Merge pull request #502 from pixelpark/feature/acls

Implement rudimentary Redis and Sentinel ACLs

REFERENCE.md

@@ -224,6 +224,7 @@ The following parameters are available in the `redis` class:
 * [`jemalloc_bg_thread`](#-redis--jemalloc_bg_thread)
 * [`rdb_save_incremental_fsync`](#-redis--rdb_save_incremental_fsync)
 * [`dnf_module_stream`](#-redis--dnf_module_stream)
+* [`acls`](#-redis--acls)
 * [`manage_service_file`](#-redis--manage_service_file)
 
 ##### <a name="-redis--activerehashing"></a>`activerehashing`
@@ -1370,6 +1371,17 @@ that use DNF package manager, such as EL8 or Fedora.
 
 Default value: `undef`
 
+##### <a name="-redis--acls"></a>`acls`
+
+Data type: `Array[String[1]]`
+
+This is a way to pass an array of raw ACLs to Redis. The ACLs must be
+in the form of:
+
+  user USERNAME [additional ACL options]
+
+Default value: `[]`
+
 ##### <a name="-redis--manage_service_file"></a>`manage_service_file`
 
 Data type: `Boolean`
@@ -1511,6 +1523,7 @@ The following parameters are available in the `redis::sentinel` class:
 * [`working_dir`](#-redis--sentinel--working_dir)
 * [`notification_script`](#-redis--sentinel--notification_script)
 * [`client_reconfig_script`](#-redis--sentinel--client_reconfig_script)
+* [`acls`](#-redis--sentinel--acls)
 * [`service_ensure`](#-redis--sentinel--service_ensure)
 
 ##### <a name="-redis--sentinel--auth_pass"></a>`auth_pass`
@@ -1838,6 +1851,17 @@ Path to the client-reconfig script
 
 Default value: `undef`
 
+##### <a name="-redis--sentinel--acls"></a>`acls`
+
+Data type: `Array[String[1]]`
+
+This is a way to pass an array of raw ACLs to Sentinel. The ACLs must be
+in the form of:
+
+  user USERNAME [additional ACL options]
+
+Default value: `[]`
+
 ##### <a name="-redis--sentinel--service_ensure"></a>`service_ensure`
 
 Data type: `Stdlib::Ensure::Service`
@@ -1986,6 +2010,7 @@ The following parameters are available in the `redis::instance` defined type:
 * [`active_defrag_max_scan_fields`](#-redis--instance--active_defrag_max_scan_fields)
 * [`jemalloc_bg_thread`](#-redis--instance--jemalloc_bg_thread)
 * [`rdb_save_incremental_fsync`](#-redis--instance--rdb_save_incremental_fsync)
+* [`acls`](#-redis--instance--acls)
 * [`output_buffer_limit_slave`](#-redis--instance--output_buffer_limit_slave)
 * [`output_buffer_limit_pubsub`](#-redis--instance--output_buffer_limit_pubsub)
 
@@ -2973,6 +2998,17 @@ the file will be fsync-ed every 32 MB of data generated.
 
 Default value: `$redis::rdb_save_incremental_fsync`
 
+##### <a name="-redis--instance--acls"></a>`acls`
+
+Data type: `Array[String[1]]`
+
+This is a way to pass an array of raw ACLs to Redis. The ACLs must be
+in the form of:
+
+  user USERNAME [additional ACL options]
+
+Default value: `$redis::acls`
+
 ##### <a name="-redis--instance--output_buffer_limit_slave"></a>`output_buffer_limit_slave`
 
 Data type: `String[1]`

manifests/config.pp

@@ -35,6 +35,7 @@
       daemonize           => $redis::daemonize,
       service_name        => $redis::service_name,
       manage_service_file => $redis::manage_service_file,
+      acls                => $redis::acls,
     }
   }
 

manifests/init.pp

@@ -329,6 +329,12 @@
 # @param dnf_module_stream
 #   Manage the DNF module and set the version. This only makes sense on distributions
 #   that use DNF package manager, such as EL8 or Fedora.
+# @param acls
+#   This is a way to pass an array of raw ACLs to Redis. The ACLs must be
+#   in the form of:
+# 
+#     user USERNAME [additional ACL options]
+#
 # @param manage_service_file
 #   Determine if the systemd service file should be managed
 #
@@ -473,6 +479,7 @@
   Optional[Boolean] $jemalloc_bg_thread                          = undef,
   Optional[Boolean] $rdb_save_incremental_fsync                  = undef,
   Optional[String[1]] $dnf_module_stream                         = undef,
+  Array[String[1]] $acls                                         = [],
 ) inherits redis::params {
   contain redis::preinstall
   contain redis::install

