diff --git a/config.sample.ini b/config.sample.ini
index 30bf10b9ad..6f2f3dd402 100644
--- a/config.sample.ini
+++ b/config.sample.ini
@@ -8,6 +8,13 @@ vardir = /var/lib/puppetdb
 # Use an external logback config file
 # logging-config = /path/to/logback.xml
+[puppetdb]
+# List of certificate names from which to allow incoming HTTPS requests:
+# certificate-whitelist = /path/to/certname/whitelist
+
+# Whether we should check for more recent PuppetDB versions. Defaults to 'false':
+# disable-update-checking = true
+
 [database]
 # For the embedded DB: org.hsqldb.jdbcDriver
 # For PostgreSQL: org.postgresql.Driver
diff --git a/documentation/configure.markdown b/documentation/configure.markdown
index 2e5e7df8c2..e468f97705 100644
--- a/documentation/configure.markdown
+++ b/documentation/configure.markdown
@@ -98,6 +98,10 @@ An example configuration file:
 subprotocol = postgresql
 subname = //localhost:5432/puppetdb
+ [puppetdb]
+ certificate-whitelist = /path/to/file/containing/certnames
+ disable-update-checking = false
+
 [jetty]
 port = 8080
@@ -192,6 +196,10 @@ Optional. This describes the path to a file that contains a list of certificate
 If not supplied, PuppetDB uses standard HTTPS without any additional authorization. All HTTPS clients must still supply valid, verifiable SSL client certificates.
+### `disable-update-checking`
+
+Optional. Setting this to `true` disables checking for updated versions of PuppetDB. Defaults to `false`.
+
 `[database]` Settings
 -----
diff --git a/src/puppetlabs/puppetdb/cli/services.clj b/src/puppetlabs/puppetdb/cli/services.clj
index f11b6920d6..56a4be7a58 100644
--- a/src/puppetlabs/puppetdb/cli/services.clj
+++ b/src/puppetlabs/puppetdb/cli/services.clj
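Review bot: In config.sample.ini the comment on the new option reads inverted: `# Whether we should check for more recent PuppetDB versions. Defaults to 'false':` describes the check, while the key below it disables the check, so an operator can take the default to mean update checks are already off. Suggested wording: `# Set to true to disable checking for newer PuppetDB versions (checking is enabled by default):`. The `certificate-whitelist` line above it would also benefit from one comment line stating what documentation/configure.markdown already says, that without a whitelist any client presenting a valid certificate is accepted.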
@@ -235,7 +235,7 @@
 (ifn? add-ring-handler)
 (ifn? shutdown-on-error)]
 :post [(map? %)
- (every? (partial contains? %) [:broker :updater])]}
+ (every? (partial contains? %) [:broker])]}
 (let [{:keys [jetty database read-database global command-processing puppetdb] :as config} (conf/process-config! config)
 product-name (:product-name global)
@@ -280,7 +280,6 @@
 (pop/initialize-metrics write-db)
 (when (.exists discard-dir)
 (dlo/create-metrics-for-dlo! discard-dir))
-
 (let [broker (try
 (log/info "Starting broker")
 (mq/build-and-start-broker! "localhost" mq-dir command-processing)
@@ -291,12 +290,15 @@
 "PuppetDB troubleshooting guide.")
 (throw e)))
 context (assoc context :broker broker)
- updater (future (shutdown-on-error
- (service-id service)
- #(maybe-check-for-updates product-name update-server read-db)
- error-shutdown!))
- context (assoc context :updater updater)
- _ (let [authorized? (if-let [wl (puppetdb :certificate-whitelist)]
+ updater (when-not (:disable-update-checking puppetdb)
+ (future (shutdown-on-error
+ (service-id service)
+ #(maybe-check-for-updates product-name update-server read-db)
+ error-shutdown!)))
+ context (if updater
+ (assoc context :updater updater)
+ context)
+ _ (let [authorized? (if-let [wl (:certificate-whitelist puppetdb)]
 (build-whitelist-authorizer wl)
 (constantly true))
 app (server/build-app :globals globals :authorized? authorized?)]
diff --git a/src/puppetlabs/puppetdb/config.clj b/src/puppetlabs/puppetdb/config.clj
index 3babf52b60..5b9564121e 100644
--- a/src/puppetlabs/puppetdb/config.clj
+++ b/src/puppetlabs/puppetdb/config.clj
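Review bot: With `:updater` now optional in the context (the `:post` check in the first hunk of this file drops it, and the `(if updater ...)` branch here omits the key), any shutdown path that reads `(:updater context)` needs a nil guard; that code is outside this hunk, so this is something to confirm rather than a confirmed defect. In the same `let`, the fallback `(constantly true)` authorizes every client that passes TLS verification when `(:certificate-whitelist puppetdb)` is nil, so the whitelist now depends on the new conversion step in config.clj preserving that key. A binding such as `_ (when-not updater (log/info "Update checking is disabled"))` would let operators confirm from the log that the setting took effect. The enclosing function starts and ends outside the hunk.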
@@ -115,8 +115,14 @@
 (s/optional-key :temp-usage) s/Int})
 (def puppetdb-config-in
- "Schema for validating the [puppetdb] block"
- {(s/optional-key :certificate-whitelist) s/Str})
+ "Schema for validating the incoming [puppetdb] block"
+ {(s/optional-key :certificate-whitelist) s/Str
+ (s/optional-key :disable-update-checking) (pls/defaulted-maybe String "false")})
+
+(def puppetdb-config-out
+ "Schema for validating the parsed/processed [puppetdb] block"
+ {(s/optional-key :certificate-whitelist) s/Str
+ :disable-update-checking Boolean})
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;; Database config
@@ -215,7 +221,11 @@
 "Validates the [puppetdb] section of the config"
 [{:keys [puppetdb] :as config :or {puppetdb {}}}]
 (s/validate puppetdb-config-in puppetdb)
- (assoc config :puppetdb puppetdb))
+ (let [converted-config (->> puppetdb
+ (pls/defaulted-data puppetdb-config-in)
+ (pls/convert-to-schema puppetdb-config-out))]
+ (s/validate puppetdb-config-out converted-config)
+ (assoc config :puppetdb converted-config)))
 (defn convert-config
 "Given a `config` map (created from the user defined config), validate, default and convert it
diff --git a/test/puppetlabs/puppetdb/config_test.clj b/test/puppetlabs/puppetdb/config_test.clj
index ea63b5ad29..c54e019351 100644
--- a/test/puppetlabs/puppetdb/config_test.clj
+++ b/test/puppetlabs/puppetdb/config_test.clj
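Review bot: Declaring `:disable-update-checking` as any `String` on input and converting it to `Boolean` afterwards lets an unrecognised string fall through to `false`; the test added in config_test.clj pins `"some-string"` to `false`. For an option whose purpose is to switch off an outbound check, `disable-update-checking = yes` or `= 1` in the ini file would then leave checking enabled with no error at startup. Restricting the input to the two accepted spellings, e.g. `(s/optional-key :disable-update-checking) (pls/defaulted-maybe (s/enum "true" "false") "false")`, would reject a mistyped value instead; this assumes `pls/defaulted-maybe` accepts an arbitrary schema, which is not visible here.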
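Review bot: The docstring `"Validates the [puppetdb] section of the config"` is stale now that the body also applies defaults and converts values before validating against `puppetdb-config-out`. Suggest `"Validates the [puppetdb] section of the config, applies defaults and converts values to the puppetdb-config-out schema"`. The `defn` line of this function sits above the hunk, so only the docstring and body are visible here.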
@@ -11,6 +11,27 @@
 [clojure.string :as str]
 [fs.core :as fs]))
+(deftest puppetdb-configuration
+ (testing "puppetdb-configuration"
+ (testing "should throw an exception if unrecognized config options are specified"
+ (is (thrown? clojure.lang.ExceptionInfo (configure-puppetdb {:puppetdb {:foo "foo"}}))))
+
+ (testing "should convert disable-update-checking value to boolean, if it is specified"
+ (let [config (configure-puppetdb {:puppetdb {:disable-update-checking "true"}})]
+ (is (= (get-in config [:puppetdb :disable-update-checking]) true)))
+ (let [config (configure-puppetdb {:puppetdb {:disable-update-checking "false"}})]
+ (is (= (get-in config [:puppetdb :disable-update-checking]) false)))
+ (let [config (configure-puppetdb {:puppetdb {:disable-update-checking "some-string"}})]
+ (is (= (get-in config [:puppetdb :disable-update-checking]) false))))
+
+ (testing "should throw exception if disable-update-checking cannot be converted to boolean"
+ (is (thrown? clojure.lang.ExceptionInfo
+ (configure-puppetdb {:puppetdb {:disable-update-checking 1337}}))))
+
+ (testing "disable-update-checking should default to 'false' if left unspecified"
+ (let [config (configure-puppetdb {})]
+ (is (= (get-in config [:puppetdb :disable-update-checking]) false))))))
+
 (deftest commandproc-configuration
 (testing "should throw an error on unrecognized config options"
 (is (thrown? clojure.lang.ExceptionInfo (configure-command-params {:command-processing {:foo "foo"}}))))
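Review bot: Nothing in the new `puppetdb-configuration` test checks that `:certificate-whitelist` survives the default-and-convert pipeline that `configure-puppetdb` now runs. Since services.clj falls back to `(constantly true)` when that key is absent, a conversion that dropped it would silently turn off whitelist authorization. Suggest adding `(is (= "/tmp/whitelist" (get-in (configure-puppetdb {:puppetdb {:certificate-whitelist "/tmp/whitelist"}}) [:puppetdb :certificate-whitelist])))`, where the path is a constructed sample value.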