Telegraf Charm

Merge charm-telegraf:bug/1896467 into charm-telegraf:master

  1. Git
  2. lp:charm-telegraf
  3. bug/1896467
  4. Merge into master
Proposed by Facundo Ciccioli
Status: Merged
Approved by: Alvaro Uria
Approved revision: 9ccd1a821c2b08a24e79dddfd38be5d12a13b68b
Merged at revision: 42c814bf359e12064506ccde51088d8cdd68542d
Proposed branch: charm-telegraf:bug/1896467
Merge into: charm-telegraf:master
Diff against target: 168 lines (+42/-16)
4 files modified
src/reactive/telegraf.py (+14/-5)
src/tests/unit/test_mysql.py (+6/-3)
src/tests/unit/test_postgresql.py (+11/-8)
src/tests/unit/test_telegraf.py (+11/-0)
Reviewer Review Type Date Requested Status
Adam Dyess (community) Approve
Paul Goins (community) Approve
Benjamin Allot Pending
Review via email: mp+391124@code.launchpad.net

Commit message

Write config files containing credentials as telegraf-only readable

To post a comment you must log in.
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

This merge proposal is being monitored by mergebot. Change the status to Approved to merge.

Revision history for this message
Facundo Ciccioli (fandanbango) wrote :

Unit tests: https://paste.ubuntu.com/p/mBVpZkgVfR/
Functional tests: https://paste.ubuntu.com/p/J6hRwYkqrF/

Revision history for this message
Benjamin Allot (ballot) wrote :

Usually, files in /etc are written with root as owner and possibly a group with group readable permission.

I think something like

host.write_file(
            config_path,
            f.getvalue().encode("UTF-8"),
            owner=root,
            group=TELEGRAF_USER,
            perms=0o640,
)

is more on par with what we expect in /etc.
(0o440 is a possibility if we really want to discourage people to edit the files)

However, I may miss something.
Not a hard block, just something I'm curious about.

Revision history for this message
Facundo Ciccioli (fandanbango) wrote :

As per zzehring verbal comment, I've factored out the writing of the sensitive files.

Changed also ownership to root and made group readable and root writable as per ballot's suggestion (I do agree with that that's the custom for /etc).

Unit tests: https://paste.ubuntu.com/p/zjQCY6XP3R/
Functional tests: https://paste.ubuntu.com/p/Hw25x5N2Sp/

Revision history for this message
Paul Goins (vultaire) wrote :

LGTM

review: Approve
Revision history for this message
Adam Dyess (addyess) wrote :

LGTM2

review: Approve
Revision history for this message
🤖 Canonical IS Merge Bot (canonical-is-mergebot) wrote :

