Merge pull request #215 from michaelweiser/qr2
Restrict access to the Puppet master by default
This commit is contained in:
commit
ed371ce829
7 changed files with 135 additions and 13 deletions
|
@ -668,6 +668,14 @@ Defaults to `undef`, using the PuppetDB built-in default.
|
||||||
The amount of disk space (in MB) to allow for temporary message storage.
|
The amount of disk space (in MB) to allow for temporary message storage.
|
||||||
Defaults to `undef`, using the PuppetDB built-in default.
|
Defaults to `undef`, using the PuppetDB built-in default.
|
||||||
|
|
||||||
|
####`certificate_whitelist_file`
|
||||||
|
|
||||||
|
The name of the certificate whitelist file to set up and configure in PuppetDB. Defaults to `/etc/puppetdb/certificate-whitelist` or `/etc/puppetlabs/puppetdb/certificate-whitelist` for FOSS and PE respectively.
|
||||||
|
|
||||||
|
####`certificate_whitelist`
|
||||||
|
|
||||||
|
Array of the X.509 certificate Common Names of clients allowed to connect to PuppetDB. Defaults to empty. Be aware that this permits full access to all Puppet clients to download anything contained in PuppetDB, including the full catalogs of all nodes, which possibly contain sensitive information. Set to `[ $::servername ]` to allow access only from your (single) Puppet master, which is enough for normal operation. Set to a list of Puppet masters if you have multiple.
|
||||||
|
|
||||||
|
|
||||||
### puppetdb::server
|
### puppetdb::server
|
||||||
|
|
||||||
|
|
|
@ -66,7 +66,9 @@ class puppetdb (
|
||||||
$max_threads = $puppetdb::params::max_threads,
|
$max_threads = $puppetdb::params::max_threads,
|
||||||
$command_threads = $puppetdb::params::command_threads,
|
$command_threads = $puppetdb::params::command_threads,
|
||||||
$store_usage = $puppetdb::params::store_usage,
|
$store_usage = $puppetdb::params::store_usage,
|
||||||
$temp_usage = $puppetdb::params::temp_usage
|
$temp_usage = $puppetdb::params::temp_usage,
|
||||||
|
$certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
|
||||||
|
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
|
||||||
) inherits puppetdb::params {
|
) inherits puppetdb::params {
|
||||||
|
|
||||||
class { '::puppetdb::server':
|
class { '::puppetdb::server':
|
||||||
|
@ -132,6 +134,8 @@ class puppetdb (
|
||||||
command_threads => $command_threads,
|
command_threads => $command_threads,
|
||||||
store_usage => $store_usage,
|
store_usage => $store_usage,
|
||||||
temp_usage => $temp_usage,
|
temp_usage => $temp_usage,
|
||||||
|
certificate_whitelist_file => $certificate_whitelist_file,
|
||||||
|
certificate_whitelist => $certificate_whitelist,
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($database == 'postgres') {
|
if ($database == 'postgres') {
|
||||||
|
|
|
@ -71,28 +71,25 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
if !($puppetdb_version in ['latest','present','absent']) and versioncmp($puppetdb_version, '3.0.0') < 0 {
|
if !($puppetdb_version in ['latest','present','absent']) and versioncmp($puppetdb_version, '3.0.0') < 0 {
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
'RedHat', 'Suse', 'Archlinux','Debian': {
|
'RedHat', 'Suse', 'Archlinux','Debian': {
|
||||||
$confdir = '/etc/puppetdb/conf.d'
|
$etcdir = '/etc/puppetdb'
|
||||||
$vardir = '/var/lib/puppetdb'
|
$vardir = '/var/lib/puppetdb'
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
||||||
$puppet_service_name = 'puppetmaster'
|
$puppet_service_name = 'puppetmaster'
|
||||||
$ssl_dir = '/etc/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'OpenBSD': {
|
'OpenBSD': {
|
||||||
$confdir = '/etc/puppetdb/conf.d'
|
$etcdir = '/etc/puppetdb'
|
||||||
$vardir = '/var/db/puppetdb'
|
$vardir = '/var/db/puppetdb'
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppet')
|
||||||
$puppet_service_name = 'puppetmasterd'
|
$puppet_service_name = 'puppetmasterd'
|
||||||
$ssl_dir = '/etc/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'FreeBSD': {
|
'FreeBSD': {
|
||||||
$confdir = '/usr/local/etc/puppetdb/conf.d'
|
$etcdir = '/usr/local/etc/puppetdb'
|
||||||
$vardir = '/var/db/puppetdb'
|
$vardir = '/var/db/puppetdb'
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppet')
|
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppet')
|
||||||
$puppet_service_name = 'puppetmaster'
|
$puppet_service_name = 'puppetmaster'
|
||||||
$ssl_dir = '/usr/local/etc/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
||||||
|
@ -103,22 +100,19 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
} else {
|
} else {
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
'RedHat', 'Suse', 'Archlinux','Debian': {
|
'RedHat', 'Suse', 'Archlinux','Debian': {
|
||||||
$confdir = '/etc/puppetlabs/puppetdb/conf.d'
|
$etcdir = '/etc/puppetlabs/puppetdb'
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
||||||
$puppet_service_name = 'puppetserver'
|
$puppet_service_name = 'puppetserver'
|
||||||
$ssl_dir = '/etc/puppetlabs/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'OpenBSD': {
|
'OpenBSD': {
|
||||||
$confdir = '/etc/puppetlabs/puppetdb/conf.d'
|
$etcdir = '/etc/puppetlabs/puppetdb'
|
||||||
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
$puppet_confdir = pick($settings::confdir,'/etc/puppetlabs/puppet')
|
||||||
$puppet_service_name = undef
|
$puppet_service_name = undef
|
||||||
$ssl_dir = '/etc/puppetlabs/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
'FreeBSD': {
|
'FreeBSD': {
|
||||||
$confdir = '/usr/local/etc/puppetlabs/puppetdb/conf.d'
|
$etcdir = '/usr/local/etc/puppetlabs/puppetdb'
|
||||||
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppetlabs/puppet')
|
$puppet_confdir = pick($settings::confdir,'/usr/local/etc/puppetlabs/puppet')
|
||||||
$puppet_service_name = undef
|
$puppet_service_name = undef
|
||||||
$ssl_dir = '/usr/local/etc/puppetlabs/puppetdb/ssl'
|
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
fail("The fact 'osfamily' is set to ${::osfamily} which is not supported by the puppetdb module.")
