From 979474d89d5dc9f9c80233f649050a61bccf778d Mon Sep 17 00:00:00 2001 From: TwizzyDizzy Date: Fri, 5 Jan 2024 10:46:56 +0100 Subject: [PATCH 1/6] Implement raw ACL passing for Sentinel and Redis --- manifests/config.pp | 1 + manifests/init.pp | 1 + manifests/instance.pp | 2 ++ manifests/sentinel.pp | 1 + templates/redis-sentinel.conf.erb | 4 ++++ templates/redis.conf.epp | 5 +++++ 6 files changed, 14 insertions(+) diff --git a/manifests/config.pp b/manifests/config.pp index fc3b6d61..beedbdc7 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -35,6 +35,7 @@ daemonize => $redis::daemonize, service_name => $redis::service_name, manage_service_file => $redis::manage_service_file, + acls => $redis::acls, } } diff --git a/manifests/init.pp b/manifests/init.pp index 6b79e612..ebdbaa4c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -473,6 +473,7 @@ Optional[Boolean] $jemalloc_bg_thread = undef, Optional[Boolean] $rdb_save_incremental_fsync = undef, Optional[String[1]] $dnf_module_stream = undef, + Optional[String[1]] $acls = undef, ) inherits redis::params { contain redis::preinstall contain redis::install diff --git a/manifests/instance.pp b/manifests/instance.pp index 7e139bf1..0a7b055a 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp @@ -405,6 +405,7 @@ Integer[1] $active_defrag_max_scan_fields = $redis::active_defrag_max_scan_fields, Optional[Boolean] $jemalloc_bg_thread = $redis::jemalloc_bg_thread, Optional[Boolean] $rdb_save_incremental_fsync = $redis::rdb_save_incremental_fsync, + Optional[String[1]] $acls = $redis::acls, ) { if $title == 'default' { $redis_file_name_orig = $config_file_orig @@ -596,6 +597,7 @@ active_defrag_max_scan_fields => $active_defrag_max_scan_fields, jemalloc_bg_thread => $jemalloc_bg_thread, rdb_save_incremental_fsync => $rdb_save_incremental_fsync, + acls => $acls, } ), } diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp index 87bfa9e4..36357aeb 100644 --- a/manifests/sentinel.pp 
+++ b/manifests/sentinel.pp @@ -180,6 +180,7 @@ Stdlib::Absolutepath $working_dir = $redis::params::sentinel_working_dir, Optional[Stdlib::Absolutepath] $notification_script = undef, Optional[Stdlib::Absolutepath] $client_reconfig_script = undef, + Optional[String[1]] $acls = undef, ) inherits redis::params { $auth_pass_unsensitive = if $auth_pass =~ Sensitive { $auth_pass.unwrap diff --git a/templates/redis-sentinel.conf.erb b/templates/redis-sentinel.conf.erb index b3ba03ea..371d7a54 100644 --- a/templates/redis-sentinel.conf.erb +++ b/templates/redis-sentinel.conf.erb @@ -54,3 +54,7 @@ tls-replication <%= @tls_replication ? 'yes' : 'no' %> loglevel <%= @log_level %> logfile <%= @log_file %> + +<% if @acls -%> +<%= @acls %> +<% end -%> diff --git a/templates/redis.conf.epp b/templates/redis.conf.epp index dd9223d4..3e043e4c 100644 --- a/templates/redis.conf.epp +++ b/templates/redis.conf.epp @@ -99,6 +99,7 @@ Integer[1] $active_defrag_max_scan_fields, Optional[Boolean] $jemalloc_bg_thread, Optional[Boolean] $rdb_save_incremental_fsync, + Optional[String[1]] $acls, | -%> # Redis configuration file example @@ -1201,3 +1202,7 @@ loadmodule <%= $module_path %> <% if $extra_config_file { -%> include <%= $extra_config_file %> <% } -%> + +<% if $acls { -%> +<%= $acls %> +<% } -%> From 085ff129467bf018d1287807deb205e621a3787a Mon Sep 17 00:00:00 2001 From: TwizzyDizzy Date: Fri, 5 Jan 2024 10:59:23 +0100 Subject: [PATCH 2/6] Add documentation --- manifests/init.pp | 5 +++++ manifests/instance.pp | 5 +++++ manifests/sentinel.pp | 6 ++++++ 3 files changed, 16 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index ebdbaa4c..280f46a3 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -329,6 +329,11 @@ # @param dnf_module_stream # Manage the DNF module and set the version. This only makes sense on distributions # that use DNF package manager, such as EL8 or Fedora. +# @param acls +# This is a way to pass raw ACLs to Redis. Must be in the form of +# +# user USERNAME1 [additional ACL options] +# user USERNAME2 [additional ACL options] # @param manage_service_file # Determine if the systemd service file should be managed # diff --git a/manifests/instance.pp b/manifests/instance.pp index 0a7b055a..7cdabb82 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp @@ -278,6 +278,11 @@ # @param rdb_save_incremental_fsync # When redis saves RDB file, if the following option is enabled # the file will be fsync-ed every 32 MB of data generated. +# @param acls +# This is a way to pass raw ACLs to Redis. Must be in the form of +# +# user USERNAME1 [additional ACL options] +# user USERNAME2 [additional ACL options] # @param output_buffer_limit_slave # Value of client-output-buffer-limit-slave in redis config # @param output_buffer_limit_pubsub diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp index 36357aeb..7b84217d 100644 --- a/manifests/sentinel.pp +++ b/manifests/sentinel.pp @@ -130,6 +130,12 @@ # @param client_reconfig_script # Path to the client-reconfig script # +# @param acls +# This is a way to pass raw ACLs to Redis. Must be in the form of +# +# user USERNAME1 [additional ACL options] +# user USERNAME2 [additional ACL options] +# # @example Basic inclusion # include redis::sentinel # From 8e93370db4e4264227999eb327f4c09465384081 Mon Sep 17 00:00:00 2001 
From: cruelsmith <92088441+cruelsmith@users.noreply.github.com> Date: Mon, 5 Feb 2024 19:13:53 +0100 Subject: [PATCH 3/6] Convert acls in an array and add spec tests --- REFERENCE.md | 36 +++++++++++++++++++++++++++++ manifests/init.pp | 2 +- manifests/instance.pp | 2 +- manifests/sentinel.pp | 2 +- spec/classes/redis_sentinel_spec.rb | 13 +++++++++++ spec/classes/redis_spec.rb | 13 +++++++++++ templates/redis-sentinel.conf.erb | 6 +++-- templates/redis.conf.epp | 8 ++++--- 8 files changed, 74 insertions(+), 8 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 111d33d7..4853e35a 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -224,6 +224,7 @@ The following parameters are available in the `redis` class: * [`jemalloc_bg_thread`](#-redis--jemalloc_bg_thread) * [`rdb_save_incremental_fsync`](#-redis--rdb_save_incremental_fsync) * [`dnf_module_stream`](#-redis--dnf_module_stream) +* [`acls`](#-redis--acls) * [`manage_service_file`](#-redis--manage_service_file) ##### `activerehashing` @@ -1370,6 +1371,17 @@ that use DNF package manager, such as EL8 or Fedora. Default value: `undef` +##### `acls` + +Data type: `Array[String[1]]` + +This is a way to pass raw ACLs to Redis. Must be in the form of + + user USERNAME1 [additional ACL options] + user USERNAME2 [additional ACL options] + +Default value: `[]` + ##### `manage_service_file` Data type: `Boolean` @@ -1511,6 +1523,7 @@ The following parameters are available in the `redis::sentinel` class: * [`working_dir`](#-redis--sentinel--working_dir) * [`notification_script`](#-redis--sentinel--notification_script) * [`client_reconfig_script`](#-redis--sentinel--client_reconfig_script) +* [`acls`](#-redis--sentinel--acls) * [`service_ensure`](#-redis--sentinel--service_ensure) ##### `auth_pass` 
@@ -1838,6 +1851,17 @@ Path to the client-reconfig script Default value: `undef` +##### `acls` + +Data type: `Array[String[1]]` + +This is a way to pass raw ACLs to Redis. Must be in the form of + + user USERNAME1 [additional ACL options] + user USERNAME2 [additional ACL options] + +Default value: `[]` + ##### `service_ensure` Data type: `Stdlib::Ensure::Service` @@ -1986,6 +2010,7 @@ The following parameters are available in the `redis::instance` defined type: * [`active_defrag_max_scan_fields`](#-redis--instance--active_defrag_max_scan_fields) * [`jemalloc_bg_thread`](#-redis--instance--jemalloc_bg_thread) * [`rdb_save_incremental_fsync`](#-redis--instance--rdb_save_incremental_fsync) +* [`acls`](#-redis--instance--acls) * [`output_buffer_limit_slave`](#-redis--instance--output_buffer_limit_slave) * [`output_buffer_limit_pubsub`](#-redis--instance--output_buffer_limit_pubsub) @@ -2973,6 +2998,17 @@ the file will be fsync-ed every 32 MB of data generated. Default value: `$redis::rdb_save_incremental_fsync` +##### `acls` + +Data type: `Array[String[1]]` + +This is a way to pass raw ACLs to Redis. Must be in the form of + + user USERNAME1 [additional ACL options] + user USERNAME2 [additional ACL options] + +Default value: `$redis::acls` + ##### `output_buffer_limit_slave` Data type: `String[1]` diff --git a/manifests/init.pp b/manifests/init.pp index 280f46a3..9ec2ed53 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -478,7 +478,7 @@ Optional[Boolean] $jemalloc_bg_thread = undef, Optional[Boolean] $rdb_save_incremental_fsync = undef, Optional[String[1]] $dnf_module_stream = undef, - Optional[String[1]] $acls = undef, + Array[String[1]] $acls = [], ) inherits redis::params { contain redis::preinstall contain redis::install diff --git a/manifests/instance.pp b/manifests/instance.pp index 7cdabb82..c28611e6 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp 
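Review bot: The element type `Array[String[1]]` on the new `$acls` parameter of the `redis` class accepts any non-empty string, and the templates write each element into redis.conf unchanged, so a value that does not begin with `user` (for example `requirepass ...` or `include /path`) or that carries an embedded newline becomes arbitrary extra configuration rather than an ACL. A stricter element type rejects that at catalog compile time instead of at the next Redis restart: `Array[Pattern[/\Auser[ \t]+[^\r\n]+\z/]] $acls = [],`. If adopted, the same type belongs on `redis::instance`, `redis::sentinel` and the EPP parameter block so the declarations stay in agreement.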
@@ -410,7 +410,7 @@ Integer[1] $active_defrag_max_scan_fields = $redis::active_defrag_max_scan_fields, Optional[Boolean] $jemalloc_bg_thread = $redis::jemalloc_bg_thread, Optional[Boolean] $rdb_save_incremental_fsync = $redis::rdb_save_incremental_fsync, - Optional[String[1]] $acls = $redis::acls, + Array[String[1]] $acls = $redis::acls, ) { if $title == 'default' { $redis_file_name_orig = $config_file_orig diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp index 7b84217d..644e15b4 100644 --- a/manifests/sentinel.pp +++ b/manifests/sentinel.pp @@ -186,7 +186,7 @@ Stdlib::Absolutepath $working_dir = $redis::params::sentinel_working_dir, Optional[Stdlib::Absolutepath] $notification_script = undef, Optional[Stdlib::Absolutepath] $client_reconfig_script = undef, - Optional[String[1]] $acls = undef, + Array[String[1]] $acls = [], ) inherits redis::params { $auth_pass_unsensitive = if $auth_pass =~ Sensitive { $auth_pass.unwrap diff --git a/spec/classes/redis_sentinel_spec.rb b/spec/classes/redis_sentinel_spec.rb index 5e415bf3..945d8561 100644 --- a/spec/classes/redis_sentinel_spec.rb +++ b/spec/classes/redis_sentinel_spec.rb @@ -84,6 +84,19 @@ it { is_expected.to contain_package(sentinel_package_name).with_ensure('installed') } end + describe 'with acls' do + let(:params) do + { + acls: ['user readolny on nopass ~* resetchannels -@all +get'], + } + end + + it { + is_expected.to contain_file(config_file_orig). + with_content(%r{^user readolny on nopass ~\* resetchannels -@all \+get$}) + } + end + describe 'with custom parameters' do let(:pre_condition) do <<-PUPPET diff --git a/spec/classes/redis_spec.rb b/spec/classes/redis_spec.rb index ff204c0a..9629a42a 100644 --- a/spec/classes/redis_spec.rb +++ b/spec/classes/redis_spec.rb 
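Review bot: The `user` lines `redis::sentinel` now appends to sentinel.conf are only understood by Sentinel builds that support ACLs, which to my knowledge means Redis 6.2 or newer, and neither this hunk nor the `@param acls` text gates or documents that; on an older package the generated file makes the sentinel service fail to start on the next run. A sentence in the sentinel `@param acls` doc such as `Requires a Sentinel that supports ACL user directives (Redis 6.2+); older versions reject the generated config.` would make the constraint explicit. The element type here should also match whatever the `redis` class ends up using so both classes validate values the same way.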
@@ -1554,6 +1554,19 @@ class { 'redis': } end + describe 'with acls' do + let(:params) do + { + acls: ['user readolny on nopass ~* resetchannels -@all +get'], + } + end + + it { + is_expected.to contain_file(config_file_orig). + with_content(%r{^user readolny on nopass ~\* resetchannels -@all \+get$}) + } + end + describe 'test io-threads for redis6' do let(:params) do { diff --git a/templates/redis-sentinel.conf.erb b/templates/redis-sentinel.conf.erb index 371d7a54..283743c1 100644 --- a/templates/redis-sentinel.conf.erb +++ b/templates/redis-sentinel.conf.erb @@ -54,7 +54,9 @@ tls-replication <%= @tls_replication ? 'yes' : 'no' %> loglevel <%= @log_level %> logfile <%= @log_file %> +<% unless @acls.empty? -%> -<% if @acls -%> -<%= @acls %> +<% @acls.each do |acl| -%> +<%= acl %> +<% end -%> <% end -%> diff --git a/templates/redis.conf.epp b/templates/redis.conf.epp index 3e043e4c..db32607d 100644 --- a/templates/redis.conf.epp +++ b/templates/redis.conf.epp @@ -99,7 +99,7 @@ Integer[1] $active_defrag_max_scan_fields, Optional[Boolean] $jemalloc_bg_thread, Optional[Boolean] $rdb_save_incremental_fsync, - Optional[String[1]] $acls, + Array[String[1]] $acls, | -%> # Redis configuration file example @@ -1202,7 +1202,9 @@ loadmodule <%= $module_path %> <% if $extra_config_file { -%> include <%= $extra_config_file %> <% } -%> +<% unless $acls.empty { -%> -<% if $acls { -%> -<%= $acls %> +<% $acls.each |$acl| { -%> +<%= $acl %> +<% } -%> <% } -%> From 30ee006f5231ff851c311283b2396bb106bf9f65 Mon Sep 17 00:00:00 2001 From: TwizzyDizzy Date: Tue, 6 Feb 2024 11:18:43 +0100 Subject: [PATCH 4/6] Adjust documentation, after moving @acls from type string to array --- manifests/instance.pp | 7 ++++--- manifests/sentinel.pp | 8 ++++---- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/manifests/instance.pp b/manifests/instance.pp index c28611e6..8bd2d74a 100644 --- a/manifests/instance.pp +++ b/manifests/instance.pp 
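Review bot: The `$acls` lines are appended to redis.conf after `include <%= $extra_config_file %>`, and Redis, to my knowledge, refuses to start when `user` directives appear in the main config while an `aclfile` is also configured, so an extra config file (or anything managed outside this module) that sets `aclfile` turns a valid-looking catalog into a service that will not come up. That interaction deserves a comment next to the loop, e.g. `# ACL user lines; must not be combined with an aclfile directive anywhere in the effective config`, and a sentence in the `acls` parameter docs. Appending the loop after the include also fixes the relative order of these lines and anything the included file says about the same users, which is fine but currently undocumented.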
@@ -279,10 +279,11 @@ # When redis saves RDB file, if the following option is enabled # the file will be fsync-ed every 32 MB of data generated. # @param acls -# This is a way to pass raw ACLs to Redis. Must be in the form of +# This is a way to pass an array of raw ACLs to Redis. The ACLs must be +# in the form of: +# +# user USERNAME [additional ACL options] # -# user USERNAME1 [additional ACL options] -# user USERNAME2 [additional ACL options] # @param output_buffer_limit_slave # Value of client-output-buffer-limit-slave in redis config # @param output_buffer_limit_pubsub diff --git a/manifests/sentinel.pp b/manifests/sentinel.pp index 644e15b4..ba240c70 100644 --- a/manifests/sentinel.pp +++ b/manifests/sentinel.pp @@ -131,10 +131,10 @@ # Path to the client-reconfig script # # @param acls -# This is a way to pass raw ACLs to Redis. Must be in the form of -# -# user USERNAME1 [additional ACL options] -# user USERNAME2 [additional ACL options] +# This is a way to pass an array of raw ACLs to Sentinel. The ACLs must be +# in the form of: +# +# user USERNAME [additional ACL options] # # @example Basic inclusion # include redis::sentinel From 0e653093c31945cb3c411b29940d814e195d168f Mon Sep 17 00:00:00 2001 From: TwizzyDizzy Date: Tue, 6 Feb 2024 14:38:03 +0100 Subject: [PATCH 5/6] Update REFERENCE.md --- REFERENCE.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index 4853e35a..d73780e8 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1855,10 +1855,10 @@ Default value: `undef` Data type: `Array[String[1]]` -This is a way to pass raw ACLs to Redis. Must be in the form of +This is a way to pass an array of raw ACLs to Sentinel. The ACLs must be +in the form of: - user USERNAME1 [additional ACL options] - user USERNAME2 [additional ACL options] + user USERNAME [additional ACL options] Default value: `[]` 
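Review bot: The instance-level `@param acls` text does not say how the value interacts with the class-level one, although the declaration `Array[String[1]] $acls = $redis::acls` makes it a plain default: an instance that sets `acls` replaces the class-level list rather than adding to it, and an instance that leaves it unset inherits every class-level ACL user verbatim, credentials included. A sentence such as `Defaults to the class-level $redis::acls; a value given here replaces that list entirely (no merge).` avoids surprises for users who expect per-instance ACLs to be additive or isolated.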
@@ -3002,10 +3002,10 @@ Default value: `$redis::rdb_save_incremental_fsync` Data type: `Array[String[1]]` -This is a way to pass raw ACLs to Redis. Must be in the form of +This is a way to pass an array of raw ACLs to Redis. The ACLs must be +in the form of: - user USERNAME1 [additional ACL options] - user USERNAME2 [additional ACL options] + user USERNAME [additional ACL options] Default value: `$redis::acls` From 54cb9b7c24329c871dff324d5ff412ef0ab54617 Mon Sep 17 00:00:00 2001 From: TwizzyDizzy Date: Tue, 6 Feb 2024 17:06:25 +0100 Subject: [PATCH 6/6] Update REFERENCE.md (again) --- REFERENCE.md | 6 +++--- manifests/init.pp | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/REFERENCE.md b/REFERENCE.md index d73780e8..0902d2e5 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -1375,10 +1375,10 @@ Default value: `undef` Data type: `Array[String[1]]` -This is a way to pass raw ACLs to Redis. Must be in the form of +This is a way to pass an array of raw ACLs to Redis. The ACLs must be +in the form of: - user USERNAME1 [additional ACL options] - user USERNAME2 [additional ACL options] + user USERNAME [additional ACL options] Default value: `[]` diff --git a/manifests/init.pp b/manifests/init.pp index 9ec2ed53..0de065df 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -330,10 +330,11 @@ # Manage the DNF module and set the version. This only makes sense on distributions # that use DNF package manager, such as EL8 or Fedora. # @param acls -# This is a way to pass raw ACLs to Redis. Must be in the form of +# This is a way to pass an array of raw ACLs to Redis. The ACLs must be +# in the form of: +# +# user USERNAME [additional ACL options] # -# user USERNAME1 [additional ACL options] -# user USERNAME2 [additional ACL options] # @param manage_service_file # Determine if the systemd service file should be managed #
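Review bot: The `@param acls` doc describes the syntax but says nothing about credentials, yet the documented form invites `user NAME on >password ...` lines, and because the parameter is a plain `Array[String[1]]` rather than `Sensitive`, that password travels unredacted through the catalog, the agent report and presumably any `file` content diff, and lands in clear text in redis.conf. A caveat belongs here, for example: `Passwords given as >plaintext are stored unredacted in the catalog and in the generated config; prefer the pre-hashed #<sha256-hex> form that Redis ACLs accept.` Supporting `Sensitive` elements would be the stronger fix but needs both a type change and unwrapping in the two templates, which this series does not do; the same note applies to the instance and sentinel copies of this text.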