authorLuke Kanies <luke@madstop.com>2009-08-19 17:49:04 -0700
committerJames Turnbull <james@lovedthanlost.net>2009-08-24 11:36:23 +1000
commitea417d60915fcb68aeebaf750abb57cb5604fe6d (patch)
treeb7099e28b24aec71a8a86ee67ade0adf2b4f8dbd
parenta49915ad928e01aa1a5505ae52125fac6f4f2744 (diff)
Fixing #2460 - puppetmasterd can now read the cert and key
This follows on from the previous commits which made Puppet resilient to the service user being absent. This just changes the default owner of all of the cert-related files to be the service user, which means that on the server all of these files will be owned by that user and on the client, at least when the service user does not exist, they will be owned by root. Signed-off-by: Luke Kanies <luke@madstop.com>
-rw-r--r--lib/puppet/defaults.rb29
-rwxr-xr-xspec/integration/defaults.rb10
2 files changed, 35 insertions, 4 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 383b491d7..3a0feeca3 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -213,50 +213,71 @@ module Puppet
:certdnsnames => ['', "The DNS names on the Server certificate as a colon-separated list.
If it's anything other than an empty string, it will be used as an alias in the created
certificate. By default, only the server gets an alias set up, and only for 'puppet'."],
- :certdir => ["$ssldir/certs", "The certificate directory."],
+ :certdir => {
+ :default => "$ssldir/certs",
+ :owner => "service",
+ :desc => "The certificate directory."
+ },
:ssldir => {
:default => "$confdir/ssl",
:mode => 0771,
- :owner => "root",
+ :owner => "service",
:desc => "Where SSL certificates are kept."
},
- :publickeydir => ["$ssldir/public_keys", "The public key directory."],
- :requestdir => ["$ssldir/certificate_requests", "Where host certificate requests are stored."],
+ :publickeydir => {
+ :default => "$ssldir/public_keys",
+ :owner => "service",
+ :desc => "The public key directory."
+ },
+ :requestdir => {
+ :default => "$ssldir/certificate_requests",
+ :owner => "service",
+ :desc => "Where host certificate requests are stored."
+ },
:privatekeydir => { :default => "$ssldir/private_keys",
:mode => 0750,
+ :owner => "service",
:desc => "The private key directory."
},
:privatedir => { :default => "$ssldir/private",
:mode => 0750,
+ :owner => "service",
:desc => "Where the client stores private certificate information."
},
:passfile => { :default => "$privatedir/password",
:mode => 0640,
+ :owner => "service",
:desc => "Where puppetd stores the password for its private key.
Generally unused."
},
:hostcsr => { :default => "$ssldir/csr_$certname.pem",
:mode => 0644,
+ :owner => "service",
:desc => "Where individual hosts store and look for their certificate requests."
},
:hostcert => { :default => "$certdir/$certname.pem",
:mode => 0644,
+ :owner => "service",
:desc => "Where individual hosts store and look for their certificates."
},
:hostprivkey => { :default => "$privatekeydir/$certname.pem",
:mode => 0600,
+ :owner => "service",
:desc => "Where individual hosts store and look for their private key."
},
:hostpubkey => { :default => "$publickeydir/$certname.pem",
:mode => 0644,
+ :owner => "service",
:desc => "Where individual hosts store and look for their public key."
},
:localcacert => { :default => "$certdir/ca.pem",
:mode => 0644,
+ :owner => "service",
:desc => "Where each client stores the CA certificate."
},
:hostcrl => { :default => "$ssldir/crl.pem",
:mode => 0644,
+ :owner => "service",
:desc => "Where the host's certificate revocation list can be found.
This is distinct from the certificate authority's CRL."
}
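Review bot: The added `:owner => "service"` lines make the service user the owner of every SSL path in this hunk, including `:hostprivkey` (0600), `:passfile` (0640) and `:localcacert`, so with the existing modes that account can rewrite its own private key and the CA certificate it trusts rather than merely read them. #2460 only needs puppetmasterd to read the cert and key, so the less-privileged layout of `:owner => "root"` with `:group => "service"` and group-readable modes (for example `:mode => 0640` on `:hostprivkey` and `:mode => 0750` on `:privatekeydir`) may be worth considering; `:group` is an existing setting key, as the `rundir` assertion in spec/integration/defaults.rb shows. Whether that layout still works on a client where the service user is absent is not visible here and would need checking against the owner-resolution code. Separately, the converted `:certdir`, `:publickeydir` and `:requestdir` entries gain an owner but, unlike their siblings, no `:mode`, so an explicit `:mode` or a comment naming the inherited default would make the resulting permissions reviewable in this file. The enclosing settings hash begins and ends outside the hunk.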
diff --git a/spec/integration/defaults.rb b/spec/integration/defaults.rb
index 35ac3b12b..c38a1a14b 100755
--- a/spec/integration/defaults.rb
+++ b/spec/integration/defaults.rb
@@ -55,6 +55,16 @@ describe "Puppet defaults" do
Puppet.settings.setting(:rundir).group.should be_nil
end
+ it "should specify that the host private key should be owned by the service user" do
+ Puppet.settings.stubs(:service_user_available?).returns true
+ Puppet.settings.setting(:hostprivkey).owner.should == Puppet.settings[:user]
+ end
+
+ it "should specify that the host certificate should be owned by the service user" do
+ Puppet.settings.stubs(:service_user_available?).returns true
+ Puppet.settings.setting(:hostcert).owner.should == Puppet.settings[:user]
+ end
+
it "should use a bind address of ''" do
Puppet.settings[:bindaddress].should == ""
end
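Review bot: The two new examples only exercise the branch where `service_user_available?` is true; the fallback the commit message relies on for clients without a service user is left unasserted. A third example that stubs `Puppet.settings.stubs(:service_user_available?).returns false` and asserts `Puppet.settings.setting(:hostprivkey).owner.should == "root"` (the value the message says the fallback yields — confirm against the resolution code) would pin that path. `:passfile` and `:localcacert` receive the same owner change but have no example either. The `describe` block begins and ends outside the hunk.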