|
||||||
|
@ -130,6 +124,9 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
$database_embedded_path = "${vardir}/db/db"
|
$database_embedded_path = "${vardir}/db/db"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$confdir = "${etcdir}/conf.d"
|
||||||
|
$ssl_dir = "${etcdir}/ssl"
|
||||||
|
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
'RedHat', 'Suse', 'Archlinux': {
|
'RedHat', 'Suse', 'Archlinux': {
|
||||||
$puppetdb_initconf = '/etc/sysconfig/puppetdb'
|
$puppetdb_initconf = '/etc/sysconfig/puppetdb'
|
||||||
|
@ -161,4 +158,10 @@ class puppetdb::params inherits puppetdb::globals {
|
||||||
$ssl_key = undef
|
$ssl_key = undef
|
||||||
$ssl_cert = undef
|
$ssl_cert = undef
|
||||||
$ssl_ca_cert = undef
|
$ssl_ca_cert = undef
|
||||||
|
|
||||||
|
$certificate_whitelist_file = "${etcdir}/certificate-whitelist"
|
||||||
|
# the default is free access for now
|
||||||
|
$certificate_whitelist = [ ]
|
||||||
|
# change to this to only allow access by the puppet master by default:
|
||||||
|
#$certificate_whitelist = [ $::servername ]
|
||||||
}
|
}
|
||||||
|
|
|
@ -62,6 +62,8 @@ class puppetdb::server (
|
||||||
$command_threads = $puppetdb::params::command_threads,
|
$command_threads = $puppetdb::params::command_threads,
|
||||||
$store_usage = $puppetdb::params::store_usage,
|
$store_usage = $puppetdb::params::store_usage,
|
||||||
$temp_usage = $puppetdb::params::temp_usage,
|
$temp_usage = $puppetdb::params::temp_usage,
|
||||||
|
$certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
|
||||||
|
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
|
||||||
) inherits puppetdb::params {
|
) inherits puppetdb::params {
|
||||||
# deprecation warnings
|
# deprecation warnings
|
||||||
if $database_ssl != undef {
|
if $database_ssl != undef {
|
||||||
|
@ -238,6 +240,13 @@ class puppetdb::server (
|
||||||
notify => Service[$puppetdb_service],
|
notify => Service[$puppetdb_service],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class { 'puppetdb::server::puppetdb':
|
||||||
|
certificate_whitelist_file => $certificate_whitelist_file,
|
||||||
|
certificate_whitelist => $certificate_whitelist,
|
||||||
|
confdir => $confdir,
|
||||||
|
notify => Service[$puppetdb_service],
|
||||||
|
}
|
||||||
|
|
||||||
if !empty($java_args) {
|
if !empty($java_args) {
|
||||||
if $merge_default_java_args {
|
if $merge_default_java_args {
|
||||||
create_resources(
|
create_resources(
|
||||||
|
@ -277,6 +286,7 @@ class puppetdb::server (
|
||||||
Class['puppetdb::server::database'] ->
|
Class['puppetdb::server::database'] ->
|
||||||
Class['puppetdb::server::read_database'] ->
|
Class['puppetdb::server::read_database'] ->
|
||||||
Class['puppetdb::server::jetty'] ->
|
Class['puppetdb::server::jetty'] ->
|
||||||
|
Class['puppetdb::server::puppetdb'] ->
|
||||||
Service[$puppetdb_service]
|
Service[$puppetdb_service]
|
||||||
} else {
|
} else {
|
||||||
Package[$puppetdb_package] ->
|
Package[$puppetdb_package] ->
|
||||||
|
@ -284,6 +294,7 @@ class puppetdb::server (
|
||||||
Class['puppetdb::server::database'] ->
|
Class['puppetdb::server::database'] ->
|
||||||
Class['puppetdb::server::read_database'] ->
|
Class['puppetdb::server::read_database'] ->
|
||||||
Class['puppetdb::server::jetty'] ->
|
Class['puppetdb::server::jetty'] ->
|
||||||
|
Class['puppetdb::server::puppetdb'] ->
|
||||||
Service[$puppetdb_service]
|
Service[$puppetdb_service]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
36
manifests/server/puppetdb.pp
Normal file
36
manifests/server/puppetdb.pp
Normal file
|
@ -0,0 +1,36 @@
|
||||||
|
# PRIVATE CLASS - do not use directly
|
||||||
|
