Disable SSH login for nova_migration user when migration over ssh is disabled.
authorOliver Walsh <owalsh@redhat.com>
Thu, 4 May 2017 19:21:51 +0000 (20:21 +0100)
committerOliver Walsh <owalsh@redhat.com>
Fri, 5 May 2017 11:36:05 +0000 (12:36 +0100)
If migration over ssh is enabled, and then later disabled, the ssh config
for the nova_migration user remains intact. This change clobbers the migration
SSH key to disable login when it is not necessary.

Change-Id: Icc6d5d4f4671b3525a731d334ca6fa7c5419dac3
Closes-Bug: #1688321

manifests/profile/base/nova.pp
spec/classes/tripleo_profile_base_nova_spec.rb

index 65355d4..6065e62 100644 (file)
@@ -217,31 +217,42 @@ class tripleo::profile::base::nova (
           notify  => Service['sshd']
         }
 
-        file { '/etc/nova/migration/authorized_keys':
-          content => $migration_ssh_key['public_key'],
-          mode    => '0640',
-          owner   => 'root',
-          group   => 'nova_migration',
-          require => Package['openstack-nova-migration'],
-        }
+        $migration_authorized_keys = $migration_ssh_key['public_key']
+        $migration_identity = $migration_ssh_key['private_key']
+        $migration_user_shell = '/bin/bash'
+      }
+      else {
+        # Remove the keys and prevent login when migration over SSH is not enabled
+        $migration_authorized_keys = '# Migration over SSH disabled by TripleO'
+        $migration_identity = '# Migration over SSH disabled by TripleO'
+        $migration_user_shell = '/sbin/nologin'
+      }
 
-        # Client side
-        file { '/etc/nova/migration/identity':
-          content => $migration_ssh_key['private_key'],
-          mode    => '0600',
-          owner   => 'nova',
-          group   => 'nova',
-          require => Package['openstack-nova-migration'],
-        }
-        $migration_pkg_ensure = installed
-      } else {
-        $migration_pkg_ensure = absent
+      package { 'openstack-nova-migration':
+        ensure => present,
+        tag    => ['openstack', 'nova-package'],
+      }
+
+      file { '/etc/nova/migration/authorized_keys':
+        content => $migration_authorized_keys,
+        mode    => '0640',
+        owner   => 'root',
+        group   => 'nova_migration',
+        require => Package['openstack-nova-migration']
+      }
+
+      file { '/etc/nova/migration/identity':
+        content => $migration_identity,
+        mode    => '0600',
+        owner   => 'nova',
+        group   => 'nova',
+        require => Package['openstack-nova-migration']
+      }
+
+      user {'nova_migration':
+        shell   => $migration_user_shell,
+        require => Package['openstack-nova-migration']
       }
-    } else {
-      $migration_pkg_ensure = absent
-    }
-    package {'openstack-nova-migration':
-      ensure => $migration_pkg_ensure
     }
   }
 }
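Review bot: The outer `else` branch that used to set `$migration_pkg_ensure = absent` is deleted at the end of this hunk and nothing replaces it, so a node that later falls out of the enclosing condition (which begins above the hunk, presumably the nova-compute-enabled case) keeps whatever `authorized_keys`, `identity` and `/bin/bash` shell an earlier enabled run wrote — the same stale-login problem this commit fixes for the inner branch. If that path can be reached after migration was enabled, clobber there too, e.g. `file { ['/etc/nova/migration/authorized_keys', '/etc/nova/migration/identity']: ensure => absent }` (only manage the `user` shell there if the package is guaranteed to have created the account), and adjust the spec that currently asserts those files are simply not managed. Separately, in the enabled branch the deployed key gives `nova_migration` an unrestricted `/bin/bash` login on every compute node that holds it; unless something outside the hunk forces a command, a restricted wrapper shell or a `command=`/`restrict` prefix on the authorized key would limit what a leaked `identity` file can do. The disabled-branch placeholders themselves look right: a `#` line is ignored by sshd, the private key is overwritten rather than left readable, and `/sbin/nologin` closes the remaining path.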
index d77ba1b..a48c94f 100644 (file)
@@ -95,9 +95,8 @@ describe 'tripleo::profile::base::nova' do
         is_expected.to contain_class('nova::cache')
         is_expected.to contain_class('nova::placement')
         is_expected.to_not contain_class('nova::migration::libvirt')
-        is_expected.to contain_package('openstack-nova-migration').with(
-          :ensure => 'absent'
-        )
+        is_expected.to_not contain_file('/etc/nova/migration/authorized_keys')
+        is_expected.to_not contain_file('/etc/nova/migration/identity')
       }
     end
 
@@ -132,7 +131,22 @@ describe 'tripleo::profile::base::nova' do
           :configure_nova    => params[:nova_compute_enabled]
         )
         is_expected.to contain_package('openstack-nova-migration').with(
-          :ensure => 'absent'
+          :ensure => 'present'
+        )
+        is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+          :content => '# Migration over SSH disabled by TripleO',
+          :mode    => '0640',
+          :owner   => 'root',
+          :group   => 'nova_migration',
+        )
+        is_expected.to contain_file('/etc/nova/migration/identity').with(
+          :content => '# Migration over SSH disabled by TripleO',
+          :mode    => '0600',
+          :owner   => 'nova',
+          :group   => 'nova',
+        )
+        is_expected.to contain_user('nova_migration').with(
+          :shell => '/sbin/nologin'
         )
       }
     end
@@ -169,7 +183,22 @@ describe 'tripleo::profile::base::nova' do
           :configure_nova    => params[:nova_compute_enabled],
         )
         is_expected.to contain_package('openstack-nova-migration').with(
-          :ensure => 'absent'
+          :ensure => 'present'
+        )
+        is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
+          :content => '# Migration over SSH disabled by TripleO',
+          :mode    => '0640',
+          :owner   => 'root',
+          :group   => 'nova_migration',
+        )
+        is_expected.to contain_file('/etc/nova/migration/identity').with(
+          :content => '# Migration over SSH disabled by TripleO',
+          :mode    => '0600',
+          :owner   => 'nova',
+          :group   => 'nova',
+        )
+        is_expected.to contain_user('nova_migration').with(
+          :shell => '/sbin/nologin'
         )
       }
     end
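Review bot: The expectation block added in this hunk is byte-for-byte the same as the one added in the previous hunk, and the three enabled-case hunks below repeat the same `authorized_keys`/`identity`/`nova_migration` assertions with `'ssh-rsa bar'` and `'/bin/bash'`; a `shared_examples 'migration over ssh disabled'` / `'migration over ssh enabled'` pair invoked with `it_behaves_like` from each context would keep the five sites from drifting the next time the placeholder string or a mode changes. At minimum, hoist the literal into `let(:disabled_marker) { '# Migration over SSH disabled by TripleO' }` so the marker is spelled once in the spec. The enclosing `context`/`describe` blocks start and end outside this hunk.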
@@ -223,6 +252,9 @@ describe 'tripleo::profile::base::nova' do
           }
         )
         is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
+        is_expected.to contain_package('openstack-nova-migration').with(
+          :ensure => 'present'
+        )
         is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
           :content => 'ssh-rsa bar',
           :mode => '0640',
@@ -235,8 +267,8 @@ describe 'tripleo::profile::base::nova' do
           :owner => 'nova',
           :group => 'nova',
         )
-        is_expected.to contain_package('openstack-nova-migration').with(
-          :ensure => 'installed'
+        is_expected.to contain_user('nova_migration').with(
+          :shell => '/bin/bash'
         )
       }
     end
@@ -297,6 +329,9 @@ describe 'tripleo::profile::base::nova' do
             'DenyUsers' => 'nova_migration'
           }
         )
+        is_expected.to contain_package('openstack-nova-migration').with(
+          :ensure => 'present'
+        )
         is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
           :content => 'ssh-rsa bar',
           :mode => '0640',
@@ -309,8 +344,8 @@ describe 'tripleo::profile::base::nova' do
           :owner => 'nova',
           :group => 'nova',
         )
-        is_expected.to contain_package('openstack-nova-migration').with(
-          :ensure => 'installed'
+        is_expected.to contain_user('nova_migration').with(
+          :shell => '/bin/bash'
         )
       }
     end
@@ -365,6 +400,9 @@ describe 'tripleo::profile::base::nova' do
           }
         )
         is_expected.to_not contain_ssh__server__match_block('nova_migration deny')
+        is_expected.to contain_package('openstack-nova-migration').with(
+          :ensure => 'present'
+        )
         is_expected.to contain_file('/etc/nova/migration/authorized_keys').with(
           :content => 'ssh-rsa bar',
           :mode => '0640',
@@ -377,8 +415,8 @@ describe 'tripleo::profile::base::nova' do
           :owner => 'nova',
           :group => 'nova',
         )
-        is_expected.to contain_package('openstack-nova-migration').with(
-          :ensure => 'installed'
+        is_expected.to contain_user('nova_migration').with(
+          :shell => '/bin/bash'
         )
       }
     end