Change successfully merged at revision 42c814bf359e12064506ccde51088d8cdd68542d

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/src/reactive/telegraf.py b/src/reactive/telegraf.py
index 1b1208e..e24b7eb 100644
--- a/src/reactive/telegraf.py
+++ b/src/reactive/telegraf.py
@@ -79,6 +79,15 @@ class InvalidInstallMethod(Exception):
79 pass79 pass
8080
8181
82def write_telegraf_file(path, content):
83 return host.write_file(
84 path,
85 content.encode("UTF-8"),
86 group="telegraf",
87 perms=0o640,
88 )
89
90
82def get_install_method():91def get_install_method():
83 config = hookenv.config()92 config = hookenv.config()
8493
@@ -861,7 +870,7 @@ def render_mysql_tmpl(contexts):
861 for ctx in contexts:870 for ctx in contexts:
862 f.write(render_template(template, ctx))871 f.write(render_template(template, ctx))
863 f.write(render_extra_options("inputs", "mysql"))872 f.write(render_extra_options("inputs", "mysql"))
864 host.write_file(config_path, f.getvalue().encode("UTF-8"))873 write_telegraf_file(config_path, f.getvalue())
865 elif os.path.exists(config_path):874 elif os.path.exists(config_path):
866 os.unlink(config_path)875 os.unlink(config_path)
867876
@@ -876,7 +885,7 @@ def render_postgresql_tmpl(contexts):
876 ).read()885 ).read()
877 for ctx in contexts:886 for ctx in contexts:
878 f.write(render_template(template, ctx))887 f.write(render_template(template, ctx))
879 host.write_file(config_path, f.getvalue().encode("UTF-8"))888 write_telegraf_file(config_path, f.getvalue())
880 elif os.path.exists(config_path):889 elif os.path.exists(config_path):
881 os.unlink(config_path)890 os.unlink(config_path)
882891
@@ -917,7 +926,7 @@ def haproxy_input(haproxy):
917 template, {"servers": json.dumps(haproxy_addresses)}926 template, {"servers": json.dumps(haproxy_addresses)}
918 ) + render_extra_options("inputs", "haproxy")927 ) + render_extra_options("inputs", "haproxy")
919 hookenv.log("Updating {} plugin config file".format("haproxy"))928 hookenv.log("Updating {} plugin config file".format("haproxy"))
920 host.write_file(config_path, input_config.encode("utf-8"))929 write_telegraf_file(config_path, input_config)
921 set_flag("plugins.haproxy.configured")930 set_flag("plugins.haproxy.configured")
922 elif os.path.exists(config_path):931 elif os.path.exists(config_path):
923 os.unlink(config_path)932 os.unlink(config_path)
@@ -1123,7 +1132,7 @@ def rabbitmq_input(rabbitmq):
1123 )1132 )
11241133
1125 hookenv.log("Updating {} plugin config file".format("rabbitmq"))1134 hookenv.log("Updating {} plugin config file".format("rabbitmq"))
1126 host.write_file(config_path, input_config.encode("utf-8"))1135 write_telegraf_file(config_path, input_config)
11271136
1128 set_flag("plugins.rabbitmq.configured")1137 set_flag("plugins.rabbitmq.configured")
1129 set_flag("telegraf.needs_reload")1138 set_flag("telegraf.needs_reload")
@@ -1168,7 +1177,7 @@ def influxdb_api_output(influxdb):
1168 },1177 },
1169 )1178 )
1170 extra_opts = render_extra_options("outputs", "influxdb")1179 extra_opts = render_extra_options("outputs", "influxdb")
1171 host.write_file(config_path, "\n".join([content, extra_opts]).encode("utf-8"))1180 write_telegraf_file(config_path, "\n".join([content, extra_opts]))
1172 set_flag("plugins.influxdb-api.configured")1181 set_flag("plugins.influxdb-api.configured")
1173 elif os.path.exists(config_path):1182 elif os.path.exists(config_path):
1174 os.unlink(config_path)1183 os.unlink(config_path)
diff --git a/src/tests/unit/test_mysql.py b/src/tests/unit/test_mysql.py
index 9015600..3de025e 100644
--- a/src/tests/unit/test_mysql.py
+++ b/src/tests/unit/test_mysql.py
@@ -64,11 +64,11 @@ class TestMySQL(unittest.TestCase):
64 toggle_flag.assert_called_once_with("plugins.mysql.configured", True)64 toggle_flag.assert_called_once_with("plugins.mysql.configured", True)
6565
66 @patch("reactive.telegraf.render_extra_options")66 @patch("reactive.telegraf.render_extra_options")
67 @patch("charmhelpers.core.host.write_file")67 @patch("reactive.telegraf.write_telegraf_file")
68 @patch("reactive.telegraf.get_templates_dir")68 @patch("reactive.telegraf.get_templates_dir")
69 @patch("reactive.telegraf.get_base_dir")69 @patch("reactive.telegraf.get_base_dir")
70 def test_render_mysql_tmpl(70 def test_render_mysql_tmpl(
71 self, get_base_dir, get_templates_dir, write_file, extra_options71 self, get_base_dir, get_templates_dir, write_telegraf_file, extra_options
72 ):72 ):
