE CLASS - do not use directly
|
||||||
|
class puppetdb::server::puppetdb (
|
||||||
|
$certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
|
||||||
|
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
|
||||||
|
$confdir = $puppetdb::params::confdir,
|
||||||
|
) inherits puppetdb::params {
|
||||||
|
|
||||||
|
# Set the defaults
|
||||||
|
Ini_setting {
|
||||||
|
path => "${confdir}/puppetdb.ini",
|
||||||
|
ensure => present,
|
||||||
|
section => 'puppetdb',
|
||||||
|
}
|
||||||
|
|
||||||
|
$certificate_whitelist_setting_ensure = empty($certificate_whitelist) ? {
|
||||||
|
true => 'absent',
|
||||||
|
default => 'present',
|
||||||
|
}
|
||||||
|
|
||||||
|
# accept connections only from puppet master
|
||||||
|
ini_setting {'puppetdb-connections-from-master-only':
|
||||||
|
ensure => $certificate_whitelist_setting_ensure,
|
||||||
|
path => "${confdir}/puppetdb.ini",
|
||||||
|
section => 'puppetdb',
|
||||||
|
setting => 'certificate-whitelist',
|
||||||
|
value => $certificate_whitelist_file,
|
||||||
|
}
|
||||||
|
|
||||||
|
file { $certificate_whitelist_file:
|
||||||
|
ensure => $certificate_whitelist_setting_ensure,
|
||||||
|
content => template('puppetdb/certificate-whitelist.erb'),
|
||||||
|
mode => '0644',
|
||||||
|
owner => 0,
|
||||||
|
group => 0,
|
||||||
|
}
|
||||||
|
}
|
57
spec/unit/classes/server/puppetdb_ini_spec.rb
Normal file
57
spec/unit/classes/server/puppetdb_ini_spec.rb
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe 'puppetdb::server::puppetdb', :type => :class do
|
||||||
|
context 'on a supported platform' do
|
||||||
|
let(:facts) do
|
||||||
|
{
|
||||||
|
:osfamily => 'RedHat',
|
||||||
|
:fqdn => 'test.domain.local',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_class('puppetdb::server::puppetdb') }
|
||||||
|
|
||||||
|
describe 'when using default values' do
|
||||||
|
it { should contain_ini_setting('puppetdb-connections-from-master-only').
|
||||||
|
with(
|
||||||
|
'ensure' => 'absent',
|
||||||
|
'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini',
|
||||||
|
'section' => 'puppetdb',
|
||||||
|
'setting' => 'certificate-whitelist',
|
||||||
|
'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist'
|
||||||
|
)}
|
||||||
|
it { should contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist').
|
||||||
|
with(
|
||||||
|
'ensure' => 'absent',
|
||||||
|
'owner' => 0,
|
||||||
|
'group' => 0,
|
||||||
|
'mode' => '0644',
|
||||||
|
'content' => ''
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'when restricting access to puppetdb' do
|
||||||
|
let(:params) do
|
||||||
|
{
|
||||||
|
'certificate_whitelist' => [ 'puppetmaster' ]
|
||||||
|
}
|
||||||
|
end
|
||||||
|
it { should contain_ini_setting('puppetdb-connections-from-master-only').
|
||||||
|
with(
|
||||||
|
'ensure' => 'present',
|
||||||
|
'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini',
|
||||||
|
'section' => 'puppetdb',
|
||||||
|
'setting' => 'certificate-whitelist',
|
||||||
|
'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist'
|
||||||
|
)}
|
||||||
|
it { should contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist').
|
||||||
|
with(
|
||||||
|
'ensure' => 'present',
|
||||||
|
'owner' => 0,
|
||||||
|
'group' => 0,
|
||||||
|
'mode' => '0644',
|
||||||
|
'content' => "puppetmaster\n"
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
3
templates/certificate-whitelist.erb
Normal file
3
templates/certificate-whitelist.erb
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
<% @certificate_whitelist.each do |cn| -%>
|
||||||
|
<%= cn %>
|
||||||
|
<% end -%>
|
Loading…
Reference in a new issue