Fix files permissions

Fixes-bug: PROD-36507
Change-Id: Ie239dab2832d17ebb6dd144cd10ebe733e835f1d
diff --git a/README.rst b/README.rst
index ee64e22..d356390 100644
--- a/README.rst
+++ b/README.rst
@@ -1066,6 +1066,37 @@
 
 .. code-block::
 
+Change files permissions for keystone service:
+=======================================
+In order to change file permissions a few data need to be set:.
+'files' - block to set permissions to files.
+It could be set the following data:
+- full path to file
+- user ( default value is 'root' ) this parameter is optional.
+- group ( default value is 'keystone' ) this parameter is optional
+- mode ( default value is '0640' ) this parameter is optional
+'directories' - block to set permissions to directories.
+- full path to directory
+- user ( default value is 'root' ) this parameter is optional
+- group ( default value is 'keystone' ) this parameter is optional
+- mode ( default value is '0750' ) this parameter is optional
+
+.. code-block:: yaml
+      
+    keystone:
+      files:
+        /etc/keystone/keystone.conf:
+          user: 'root'
+          group: 'keystone'
+          mode: '0750'
+      directories:
+        /etc/keystone:
+          user: 'root'
+          group: 'keystone'
+          mode: '0750'
+
+
+
 Upgrades
 ========
 
diff --git a/keystone/file_permissions.sls b/keystone/file_permissions.sls
new file mode 100644
index 0000000..a11f75b
--- /dev/null
+++ b/keystone/file_permissions.sls
@@ -0,0 +1,22 @@
+{% if pillar.keystone.files is defined %}
+{%- for file_full_path, file_mode in pillar.keystone.files.iteritems() %}
+{{ file_full_path }}_permissions:
+  file.managed:
+    - name: {{ file_full_path }}
+    - mode: {{ file_mode.get('mode', '0640') }}
+    - user: {{ file_mode.get('user', 'root') }}
+    - group: {{ file_mode.get('group', 'keystone') }}
+    - replace: false
+{%- endfor %}
+{% endif %}
+
+{% if pillar.keystone.directories is defined %}
+{%- for directory_path, directory_mode in pillar.keystone.directories.iteritems() %}
+{{ directory_path }}_permissions:
+  file.directory:
+    - name: {{ directory_path }}
+    - mode: {{ directory_mode.get('mode', '0750') }}
+    - user: {{ directory_mode.get('user', 'root') }}
+    - group: {{ directory_mode.get('group', 'keystone') }}
+{%- endfor %}
+{% endif %}
\ No newline at end of file
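Review bot: `pillar.keystone.files.iteritems()` in the first loop (and `.iteritems()` again in the directories loop) is Python 2 only; on a Python 3 master or minion the render fails with an undefined-attribute error, so use `.items()`, which works on both. `replace: false` keeps existing content but does not stop `file.managed` from creating an empty file when a listed path is absent on the node, so a pillar entry for a file that is not present yet ends up as an empty config file; adding `- create: false` to the file state restricts it to files that already exist. The rendered `mode` is an unquoted scalar, so a pillar value such as 0640 reaches the YAML parser as a leading-zero integer rather than the string Salt expects; render it as `- mode: "{{ file_mode.get('mode', '0640') }}"` and likewise in the directory loop. If keystone.server also manages any of these paths with its own user/group/mode, the two states will alternate ownership and report changes on every run — that is not visible in this diff, so worth confirming.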
diff --git a/keystone/init.sls b/keystone/init.sls
index adb2f15..a0c26a6 100644
--- a/keystone/init.sls
+++ b/keystone/init.sls
@@ -9,3 +9,4 @@
 {% if pillar.keystone.control is defined %}
 - keystone.control
 {% endif %}
+- keystone.file_permissions
diff --git a/metadata/service/client/init.yml b/metadata/service/client/init.yml
index b89c0ea..9134434 100644
--- a/metadata/service/client/init.yml
+++ b/metadata/service/client/init.yml
@@ -1,2 +1,3 @@
 classes:
 - service.keystone.support
+- service.keystone.file_permissions
diff --git a/metadata/service/file_permissions.yml b/metadata/service/file_permissions.yml
new file mode 100644
index 0000000..e2733c9
--- /dev/null
+++ b/metadata/service/file_permissions.yml
@@ -0,0 +1,14 @@
+parameters:
+  keystone:
+    directories:
+      /etc/keystone:
+        mode: '0750'
+        user: 'keystone'
+    files:
+      /etc/keystone/keystone-paste.ini:
+        user: 'keystone'
+      /etc/keystone/logging.conf:
+        user: 'keystone'
+      /etc/keystone/policy.json:
+        user: 'keystone'
+
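Review bot: The default `files` list covers keystone-paste.ini, logging.conf and policy.json but not /etc/keystone/keystone.conf, which is where the `keystone_database` connection string checked in the config_spec.rb hunk (credentials included) lives, so the file that benefits most from the 0640 default is left to whatever the server state sets unless a deployment adds it in its own pillar; the README example in this change does list it, so the omission looks unintended. Whether keystone.server already applies restrictive permissions to keystone.conf is not visible in this diff. The file also ends with a trailing blank line after the last entry, which yamllint flags; drop it.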
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index 9407cb6..386d49a 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -2,6 +2,7 @@
 - keystone
 classes:
 - service.keystone.support
+- service.keystone.file_permissions
 parameters:
   _param:
     openstack_log_appender: false
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index e639b00..5872e10 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -2,6 +2,7 @@
 - keystone
 classes:
 - service.keystone.support
+- service.keystone.file_permissions
 parameters:
   _param:
     openstack_log_appender: false
diff --git a/tests/integration/queens/single/config_spec.rb b/tests/integration/queens/single/config_spec.rb
index da9a00d..5740f25 100644
--- a/tests/integration/queens/single/config_spec.rb
+++ b/tests/integration/queens/single/config_spec.rb
@@ -134,14 +134,14 @@
 }
 
 keystone_database = {
-  'connection'              => 'mysql+pymysql://keystone:passw0rd@127.0.0.1/keystone?charset=utf8',
+  'connection'              => 'mysql+pymysql://keystone:passw0rd@127.0.0.1:3306/keystone?charset=utf8',
   'max_overflow'            => '30',
   'max_pool_size'           => '10',
   'max_retries'             => '-1',
 }
 
 keystone_database_ssl = {
-  'connection'              => 'mysql+pymysql://keystone:passw0rd@127.0.0.1/keystone?charset=utf8&ssl_ca=/etc/keystone/ssl/mysql/ca-cert.pem&ssl_cert=/etc/keystone/ssl/mysql/client-cert.pem&ssl_key=/etc/keystone/ssl/mysql/client-key.pem',
+  'connection'              => 'mysql+pymysql://keystone:passw0rd@127.0.0.1:3306/keystone?charset=utf8&ssl_ca=/etc/keystone/ssl/mysql/ca-cert.pem&ssl_cert=/etc/keystone/ssl/mysql/client-cert.pem&ssl_key=/etc/keystone/ssl/mysql/client-key.pem',
   'max_overflow'            => '30',
   'max_pool_size'           => '10',
   'max_retries'             => '-1',
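Review bot: The two expected `connection` strings now carry `:3306`, which is unrelated to the file-permission change in the commit title, and the template or pillar change that makes the rendered keystone.conf emit the port is not part of this diff, so the test either fails against the current rendering or depends on a separate change; split it out or reference that change in the description. The `keystone_database_ssl` hash continues past the end of the hunk.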