class puppetdb::server::puppetdb (
|
||||||
|
$certificate_whitelist_file = $puppetdb::params::certificate_whitelist_file,
|
||||||
|
$certificate_whitelist = $puppetdb::params::certificate_whitelist,
|
||||||
|
$confdir = $puppetdb::params::confdir,
|
||||||
|
) inherits puppetdb::params {
|
||||||
|
|
||||||
|
# Set the defaults
|
||||||
|
Ini_setting {
|
||||||
|
path => "${confdir}/puppetdb.ini",
|
||||||
|
ensure => present,
|
||||||
|
section => 'puppetdb',
|
||||||
|
}
|
||||||
|
|
||||||
|
$certificate_whitelist_setting_ensure = empty($certificate_whitelist) ? {
|
||||||
|
true => 'absent',
|
||||||
|
default => 'present',
|
||||||
|
}
|
||||||
|
|
||||||
|
# accept connections only from puppet master
|
||||||
|
ini_setting {'puppetdb-connections-from-master-only':
|
||||||
|
ensure => $certificate_whitelist_setting_ensure,
|
||||||
|
path => "${confdir}/puppetdb.ini",
|
||||||
|
section => 'puppetdb',
|
||||||
|
setting => 'certificate-whitelist',
|
||||||
|
value => $certificate_whitelist_file,
|
||||||
|
}
|
||||||
|
|
||||||
|
file { $certificate_whitelist_file:
|
||||||
|
ensure => $certificate_whitelist_setting_ensure,
|
||||||
|
content => template('puppetdb/certificate-whitelist.erb'),
|
||||||
|
mode => '0644',
|
||||||
|
owner => 0,
|
||||||
|
group => 0,
|
||||||
|
}
|
||||||
|
}
|
57
spec/unit/classes/server/puppetdb_ini_spec.rb
Normal file
57
spec/unit/classes/server/puppetdb_ini_spec.rb
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe 'puppetdb::server::puppetdb', :type => :class do
|
||||||
|
context 'on a supported platform' do
|
||||||
|
let(:facts) do
|
||||||
|
{
|
||||||
|
:osfamily => 'RedHat',
|
||||||
|
:fqdn => 'test.domain.local',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should contain_class('puppetdb::server::puppetdb') }
|
||||||
|
|
||||||
|
describe 'when using default values' do
|
||||||
|
it { should contain_ini_setting('puppetdb-connections-from-master-only').
|
||||||
|
with(
|
||||||
|
'ensure' => 'absent',
|
||||||
|
'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini',
|
||||||
|
'section' => 'puppetdb',
|
||||||
|
'setting' => 'certificate-whitelist',
|
||||||
|
'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist'
|
||||||
|
)}
|
||||||
|
it { should contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist').
|
||||||
|
with(
|
||||||
|
'ensure' => 'absent',
|
||||||
|
'owner' => 0,
|
||||||
|
'group' => 0,
|
||||||
|
'mode' => '0644',
|
||||||
|
'content' => ''
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'when restricting access to puppetdb' do
|
||||||
|
let(:params) do
|
||||||
|
{
|
||||||
|
'certificate_whitelist' => [ 'puppetmaster' ]
|
||||||
|
}
|
||||||
|
end
|
||||||
|
it { should contain_ini_setting('puppetdb-connections-from-master-only').
|
||||||
|
with(
|
||||||
|
'ensure' => 'present',
|
||||||
|
'path' => '/etc/puppetlabs/puppetdb/conf.d/puppetdb.ini',
|
||||||
|
'section' => 'puppetdb',
|
||||||
|
'setting' => 'certificate-whitelist',
|
||||||
|
'value' => '/etc/puppetlabs/puppetdb/certificate-whitelist'
|
||||||
|
)}
|
||||||
|
it { should contain_file('/etc/puppetlabs/puppetdb/certificate-whitelist').
|
||||||
|
with(
|
||||||
|
'ensure' => 'present',
|
||||||
|
'owner' => 0,
|
||||||
|
'group' => 0,
|
||||||
|
'mode' => '0644',
|
||||||
|
'content' => "puppetmaster\n"
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
3
templates/certificate-whitelist.erb
Normal file
3
templates/certificate-whitelist.erb
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
<% @certificate_whitelist.each do |cn| -%>
|
||||||
|
<%= cn %>
|
||||||
|
<% end -%>
|
Loading…
Reference in a new issue