Update keystone config files permissions
The configuration files under /etc/keystone (*.conf, *.yaml) are world-readable.
This can leak sensitive configuration data to any local user and lead to compromise of the cloud.
Set keystone config files permissions to 0640.
Set keystone config files owner and group to root:keystone.
Change-Id: Id4790a4b2b1362a3eb2457216f24cc06d78371af
Related-Prod: https://mirantis.jira.com/browse/PROD-22095
diff --git a/keystone/client/os_client_config.sls b/keystone/client/os_client_config.sls
index bffed11..1b87982 100644
--- a/keystone/client/os_client_config.sls
+++ b/keystone/client/os_client_config.sls
@@ -12,7 +12,7 @@
- name: {{ config.get('file', '/root/.config/openstack/clouds.yml') }}
- contents: |
{{ client.os_client_config.cfgs.get(conf_name).content |yaml(False)|indent(8) }}
- - owner: {{ config.get('owner', 'root') }}
+ - user: {{ config.get('user', 'root') }}
- group: {{ config.get('group', 'root') }}
- makedirs: True
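Review bot: Renaming the pillar lookup from `config.get('owner', 'root')` to `config.get('user', 'root')` silently breaks existing pillar data that still sets `owner`: such deployments fall back to `root` with no error rather than failing loudly. Keeping the old key as a fallback preserves compatibility, e.g. `- user: {{ config.get('user', config.get('owner', 'root')) }}`. Separately, no `mode` appears in this hunk although the commit is about file permissions and clouds.yml typically carries client credentials; unless it is set outside the hunk, consider `- mode: {{ config.get('mode', '0600') }}`. The enclosing state ID and `file.managed` line are outside this hunk.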
diff --git a/keystone/server.sls b/keystone/server.sls
index 4c3e17c..c2a9eba 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -94,6 +94,8 @@
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone.conf.{{ grains.os_family }}
- template: jinja
+ - mode: 0640
+ - group: keystone
- require:
- pkg: keystone_packages
- watch_in:
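Review bot: This state sets `mode: 0640` and `group: keystone` for keystone.conf but no `user:`, while the commit message says the files should be `root:keystone` and the sibling states below set `- user: root` explicitly. Without `user`, `file.managed` leaves the existing owner in place, so on hosts where the keystone package or an earlier run left the file owned by the service account, that account keeps write access to its own configuration (and can chmod it back), which defeats the hardening. Add `- user: root` next to the new `- group: keystone` line. The enclosing state ID is outside this hunk.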
@@ -104,6 +106,8 @@
/etc/keystone/sso_callback_template.html:
file.managed:
- source: salt://keystone/files/sso_callback_template.html
+ - mode: 0640
+ - group: keystone
- require:
- pkg: keystone_packages
- watch_in:
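Review bot: The sso_callback_template.html state gets `mode: 0640` and `group: keystone` but, unlike keystone-paste.ini, logging.conf and policy.json in this same change, no `- user: root`; the resulting ownership depends on whatever already owns the file. For consistency with the stated root:keystone target, add `- user: root` alongside `- group: keystone`. Since the template is read by the keystone service, group read via 0640 is sufficient once the owner is root.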
@@ -114,7 +118,8 @@
/etc/keystone/keystone-paste.ini:
file.managed:
- source: salt://keystone/files/{{ server.version }}/keystone-paste.ini.{{ grains.os_family }}
- - user: keystone
+ - mode: 0640
+ - user: root
- group: keystone
- template: jinja
- require:
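Review bot: `mode: 0640` is written as an unquoted plain scalar, which YAML 1.1 loaders (PyYAML) read as the octal integer 416 rather than the string "0640". Salt's renderer is generally understood to normalise leading-zero modes, but quoting removes the dependency on that behaviour and documents the intent: `- mode: '0640'`. The same applies to every `mode:` line added in this commit. Otherwise the root:keystone 0640 setting here matches the commit message.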
@@ -132,7 +137,8 @@
/etc/keystone/logging.conf:
file.managed:
- - user: keystone
+ - mode: 0640
+ - user: root
- group: keystone
- source: salt://oslo_templates/files/logging/_logging.conf
- template: jinja
@@ -158,7 +164,8 @@
/etc/keystone/policy.json:
file.managed:
- - user: keystone
+ - mode: 0640
+ - user: root
- group: keystone
- require:
- pkg: keystone_packages
@@ -208,6 +215,8 @@
file.managed:
- source: salt://keystone/files/keystone.domain.conf
- template: jinja
+ - mode: 0640
+ - group: keystone
- require:
- file: /etc/keystone/domains
- watch_in:
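Review bot: The per-domain config state adds `mode: 0640` and `group: keystone` without `- user: root`, so the owner is left as whatever currently owns the file; domain configuration files commonly hold LDAP bind credentials, so this is the file where keeping the service account as owner matters most. Add `- user: root` to match the other states in this change and the commit message. The directory state `/etc/keystone/domains` that this requires is outside the hunk, so its own mode cannot be checked here; it is worth confirming it is not world-listable either. The enclosing state ID is outside this hunk.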
@@ -298,6 +307,9 @@
file.managed:
- source: salt://keystone/files/keystonerc
- template: jinja
+ - mode: 0640
+ - user: root
+ - group: root
- require:
- pkg: keystone_packages
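Review bot: With `user: root` and `group: root` the group bits of `mode: 0640` grant nothing that the owner does not already have, so the effective policy is 0600 and writing it that way states the intent more clearly: `- mode: 0600`. This file is an RC-style credentials file for the admin user (it is presumably sourced to obtain OS_* variables, so it likely contains a password), which is exactly the kind of file that warrants owner-only access. The keystonercv3 state below uses the same root:root 0640 setting and should be treated identically. The enclosing state ID is outside this hunk.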
@@ -305,6 +317,9 @@
file.managed:
- source: salt://keystone/files/keystonercv3
- template: jinja
+ - mode: 0640
+ - user: root
+ - group: root
- require:
- pkg: keystone_packages