Andrew Bogott has uploaded a new change for review. https://gerrit.wikimedia.org/r/325371
Change subject: Labs ldap: Hide the novaobserver account from everyone but keystone ...................................................................... Labs ldap: Hide the novaobserver account from everyone but keystone Bug: T150092 Change-Id: I10ea7b203fa5fed10e0110ab844c15eb6dcac4d8 --- M modules/openldap/templates/labs-acls.erb M modules/role/manifests/openldap/labs.pp 2 files changed, 8 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/71/325371/1 diff --git a/modules/openldap/templates/labs-acls.erb b/modules/openldap/templates/labs-acls.erb index d2a91ed..a5cb167 100644 --- a/modules/openldap/templates/labs-acls.erb +++ b/modules/openldap/templates/labs-acls.erb @@ -9,3 +9,9 @@ # novaadmin needs to run queries on all users. 10,000 users is less than # 'unlimited' but should keep us happy for a year at least :/ limits dn.exact="uid=novaadmin,ou=people,dc=wikimedia,dc=org" time=unlimited size=10000 + +# novaobserver is an account used only for keystone access. We don't want it +# to appear on wikitech, gerrit, etc. so limit access only to the keystone host +access to dn=uid=novaobserver,ou=people,dc=wikimedia,dc=org + by peername.ip=<%= @labs_keystone_ip %> users read + by * break diff --git a/modules/role/manifests/openldap/labs.pp b/modules/role/manifests/openldap/labs.pp index ba95b10..a16d517 100644 --- a/modules/role/manifests/openldap/labs.pp +++ b/modules/role/manifests/openldap/labs.pp 
@@ -7,6 +7,8 @@ $ldapconfig = hiera_hash('labsldapconfig', {}) $ldap_labs_hostname = $ldapconfig['hostname'] + $labs_keystone_ip = ipresolve(hiera('labs_keystone_host'),4) + system::role { 'role::openldap::labs': description => 'LDAP servers for labs (based on OpenLDAP)' } -- To view, visit https://gerrit.wikimedia.org/r/325371 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I10ea7b203fa5fed10e0110ab844c15eb6dcac4d8 Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
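Review bot: in the labs-acls.erb hunk, `by * break` does not hide the entry from anyone; it only ends this rule and hands every non-keystone client on to the next `access` directive, so wikitech, gerrit and everybody else still receive whatever the later, more general rules grant on `uid=novaobserver,ou=people,dc=wikimedia,dc=org`. If the comment ("limit access only to the keystone host") is meant literally, the fall-through needs to be an explicit deny, `by * none`, plus a separate clause for the bind itself, because a simple bind is evaluated as anonymous and therefore never matches `users`: without something like `by peername.ip=<%= @labs_keystone_ip %> anonymous auth` (or an `attrs=userPassword` rule) keystone cannot authenticate as novaobserver at all, and the comment above the `limits` line says novaadmin "needs to run queries on all users", so that account needs its own carve-out before a deny is added. Two smaller points: `dn=uid=novaobserver,...` with no style qualifier is taken as a regex and regexes are not anchored, so write `dn.exact=` here as the `limits dn.exact=` line directly above already does; and `peername.ip=` only matches IPv4 peers, which is consistent with `ipresolve(...,4)` but means a keystone connection arriving over IPv6 would hit `by * break`.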
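Review bot: in the labs.pp hunk, `$labs_keystone_ip` only reaches the ERB if `template('openldap/labs-acls.erb')` is evaluated in the scope of `role::openldap::labs` itself; if the template is rendered from a class inside the openldap module, `@labs_keystone_ip` is nil there and `<%= @labs_keystone_ip %>` renders as an empty string, leaving a `peername.ip=` with no address that cannot match the keystone host. Either confirm that the render site is this class or pass the value through as a class parameter. Also, `ipresolve(hiera('labs_keystone_host'),4)` bakes a single IPv4 address into the ACL at catalog compile time, so the ACL is only as current as the last puppet run on the LDAP server and a keystone host that talks to LDAP over IPv6 will never match; if that is possible, either pin keystone's LDAP client to v4 or add a matching `peername.ipv6=` clause in the template. Minor style point: the surrounding code takes its settings from `hiera_hash('labsldapconfig', {})`, so `labs_keystone_host` would be more consistent as a key in that hash than as a separate bare `hiera()` lookup.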