Add possibility to manage file permissions of config files
Fixes-bug: PROD-36553
Change-Id: I4a8314449ecf6cb56e32fa04236899f1a914e164
diff --git a/README.rst b/README.rst
index a4f905d..bd71fd6 100644
--- a/README.rst
+++ b/README.rst
@@ -432,6 +432,38 @@
host: 0.0.0.0
port: 8125
+
+Change files/directories permissions for gnocchi service:
+=======================================
+In order to change file permissions the following should be set:
+
+'files' - block to set permissions for files.
+- full path to file
+- user ( default value is 'root' ) this parameter is optional.
+- group ( default value is 'gnocchi' ) this parameter is optional
+- mode ( default value is '0640' ) this parameter is optional
+
+'directories' - block to set permissions for directories.
+- full path to directory
+- user ( default value is 'root' ) this parameter is optional
+- group ( default value is 'gnocchi' ) this parameter is optional
+- mode ( default value is '0750' ) this parameter is optional
+
+.. code-block:: yaml
+
+ gnocchi:
+ files:
+ /etc/gnocchi/gnocchi.conf:
+ user: 'root'
+ group: 'gnocchi'
+ mode: '0750'
+ directories:
+ /etc/gnocchi:
+ user: 'root'
+ group: 'gnocchi'
+ mode: '0750'
+
+
More Information
================
diff --git a/gnocchi/file_permissions.sls b/gnocchi/file_permissions.sls
new file mode 100644
index 0000000..0ef8702
--- /dev/null
+++ b/gnocchi/file_permissions.sls
@@ -0,0 +1,22 @@
+{% if pillar.gnocchi.files is defined %}
+{%- for file_full_path, file_mode in pillar.gnocchi.files.iteritems() %}
+{{ file_full_path }}_permissions:
+ file.managed:
+ - name: {{ file_full_path }}
+ - mode: {{ file_mode.get('mode', '0640') }}
+ - user: {{ file_mode.get('user', 'root') }}
+ - group: {{ file_mode.get('group', 'gnocchi') }}
+ - replace: false
+{%- endfor %}
+{% endif %}
+
+{% if pillar.gnocchi.directories is defined %}
+{%- for directory_path, directory_mode in pillar.gnocchi.directories.iteritems() %}
+{{ directory_path }}_permissions:
+ file.directory:
+ - name: {{ directory_path }}
+ - mode: {{ directory_mode.get('mode', '0750') }}
+ - user: {{ directory_mode.get('user', 'root') }}
+ - group: {{ directory_mode.get('group', 'gnocchi') }}
+{%- endfor %}
+{% endif %}
diff --git a/gnocchi/init.sls b/gnocchi/init.sls
index 8a187a3..6ce47d5 100644
--- a/gnocchi/init.sls
+++ b/gnocchi/init.sls
@@ -9,4 +9,5 @@
{%- if pillar.gnocchi.client is defined %}
- gnocchi.client
{%- endif %}
+- gnocchi.file_permissions
{%- endif %}
diff --git a/metadata/service/file_permissions.yml b/metadata/service/file_permissions.yml
new file mode 100644
index 0000000..fed5690
--- /dev/null
+++ b/metadata/service/file_permissions.yml
@@ -0,0 +1,5 @@
+parameters:
+ gnocchi:
+ directories:
+ /etc/gnocchi:
+ mode: '0750'
\ No newline at end of file
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 82b8957..feb8a7d 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -3,6 +3,7 @@
classes:
- service.gnocchi.common.cluster
- service.gnocchi.support
+- service.gnocchi.file_permissions
parameters:
gnocchi:
server:
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 6eb5d52..a5cabef 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -3,6 +3,7 @@
classes:
- service.gnocchi.common.single
- service.gnocchi.support
+- service.gnocchi.file_permissions
parameters:
gnocchi:
server:
diff --git a/metadata/service/statsd/cluster.yml b/metadata/service/statsd/cluster.yml
index 723acfa..951873b 100644
--- a/metadata/service/statsd/cluster.yml
+++ b/metadata/service/statsd/cluster.yml
@@ -3,6 +3,7 @@
classes:
- service.gnocchi.common.cluster
- service.gnocchi.support
+- service.gnocchi.file_permissions
parameters:
gnocchi:
statsd:
diff --git a/metadata/service/statsd/single.yml b/metadata/service/statsd/single.yml
index 67bf0a5..b0484bd 100644
--- a/metadata/service/statsd/single.yml
+++ b/metadata/service/statsd/single.yml
@@ -3,6 +3,7 @@
classes:
- service.gnocchi.common.single
- service.gnocchi.support
+- service.gnocchi.file_permissions
parameters:
gnocchi:
statsd: