Fix certificate permissions

This patch fixes the permissions of the following certificates,
setting their ownership to root:nova:

 * mysql
 * rabbit
 * vncencrypt
 * libvirt

Change-Id: I101d5ef254f5e39109678662fd0232188ba5c9b1
diff --git a/nova/_ssl/mysql.sls b/nova/_ssl/mysql.sls
index 3d715e9..cc21c91 100644
--- a/nova/_ssl/mysql.sls
+++ b/nova/_ssl/mysql.sls
@@ -15,8 +15,8 @@
   file.managed:
     - name: {{ ca_file }}
     - contents_pillar: nova:controller:database:x509:cacert
-    - mode: 444
-    - user: nova
+    - mode: 644
+    - user: root
     - group: nova
     - makedirs: true
   {%- else %}
@@ -29,8 +29,8 @@
   file.managed:
     - name: {{ cert_file }}
     - contents_pillar: nova:controller:database:x509:cert
-    - mode: 440
-    - user: nova
+    - mode: 640
+    - user: root
     - group: nova
     - makedirs: true
   {%- else %}
@@ -43,8 +43,8 @@
   file.managed:
     - name: {{ key_file }}
     - contents_pillar: nova:controller:database:x509:key
-    - mode: 400
-    - user: nova
+    - mode: 640
+    - user: root
     - group: nova
     - makedirs: true
   {%- else %}
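Review bot: With `- mode: 640` and `root:nova` ownership the private key becomes readable by every member of the `nova` group, where the old `400` with `user: nova` limited reads to the service account alone. Root ownership does stop the service account from rewriting its own key, so if group read is the intended trade-off a comment above the state such as `# root-owned, group-readable: nova may read the key but not replace it` would record that. The same applies to the key states in nova/_ssl/rabbitmq.sls (`@@ -53,8 +53,8 @@`) and to the vencrypt and server key hunks in nova/controller.sls. None of the options visible here set `show_changes: false`, so it is worth confirming that a key change is not rendered as a diff in the state return. The state's ID line sits above the hunk.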
@@ -58,7 +58,7 @@
       - {{ ca_file }}
       - {{ cert_file }}
       - {{ key_file }}
-    - user: nova
+    - user: root
     - group: nova
 
   {% elif controller.database.get('ssl',{}).get('enabled',False) %}
@@ -67,11 +67,19 @@
   file.managed:
     - name: {{ controller.database.ssl.cacert_file }}
     - contents_pillar: nova:controller:database:ssl:cacert
-    - mode: 0444
+    - mode: 644
     - makedirs: true
+    - user: root
+    - group: nova
   {%- else %}
   file.exists:
     - name: {{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}
   {%- endif %}
 
+mysql_nova_ssl_set_user_and_group:
+  file.managed:
+    - name: {{ controller.database.ssl.get('cacert_file', controller.cacert_file) }}
+    - user: root
+    - group: nova
+
 {%- endif %}
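Review bot: The new `mysql_nova_ssl_set_user_and_group` state runs `file.managed` with no `contents` or `source` on a path that the `else` branch above only checks with `file.exists`, so when the CA file is missing Salt would by default create an empty file there instead of only reporting the failure. Adding `- create: false`, plus a `- require:` on the preceding state (its ID is above the hunk), keeps this an ownership-only step. In the `contents_pillar` branch the added `- user: root` and `- group: nova` already set ownership, so the extra state is redundant there. The same pattern appears in nova/_ssl/rabbitmq.sls (`rabbitmq_nova_{{ role }}_ssl_set_user_and_group`) and in nova/controller.sls (`novncproxy_vencrypt_set_user_and_group`, `novncproxy_server_set_user_and_group`).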
diff --git a/nova/_ssl/rabbitmq.sls b/nova/_ssl/rabbitmq.sls
index 0dc7c6e..6abb6f4 100644
--- a/nova/_ssl/rabbitmq.sls
+++ b/nova/_ssl/rabbitmq.sls
@@ -25,8 +25,8 @@
   file.managed:
     - name: {{ ca_file }}
     - contents_pillar: nova:{{ role }}:message_queue:x509:cacert
-    - mode: 444
-    - user: nova
+    - mode: 644
+    - user: root
     - group: nova
     - makedirs: true
   {%- else %}
@@ -39,8 +39,8 @@
   file.managed:
     - name: {{ cert_file }}
     - contents_pillar: nova:{{ role }}:message_queue:x509:cert
-    - mode: 440
-    - user: nova
+    - mode: 640
+    - user: root
     - group: nova
     - makedirs: true
   {%- else %}
@@ -53,8 +53,8 @@
   file.managed:
     - name: {{ key_file }}
     - contents_pillar: nova:{{ role }}:message_queue:x509:key
-    - mode: 400
-    - user: nova
+    - mode: 640
+    - user: root
     - group: nova
     - makedirs: true
   {%- else %}
@@ -68,7 +68,7 @@
       - {{ ca_file }}
       - {{ cert_file }}
       - {{ key_file }}
-    - user: nova
+    - user: root
     - group: nova
 
   {% elif nova_msg.get('ssl',{}).get('enabled',False) %}
@@ -77,11 +77,16 @@
   file.managed:
     - name: {{ nova_msg.ssl.cacert_file }}
     - contents_pillar: nova:{{ role }}:message_queue:ssl:cacert
-    - mode: 0444
+    - mode: 644
     - makedirs: true
   {%- else %}
   file.exists:
     - name: {{ nova_msg.ssl.get('cacert_file', nova_cacert) }}
   {%- endif %}
 
+rabbitmq_nova_{{ role }}_ssl_set_user_and_group:
+  file.managed:
+    - name: {{ nova_msg.ssl.get('cacert_file', nova_cacert) }}
+    - user: root
+    - group: nova
 {%- endif %}
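Review bot: The `file.managed` that writes the CA from `contents_pillar` gets `- mode: 644` but, unlike the matching state in nova/_ssl/mysql.sls, no `- user: root` / `- group: nova`, so ownership of that path depends entirely on the follow-up state. Adding those two lines after `- makedirs: true` would set owner, group and mode in one step and keep the two files parallel.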
diff --git a/nova/controller.sls b/nova/controller.sls
index f1819fb..b67926e 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -75,8 +75,10 @@
   file.managed:
     - name: {{ ca_file }}
     - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cacert
-    - mode: 444
+    - mode: 644
     - makedirs: true
+    - user: root
+    - group: nova
     - watch_in:
       - service: nova_controller_services
 {%- else %}
@@ -89,7 +91,9 @@
   file.managed:
     - name: {{ cert_file }}
     - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cert
-    - mode: 440
+    - mode: 640
+    - user: root
+    - group: nova
     - makedirs: true
 {%- else %}
   file.exists:
@@ -101,12 +105,24 @@
   file.managed:
     - name: {{ key_file }}
     - contents_pillar: nova:controller:novncproxy:vencrypt:tls:key
-    - mode: 400
+    - mode: 640
+    - user: root
+    - group: nova
     - makedirs: true
 {%- else %}
   file.exists:
    - name: {{ key_file }}
 {%- endif %}
+
+novncproxy_vencrypt_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ ca_file }}
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: root
+    - group: nova
+
 {%- endif %}
 {%- endif %}
 
@@ -119,8 +135,10 @@
   file.managed:
     - name: {{ cert_file }}
     - contents_pillar: nova:controller:novncproxy:tls:server:cert
-    - mode: 440
+    - mode: 644
     - makedirs: true
+    - user: root
+    - group: nova
     - watch_in:
       - service: nova_controller_services
 {%- else %}
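Review bot: `- mode: 644` on the novncproxy server certificate is inconsistent with the other certificate states in this commit, which all move to `640` (mysql, rabbitmq and the vencrypt cert in the `@@ -89,7 +91,9 @@` hunk). A certificate is public material, so world-read is not itself a leak, but if `640` is the intended policy for certificates this line should read `- mode: 640`. Otherwise a short comment saying why the server certificate differs would help the next reader. The state's ID line is above the hunk.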
@@ -133,12 +151,23 @@
   file.managed:
     - name: {{ key_file }}
     - contents_pillar: nova:controller:novncproxy:tls:server:key
-    - mode: 400
+    - mode: 640
+    - user: root
+    - group: nova
     - makedirs: true
 {%- else %}
   file.exists:
    - name: {{ key_file }}
 {%- endif %}
+
+novncproxy_server_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: root
+    - group: nova
+
 {%- endif %}
 
 {%- if controller.get('networking', 'default') == "contrail" and controller.version == "juno" %}