Fix certificate permissions

This patch fixes the permissions of the following
certificates, setting their ownership to root:nova

 * mysql
 * rabbit
 * vncencrypt
 * libvirt

Change-Id: I101d5ef254f5e39109678662fd0232188ba5c9b1
diff --git a/nova/controller.sls b/nova/controller.sls
index f1819fb..b67926e 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -75,8 +75,10 @@
   file.managed:
     - name: {{ ca_file }}
     - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cacert
-    - mode: 444
+    - mode: 644
     - makedirs: true
+    - user: root
+    - group: nova
     - watch_in:
       - service: nova_controller_services
 {%- else %}
@@ -89,7 +91,9 @@
   file.managed:
     - name: {{ cert_file }}
     - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cert
-    - mode: 440
+    - mode: 640
+    - user: root
+    - group: nova
     - makedirs: true
 {%- else %}
   file.exists:
@@ -101,12 +105,24 @@
   file.managed:
     - name: {{ key_file }}
     - contents_pillar: nova:controller:novncproxy:vencrypt:tls:key
-    - mode: 400
+    - mode: 640
+    - user: root
+    - group: nova
     - makedirs: true
 {%- else %}
   file.exists:
    - name: {{ key_file }}
 {%- endif %}
+
+novncproxy_vencrypt_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ ca_file }}
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: root
+    - group: nova
+
 {%- endif %}
 {%- endif %}
 
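Review bot: The added `novncproxy_vencrypt_set_user_and_group` state sets owner and group but no mode, so in the `file.exists` branches, where the files are provided outside Salt, the mode of the private key is never enforced and a world-readable key would stay world-readable. As a `file.managed` with no source or contents it would also, as far as I can tell, create an empty file for a missing path, masking the failure that `file.exists` is meant to report. The state could carry a per-name mode and refuse to create or rewrite files, as sketched below. The same applies to `novncproxy_server_set_user_and_group` in the last hunk. The Jinja conditionals enclosing this state open outside the hunk.

```yaml
novncproxy_vencrypt_set_user_and_group:
  file.managed:
    - names:
      - {{ ca_file }}:
        - mode: '0644'
      - {{ cert_file }}:
        - mode: '0640'
      - {{ key_file }}:
        - mode: '0640'
    - user: root
    - group: nova
    # Only adjust files that already exist; never create or rewrite them.
    - create: false
    - replace: false
```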
@@ -119,8 +135,10 @@
   file.managed:
     - name: {{ cert_file }}
     - contents_pillar: nova:controller:novncproxy:tls:server:cert
-    - mode: 440
+    - mode: 644
     - makedirs: true
+    - user: root
+    - group: nova
     - watch_in:
       - service: nova_controller_services
 {%- else %}
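Review bot: The server certificate is set to `644` here while the vencrypt certificate in the second hunk gets `640` under the same `root:nova` ownership, and the commit message does not say why the two differ. A certificate is public, so neither value exposes a secret, but a single value for both would be easier to audit. Writing the modes as quoted strings, e.g. `- mode: '0644'`, also keeps YAML from reading them as integers. The state this block belongs to starts above the hunk.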
@@ -133,12 +151,23 @@
   file.managed:
     - name: {{ key_file }}
     - contents_pillar: nova:controller:novncproxy:tls:server:key
-    - mode: 400
+    - mode: 640
+    - user: root
+    - group: nova
     - makedirs: true
 {%- else %}
   file.exists:
    - name: {{ key_file }}
 {%- endif %}
+
+novncproxy_server_set_user_and_group:
+  file.managed:
+    - names:
+      - {{ cert_file }}
+      - {{ key_file }}
+    - user: root
+    - group: nova
+
 {%- endif %}
 
 {%- if controller.get('networking', 'default') == "contrail" and controller.version == "juno" %}