manifests/instance.pp

@@ -278,6 +278,12 @@
 # @param rdb_save_incremental_fsync
 #   When redis saves RDB file, if the following option is enabled
 #   the file will be fsync-ed every 32 MB of data generated.
+# @param acls
+#   This is a way to pass an array of raw ACLs to Redis. The ACLs must be
+#   in the form of:
+#
+#     user USERNAME [additional ACL options]
+#
 # @param output_buffer_limit_slave
 #   Value of client-output-buffer-limit-slave in redis config
 # @param output_buffer_limit_pubsub
@@ -405,6 +411,7 @@
   Integer[1] $active_defrag_max_scan_fields                      = $redis::active_defrag_max_scan_fields,
   Optional[Boolean] $jemalloc_bg_thread                          = $redis::jemalloc_bg_thread,
   Optional[Boolean] $rdb_save_incremental_fsync                  = $redis::rdb_save_incremental_fsync,
+  Array[String[1]] $acls                                         = $redis::acls,
 ) {
   if $title == 'default' {
     $redis_file_name_orig = $config_file_orig
@@ -596,6 +603,7 @@
         active_defrag_max_scan_fields => $active_defrag_max_scan_fields,
         jemalloc_bg_thread            => $jemalloc_bg_thread,
         rdb_save_incremental_fsync    => $rdb_save_incremental_fsync,
+        acls                          => $acls,
       }
     ),
   }

manifests/sentinel.pp

@@ -130,6 +130,12 @@
 # @param client_reconfig_script
 #   Path to the client-reconfig script
 #
+# @param acls
+#   This is a way to pass an array of raw ACLs to Sentinel. The ACLs must be
+#   in the form of:
+#   
+#     user USERNAME [additional ACL options]
+#
 # @example Basic inclusion
 #   include redis::sentinel
 #
@@ -180,6 +186,7 @@
   Stdlib::Absolutepath $working_dir = $redis::params::sentinel_working_dir,
   Optional[Stdlib::Absolutepath] $notification_script = undef,
   Optional[Stdlib::Absolutepath] $client_reconfig_script = undef,
+  Array[String[1]] $acls = [],
 ) inherits redis::params {
   $auth_pass_unsensitive = if $auth_pass =~ Sensitive {
     $auth_pass.unwrap

spec/classes/redis_sentinel_spec.rb

@@ -84,6 +84,19 @@
         it { is_expected.to contain_package(sentinel_package_name).with_ensure('installed') }
       end
 
+      describe 'with acls' do
+        let(:params) do
+          {
+            acls: ['user readolny on nopass ~* resetchannels -@all +get'],
+          }
+        end
+
+        it {
+          is_expected.to contain_file(config_file_orig).
+            with_content(%r{^user readolny on nopass ~\* resetchannels -@all \+get$})
+        }
+      end
+
       describe 'with custom parameters' do
         let(:pre_condition) do
           <<-PUPPET

spec/classes/redis_spec.rb

@@ -1554,6 +1554,19 @@ class { 'redis':
         }
       end
 
+      describe 'with acls' do
+        let(:params) do
+          {
+            acls: ['user readolny on nopass ~* resetchannels -@all +get'],
+          }
+        end
+
+        it {
+          is_expected.to contain_file(config_file_orig).
+            with_content(%r{^user readolny on nopass ~\* resetchannels -@all \+get$})
+        }
+      end
+
       describe 'test io-threads for redis6' do
         let(:params) do
           {

templates/redis-sentinel.conf.erb

@@ -54,3 +54,9 @@ tls-replication <%= @tls_replication ? 'yes' : 'no' %>
 
 loglevel <%= @log_level %>
 logfile <%= @log_file %>
+<% unless @acls.empty? -%>
+
+<%   @acls.each do |acl| -%>
+<%= acl %>
+<%   end -%>
+<% end -%>

templates/redis.conf.epp

@@ -99,6 +99,7 @@
   Integer[1]                                         $active_defrag_max_scan_fields,
   Optional[Boolean]                                  $jemalloc_bg_thread,
   Optional[Boolean]                                  $rdb_save_incremental_fsync,
+  Array[String[1]]                                   $acls,
 | -%>
 # Redis configuration file example
 
@@ -1201,3 +1202,9 @@ loadmodule <%= $module_path %>
 <% if $extra_config_file { -%>
 include <%= $extra_config_file %>
 <% } -%>
+<% unless $acls.empty { -%>
+
+<%   $acls.each |$acl| { -%>
+<%= $acl %>
+<%   } -%>
+<% } -%>