restrict access for backups
Change-Id: I64f63eab66fc7ab44685ba0f59f353f921630f29
diff --git a/zookeeper/backup.sls b/zookeeper/backup.sls
index 05c29ee..3be7180 100644
--- a/zookeeper/backup.sls
+++ b/zookeeper/backup.sls
@@ -105,10 +105,27 @@
{%- if key.get('enabled', False) %}
+{%- set clients = [] %}
+{%- for node_name, node_grains in salt['mine.get']('*', 'grains.items').iteritems() %}
+{%- if node_grains.get('zookeeper', {}).get('backup', {}).get('client') %}
+{%- set client = node_grains.get('zookeeper').get('backup').get('client') %}
+{%- if client.get('addresses') and client.get('addresses', []) is iterable %}
+{%- for address in client.addresses %}
+{%- do clients.append(address|string) %}
+{%- endfor %}
+{%- endif %}
+{%- endif %}
+{%- endfor %}
+
zookeeper_key_{{ key.key }}:
ssh_auth.present:
- user: zookeeper
- name: {{ key.key }}
+ - options:
+ - no-pty
+{%- if clients %}
+ - from="{{ clients|join(',') }}"
+{%- endif %}
- require:
- file: {{ backup.backup_dir }}/full
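Review bot: The `{%- if clients %}` guard around `from=` makes the restriction fail open: whenever the mine returns nothing (mine not yet refreshed, `grains.items` not in `mine_functions`, or no client has published the grain), the key is installed with only `no-pty`, which is exactly the unrestricted state this commit is meant to remove. Consider skipping the `zookeeper_key_{{ key.key }}` state, or failing the render, when `clients` is empty unless an explicit pillar opt-out is set, and add a comment stating that the `from=` list is built from minion-supplied grains and is therefore only as trustworthy as the minions publishing them. `.iteritems()` on the `mine.get` result is Python 2 only and will break rendering on a Python 3 master; use `.items()`. The `is iterable` check passes for a plain string, so a mis-typed `addresses: 10.0.0.5` would be appended one character at a time; test for a list instead. Since the key is for a backup job, the options line could be tightened further to `- no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding` and, if the backup tool allows it, a `command=` restriction.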
diff --git a/zookeeper/meta/salt.yml b/zookeeper/meta/salt.yml
new file mode 100644
index 0000000..de0cdcd
--- /dev/null
+++ b/zookeeper/meta/salt.yml
@@ -0,0 +1,21 @@
+{%- if pillar.get('zookeeper', {}).get('backup', {}).get('client') %}
+
+{%- set addresses = [] %}
+{%- set ips = salt['grains.get']("fqdn_ip4")|list %}
+{%- if ips %}
+ {%- for ip in ips %}
+ {%- if not (ip|string).startswith('127.') %}
+ {%- do addresses.append(ip) %}
+ {%- endif %}
+ {%- endfor %}
+{%- endif %}
+{%- if addresses %}
+grain:
+ zookeeper:
+ zookeeper:
+ backup:
+ client:
+ addresses: {{ addresses|yaml }}
+{%- endif %}
+
+{%- endif %}
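Review bot: `fqdn_ip4` yields the addresses the node's FQDN resolves to, which are not necessarily the source address the backup server sees from this host (multi-homed nodes, NAT, or a different interface chosen by routing), so the `from=` list derived from this grain may exclude the real client address or include addresses that are never used. Consider letting pillar `zookeeper:backup:client:addresses` override the grain lookup when set, so operators can pin the correct address. The file also carries an undocumented dependency: it only sets a grain, yet `backup.sls` consumes it via `mine.get('*', 'grains.items')`, which requires `grains.items` in `mine_functions` on every client minion; a header comment such as `{#- Publishes this node's non-loopback fqdn_ip4 addresses as a grain; backup.sls reads them via mine.get('*', 'grains.items'), so grains.items must be in mine_functions on client minions #}` would make that explicit. The `{%- if ips %}` wrapper is redundant, as the `for` over an empty list already does nothing.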