Fix files permissions

Fixes-bug: PROD-36506
Change-Id: Ia50bd3de91dc50cda36cc07ae7b362ecbef08604
diff --git a/README.rst b/README.rst
index c0330db..86dd6a0 100644
--- a/README.rst
+++ b/README.rst
@@ -1067,6 +1067,37 @@
           backend: mysql
 
 
+Change files/directories permissions for cinder service:
+=======================================
+In order to change file permissions the following should be set:
+
+'files' - block to set permissions for files.
+- full path to file
+- user ( default value is 'root' ) this parameter is optional.
+- group ( default value is 'cinder' ) this parameter is optional
+- mode ( default value is '0640' ) this parameter is optional
+
+'directories' - block to set permissions for directories.
+- full path to directory
+- user ( default value is 'root' ) this parameter is optional
+- group ( default value is 'cinder' ) this parameter is optional
+- mode ( default value is '0750' ) this parameter is optional
+
+.. code-block:: yaml
+
+    cinder:
+      files:
+        /etc/cinder/cinder.conf:
+          user: 'root'
+          group: 'cinder'
+          mode: '0750'
+      directories:
+        /etc/cinder:
+          user: 'root'
+          group: 'cinder'
+          mode: '0750'
+
+
 Upgrades
 ========
 
diff --git a/cinder/file_permissions.sls b/cinder/file_permissions.sls
new file mode 100644
index 0000000..ccef5ab
--- /dev/null
+++ b/cinder/file_permissions.sls
@@ -0,0 +1,22 @@
+{% if pillar.cinder.files is defined %}
+{%- for file_full_path, file_mode in pillar.cinder.files.iteritems() %}
+{{ file_full_path }}_permissions:
+  file.managed:
+    - name: {{ file_full_path }}
+    - mode: {{ file_mode.get('mode', '0640') }}
+    - user: {{ file_mode.get('user', 'root') }}
+    - group: {{ file_mode.get('group', 'cinder') }}
+    - replace: false
+{%- endfor %}
+{% endif %}
+
+{% if pillar.cinder.directories is defined %}
+{%- for directory_path, directory_mode in pillar.cinder.directories.iteritems() %}
+{{ directory_path }}_permissions:
+  file.directory:
+    - name: {{ directory_path }}
+    - mode: {{ directory_mode.get('mode', '0750') }}
+    - user: {{ directory_mode.get('user', 'root') }}
+    - group: {{ directory_mode.get('group', 'cinder') }}
+{%- endfor %}
+{% endif %}
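Review bot: `.iteritems()` in both `for` loops exists only on Python 2 dicts, so this state will fail to render on a minion running Salt under Python 3; `{%- for file_full_path, file_mode in pillar.cinder.files.items() %}` (and the same for `directories`) works on both. The `mode` values are also rendered unquoted, so `0640` reaches the YAML parser as a bare integer and the resulting permission bits depend on how the loader treats a leading zero; `- mode: '{{ file_mode.get("mode", "0640") }}'` keeps it a string, which is what Salt's documentation asks for on modes with a leading zero. Separately, `file.managed` with no source creates an empty file when the path is missing, so if the intent is only to tighten permissions on files that already exist, `- create: false` is probably wanted next to `- replace: false`.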
diff --git a/cinder/init.sls b/cinder/init.sls
index 43133e5..d68c0f9 100644
--- a/cinder/init.sls
+++ b/cinder/init.sls
@@ -9,3 +9,4 @@
 {% if pillar.cinder.client is defined %}
 - cinder.client
 {% endif %}
+- cinder.file_permissions
\ No newline at end of file
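Review bot: The added `- cinder.file_permissions` line has no trailing newline (the `\ No newline at end of file` marker), so the next entry appended to this include list will show up as a two-line change. The states it pulls in default to group `cinder` and declare no `require`, so they appear to rely on this entry staying last in the list for that group to exist when they run; a comment such as `# keep last: relies on the cinder group already existing` would record that. The start of the include list is outside this hunk.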
diff --git a/metadata/service/control/cluster.yml b/metadata/service/control/cluster.yml
index 1c3bcf5..e5c2d83 100644
--- a/metadata/service/control/cluster.yml
+++ b/metadata/service/control/cluster.yml
@@ -2,6 +2,7 @@
 - cinder
 classes:
 - service.cinder.support
+- service.cinder.file_permissions
 parameters:
   _param:
     keystone_cinder_endpoint_type: internalURL
diff --git a/metadata/service/control/cluster_control.yml b/metadata/service/control/cluster_control.yml
index 1c3bcf5..e5c2d83 100644
--- a/metadata/service/control/cluster_control.yml
+++ b/metadata/service/control/cluster_control.yml
@@ -2,6 +2,7 @@
 - cinder
 classes:
 - service.cinder.support
+- service.cinder.file_permissions
 parameters:
   _param:
     keystone_cinder_endpoint_type: internalURL
diff --git a/metadata/service/control/single.yml b/metadata/service/control/single.yml
index 0e87b00..bcf1fda 100644
--- a/metadata/service/control/single.yml
+++ b/metadata/service/control/single.yml
@@ -2,6 +2,7 @@
 - cinder
 classes:
 - service.cinder.support
+- service.cinder.file_permissions
 parameters:
   _param:
     keystone_cinder_endpoint_type: internalURL
diff --git a/metadata/service/file_permissions.yml b/metadata/service/file_permissions.yml
new file mode 100644
index 0000000..4cecced
--- /dev/null
+++ b/metadata/service/file_permissions.yml
@@ -0,0 +1,11 @@
+parameters:
+  cinder:
+    directories:
+      /etc/cinder:
+        user: 'root'
+    files:
+      /etc/cinder/rootwrap.conf:
+        mode: '0640'
+        group: 'cinder'
+      /etc/cinder/api-paste.ini:
+        user: 'root'
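Review bot: The default file list covers `rootwrap.conf` and `api-paste.ini` but not `/etc/cinder/cinder.conf`, which is the file that normally carries the database and service credentials, so its permissions stay unmanaged unless each deployment adds it in its own pillar. Consider adding `/etc/cinder/cinder.conf:` here with `mode: '0640'` and `group: 'cinder'`. The README example in this commit lists that file with `mode: '0750'`, which would mark a configuration file executable; `'0640'` matches the state's own default for files.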
diff --git a/metadata/service/volume/local.yml b/metadata/service/volume/local.yml
index 416e366..5d43416 100644
--- a/metadata/service/volume/local.yml
+++ b/metadata/service/volume/local.yml
@@ -2,6 +2,7 @@
 - cinder
 classes:
 - service.cinder.support
+- service.cinder.file_permissions
 parameters:
   _param:
     keystone_cinder_endpoint_type: internalURL
diff --git a/metadata/service/volume/single.yml b/metadata/service/volume/single.yml
index 145ff93..f995f2d 100644
--- a/metadata/service/volume/single.yml
+++ b/metadata/service/volume/single.yml
@@ -2,6 +2,7 @@
 - cinder
 classes:
 - service.cinder.support
+- service.cinder.file_permissions
 parameters:
   _param:
     keystone_cinder_endpoint_type: internalURL