summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorvarac <varacanero@zeromail.org>2015-10-01 12:06:02 +0200
committervarac <varacanero@zeromail.org>2015-10-05 13:18:44 +0200
commit4fc7419598a3baf564f063b7330b9cf9115420b5 (patch)
tree9a98dac96b6133daa3fce13329f25f25a2fc2c70
parent659587b9a56274d87c8c8deda499ccea85f875b5 (diff)
[feat] Create-user-db: use couchdb admin rights
- create soledad-admin user - deploy netrc file for userdb creation - Move soledad-server.conf from /etc/leap to /etc/soledad - make soledad-server.conf group-accessible for the soledad group, so the soledad-admin user can read it - Resolves: #7502
-rw-r--r--puppet/modules/site_config/manifests/remove_files.pp1
-rw-r--r--puppet/modules/site_couchdb/manifests/setup.pp35
-rw-r--r--puppet/modules/soledad/manifests/init.pp17
-rw-r--r--puppet/modules/soledad/manifests/server.pp21
-rw-r--r--puppet/modules/soledad/templates/soledad-server.conf.erb5
5 files changed, 56 insertions, 23 deletions
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp
index 776c3731..3532c0f0 100644
--- a/puppet/modules/site_config/manifests/remove_files.pp
+++ b/puppet/modules/site_config/manifests/remove_files.pp
@@ -41,6 +41,7 @@ class site_config::remove_files {
'/srv/leap/couchdb/designs/tmp_users':
recurse => true,
rmdirs => true;
+ '/etc/leap/soledad-server.conf':;
}
# leax-mx logged to /var/log/leap_mx.log in the past
diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp
index 69bd1c6a..fef48505 100644
--- a/puppet/modules/site_couchdb/manifests/setup.pp
+++ b/puppet/modules/site_couchdb/manifests/setup.pp
@@ -12,27 +12,40 @@ class site_couchdb::setup {
$user = $site_couchdb::couchdb_admin_user
- # /etc/couchdb/couchdb-admin.netrc is deployed by couchdb::query::setup
- # we symlink to couchdb.netrc for puppet commands.
- # we symlink this to /root/.netrc for couchdb_scripts (eg. backup)
- # and makes life easier for the admin (i.e. using curl/wget without
- # passing credentials)
+ # setup /etc/couchdb/couchdb-admin.netrc for couchdb admin access
+ couchdb::query::setup { 'localhost':
+ user => $user,
+ pw => $site_couchdb::couchdb_admin_pw
+ }
+
+ # We symlink /etc/couchdb/couchdb-admin.netrc to /etc/couchdb/couchdb.netrc
+ # for puppet commands, and to to /root/.netrc for couchdb_scripts
+ # (eg. backup) and to makes life easier for the admin on the command line
+ # (i.e. using curl/wget without passing credentials)
file {
'/etc/couchdb/couchdb.netrc':
ensure => link,
target => "/etc/couchdb/couchdb-${user}.netrc";
-
'/root/.netrc':
ensure => link,
target => '/etc/couchdb/couchdb.netrc';
+ }
- '/srv/leap/couchdb':
- ensure => directory
+ # setup /etc/couchdb/couchdb-soledad-admin.netrc file for couchdb admin
+ # access, accessible only for the soledad-admin user to create soledad
+ # userdbs
+ file { '/etc/couchdb/couchdb-soledad-admin.netrc':
+ content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}",
+ mode => '0400',
+ owner => 'soledad-admin',
+ group => 'root',
+ require => [ Package['couchdb'], User['soledad-admin'] ];
}
- couchdb::query::setup { 'localhost':
- user => $user,
- pw => $site_couchdb::couchdb_admin_pw,
+ # Checkout couchdb_scripts repo
+ file {
+ '/srv/leap/couchdb':
+ ensure => directory
}
vcsrepo { '/srv/leap/couchdb/scripts':
diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp
index 7cf0b729..6a2c328e 100644
--- a/puppet/modules/soledad/manifests/init.pp
+++ b/puppet/modules/soledad/manifests/init.pp
@@ -1,18 +1,29 @@
+# set up users, group and directories for soledad-server
+# although the soledad users are already created by the
+# soledad-server package
class soledad {
group { 'soledad':
- ensure => present,
- allowdupe => false;
+ ensure => present,
+ system => true,
}
user { 'soledad':
ensure => present,
- allowdupe => false,
+ system => true,
gid => 'soledad',
home => '/srv/leap/soledad',
require => Group['soledad'];
}
+ user { 'soledad-admin':
+ ensure => present,
+ system => true,
+ gid => 'soledad',
+ home => '/srv/leap/soledad',
+ require => Group['soledad'];
+ }
+
file {
'/srv/leap/soledad':
ensure => directory,
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index b71fab69..e437c8f2 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -1,3 +1,4 @@
+# setup soledad-server
class soledad::server {
tag 'leap_service'
include soledad
@@ -22,13 +23,19 @@ class soledad::server {
# SOLEDAD CONFIG
#
- file { '/etc/leap/soledad-server.conf':
- content => template('soledad/soledad-server.conf.erb'),
- owner => 'soledad',
- group => 'soledad',
- mode => '0600',
- notify => Service['soledad-server'],
- require => Class['soledad'];
+ file {
+ '/etc/soledad':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755';
+ '/etc/soledad/soledad-server.conf':
+ content => template('soledad/soledad-server.conf.erb'),
+ owner => 'soledad',
+ group => 'soledad',
+ mode => '0640',
+ notify => Service['soledad-server'],
+ require => Class['soledad'];
}
package { $sources['soledad']['package']:
diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb
index 47d1f6e4..42cf44d8 100644
--- a/puppet/modules/soledad/templates/soledad-server.conf.erb
+++ b/puppet/modules/soledad/templates/soledad-server.conf.erb
@@ -1,3 +1,4 @@
[soledad-server]
-couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
-
+couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+create_cmd = sudo -u soledad-admin /usr/bin/create-user-db
+admin_netrc = /etc/couchdb/couchdb-soledad-admin.netrc