73 get_base_dir.return_value = "/etc/telegraf"73 get_base_dir.return_value = "/etc/telegraf"
74 get_templates_dir.return_value = os.path.join(74 get_templates_dir.return_value = os.path.join(
@@ -89,7 +89,10 @@ class TestMySQL(unittest.TestCase):
89 ]89 ]
90 )90 )
9191
92 write_file.assert_called_once_with("/etc/telegraf/telegraf.d/mysql.conf", ANY)92 write_telegraf_file.assert_called_once_with(
93 "/etc/telegraf/telegraf.d/mysql.conf",
94 ANY,
95 )
9396
94 @patch("os.unlink")97 @patch("os.unlink")
95 @patch("os.path.exists")98 @patch("os.path.exists")
diff --git a/src/tests/unit/test_postgresql.py b/src/tests/unit/test_postgresql.py
index c011b32..1eba510 100644
--- a/src/tests/unit/test_postgresql.py
+++ b/src/tests/unit/test_postgresql.py
@@ -113,10 +113,12 @@ class TestPostgreSQL(unittest.TestCase):
113 [call("plugins.postgresql.configured"), call("telegraf.needs_reload")]113 [call("plugins.postgresql.configured"), call("telegraf.needs_reload")]
114 )114 )
115115
116 @patch("charmhelpers.core.host.write_file")116 @patch("reactive.telegraf.write_telegraf_file")
117 @patch("reactive.telegraf.get_templates_dir")117 @patch("reactive.telegraf.get_templates_dir")
118 @patch("reactive.telegraf.get_base_dir")118 @patch("reactive.telegraf.get_base_dir")
119 def test_render_postgresql_tmpl(self, get_base_dir, get_templates_dir, write_file):119 def test_render_postgresql_tmpl(
120 self, get_base_dir, get_templates_dir, write_telegraf_file
121 ):
120 get_templates_dir.return_value = os.path.join(122 get_templates_dir.return_value = os.path.join(
121 os.path.dirname(__file__), "../..", "templates"123 os.path.dirname(__file__), "../..", "templates"
122 )124 )
@@ -126,15 +128,16 @@ class TestPostgreSQL(unittest.TestCase):
126 [{"replica": "master", "conn_str": "my_conn_str", "server": "my_server"}]128 [{"replica": "master", "conn_str": "my_conn_str", "server": "my_server"}]
127 )129 )
128130
129 write_file.assert_called_once_with(131 write_telegraf_file.assert_called_once_with(
130 "/etc/telegraf/telegraf.d/postgresql.conf", ANY132 "/etc/telegraf/telegraf.d/postgresql.conf",
133 ANY,
131 )134 )
132135
133 @patch("charmhelpers.core.host.write_file")136 @patch("reactive.telegraf.write_telegraf_file")
134 @patch("reactive.telegraf.get_templates_dir")137 @patch("reactive.telegraf.get_templates_dir")
135 @patch("reactive.telegraf.get_base_dir")138 @patch("reactive.telegraf.get_base_dir")
136 def test_render_postgresql_tmpl_extra_options(139 def test_render_postgresql_tmpl_extra_options(
137 self, get_base_dir, get_templates_dir, write_file140 self, get_base_dir, get_templates_dir, write_telegraf_file
138 ):141 ):
139 get_templates_dir.return_value = os.path.join(142 get_templates_dir.return_value = os.path.join(
140 os.path.dirname(__file__), "../..", "templates"143 os.path.dirname(__file__), "../..", "templates"
@@ -159,8 +162,8 @@ class TestPostgreSQL(unittest.TestCase):
159 ) as fd:162 ) as fd:
160 rendered = telegraf.render_template(fd.read(), context)163 rendered = telegraf.render_template(fd.read(), context)
161164
162 write_file.assert_called_once_with(165 write_telegraf_file.assert_called_once_with(
163 "/etc/telegraf/telegraf.d/postgresql.conf", rendered.encode("UTF-8")166 "/etc/telegraf/telegraf.d/postgresql.conf", rendered
164 )167 )
165 # now check if what's there is the thing we actually expect168 # now check if what's there is the thing we actually expect
166 expected = """[[inputs.postgresql_extensible]]169 expected = """[[inputs.postgresql_extensible]]
diff --git a/src/tests/unit/test_telegraf.py b/src/tests/unit/test_telegraf.py
index 8ef82ec..a15b5b6 100644
--- a/src/tests/unit/test_telegraf.py
+++ b/src/tests/unit/test_telegraf.py
@@ -190,6 +190,17 @@ def check_sysstat_config(original, expected):
190 assert actual == expected190 assert actual == expected
191191
192192
193def test_write_telegraf_file(mocker):
194 write_file = mocker.patch("charmhelpers.core.host.write_file")
195 telegraf.write_telegraf_file("the-path", "the-content áéíóú")
196 write_file.assert_called_once_with(
197 "the-path",
198 "the-content áéíóú".encode("utf-8"),
199 group="telegraf",
200 perms=0o640,
201 )
202
203
193def test_sadc_options_correct(monkeypatch):204def test_sadc_options_correct(monkeypatch):
194 """If SADC_OPTIONS is already correct, should return None."""205 """If SADC_OPTIONS is already correct, should return None."""
195 original = dedent(206 original = dedent(

Subscribers

No one subscribed via source and target branches