TLS cert/key permissions for libvirt and VNC have been updated.
* Permissions for TLS certs/keys have been updated.
* A few cosmetic changes.
Change-Id: I8c7a8db610797e1daa32585637eda44aa85c647e
diff --git a/nova/compute.sls b/nova/compute.sls
index bc699cc..c088ccf 100644
--- a/nova/compute.sls
+++ b/nova/compute.sls
@@ -141,19 +141,23 @@
{% endif %}
{%- if compute.libvirt.get('tls',{}).get('enabled',False) %}
-{%- set ca_file=compute.libvirt.tls.get('ca_file') %}
-{%- set key_file=compute.libvirt.tls.get('key_file') %}
-{%- set cert_file=compute.libvirt.tls.get('cert_file') %}
-{%- set client_key_file=compute.libvirt.tls.client.get('key_file') %}
-{%- set client_cert_file=compute.libvirt.tls.client.get('cert_file') %}
+{%- set ca_file=compute.libvirt.tls.ca_file %}
+{%- set key_file=compute.libvirt.tls.key_file %}
+{%- set cert_file=compute.libvirt.tls.cert_file %}
+{%- set client_key_file=compute.libvirt.tls.client.key_file %}
+{%- set client_cert_file=compute.libvirt.tls.client.cert_file %}
libvirt_ca_nova_compute:
{%- if compute.libvirt.tls.cacert is defined %}
file.managed:
- name: {{ ca_file }}
- contents_pillar: nova:compute:libvirt:tls:cacert
- - mode: 444
+ - mode: 644
+ - user: root
+ - group: nova
- makedirs: true
+ - require:
+ - user: user_nova_bash
{%- else %}
file.exists:
- name: {{ ca_file }}
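Review bot: Replacing `.get('ca_file')` with `.ca_file` (and the same for the key, cert and client paths) is not cosmetic: with `.get` a missing pillar key rendered as `- name: None`, whereas attribute access on a missing key will, as far as I can tell from Salt's Jinja setup, abort rendering of the state. Failing at render time is the safer behaviour, since no state with a bogus path is applied, but it is a behavioural change and should be stated rather than filed under cosmetic changes. The same applies to the VNC `set` lines in the hunk further down. A one-line comment above the `set` block, `{# attribute access on purpose: a missing path must fail the render, not manage "None" #}`, would make the intent clear to the next person who reaches for `.get`.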
@@ -164,8 +168,12 @@
file.managed:
- name: {{ cert_file }}
- contents_pillar: nova:compute:libvirt:tls:cert
- - mode: 440
+ - mode: 640
+ - user: root
+ - group: nova
- makedirs: true
+ - require:
+ - user: user_nova_bash
{%- else %}
file.exists:
- name: {{ cert_file }}
@@ -176,8 +184,12 @@
file.managed:
- name: {{ key_file }}
- contents_pillar: nova:compute:libvirt:tls:key
- - mode: 400
+ - mode: 640
+ - user: root
+ - group: nova
- makedirs: true
+ - require:
+ - user: user_nova_bash
{%- else %}
file.exists:
- name: {{ key_file }}
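Review bot: The libvirt server private key `{{ key_file }}` goes from `mode: 400` to `mode: 640` with `group: nova`, so every process running in the nova group can now read the daemon's private key, where before only the owner could. Nothing in the hunk shows that the nova service needs the server key (the client key is managed separately), and if libvirtd runs as root, `user: root` with `- mode: 400` keeps the new ownership and `require` while not widening access; if a group really does need to read it, `- mode: 440` is the minimum that achieves that. The same widening is applied to the client key in the next hunk with `{{ client_key_file }}` and to the VNC key in the last hunk, so whichever mode is chosen should be justified once in a comment above the state and applied consistently to all three.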
@@ -188,8 +200,12 @@
file.managed:
- name: {{ client_cert_file }}
- contents_pillar: nova:compute:libvirt:tls:client:cert
- - mode: 440
+ - mode: 640
+ - user: root
+ - group: nova
- makedirs: true
+ - require:
+ - user: user_nova_bash
{%- else %}
file.exists:
- name: {{ client_cert_file }}
@@ -200,27 +216,49 @@
file.managed:
- name: {{ client_key_file }}
- contents_pillar: nova:compute:libvirt:tls:client:key
- - mode: 400
+ - mode: 640
+ - user: root
+ - group: nova
- makedirs: true
+ - require:
+ - user: user_nova_bash
{%- else %}
file.exists:
- name: {{ client_key_file }}
{%- endif %}
+
+libvirt_tls_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - {{ client_key_file }}
+ - {{ client_cert_file }}
+ - user: root
+ - group: nova
+ - require:
+ - user: user_nova_bash
+
{%- endif %}
{%- if compute.qemu.vnc.tls.get('enabled', False) %}
-{%- set ca_file=compute.qemu.vnc.tls.get('ca_file') %}
-{%- set key_file=compute.qemu.vnc.tls.get('key_file') %}
-{%- set cert_file=compute.qemu.vnc.tls.get('cert_file') %}
+{%- set ca_file=compute.qemu.vnc.tls.ca_file %}
+{%- set key_file=compute.qemu.vnc.tls.key_file %}
+{%- set cert_file=compute.qemu.vnc.tls.cert_file %}
qemu_ca_nova_compute:
{%- if compute.qemu.vnc.tls.cacert is defined %}
file.managed:
- name: {{ ca_file }}
- contents_pillar: nova:compute:qemu:vnc:tls:cacert
- - mode: 444
+ - mode: 644
+ - user: root
+ - group: libvirt-qemu
- makedirs: true
+ - require:
+ - user: user_libvirt-qemu
{%- else %}
file.exists:
- name: {{ ca_file }}
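Review bot: `libvirt_tls_set_user_and_group` is a `file.managed` with `names:` and neither `source` nor `contents`; in that form Salt creates an empty file for any listed path that does not exist, and since the state does not `require` the `file.exists` checks in the `else` branches, a missing operator-supplied CA, cert or key would likely end up as an empty root:nova file instead of a failed state. Adding `- create: false` under `- names:` restricts it to files that already exist, and `- replace: false` documents that contents are never touched. Note also that the state sets ownership but no `mode`, so operator-supplied keys that reach this path keep whatever permissions they arrived with, and for the pillar-managed branches the `user`/`group` here duplicate what the per-file states already set. The same applies to `qemu_tls_set_user_and_group` in the last hunk.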
@@ -231,8 +269,12 @@
file.managed:
- name: {{ cert_file }}
- contents_pillar: nova:compute:qemu:vnc:tls:cert
- - mode: 440
+ - mode: 640
+ - user: root
+ - group: libvirt-qemu
- makedirs: true
+ - require:
+ - user: user_libvirt-qemu
{%- else %}
file.exists:
- name: {{ cert_file }}
@@ -243,13 +285,28 @@
file.managed:
- name: {{ key_file }}
- contents_pillar: nova:compute:qemu:vnc:tls:key
- - mode: 400
+ - mode: 640
+ - user: root
+ - group: libvirt-qemu
- makedirs: true
+ - require:
+ - user: user_libvirt-qemu
{%- else %}
file.exists:
- name: {{ key_file }}
{%- endif %}
+qemu_tls_set_user_and_group:
+ file.managed:
+ - names:
+ - {{ ca_file }}
+ - {{ cert_file }}
+ - {{ key_file }}
+ - user: root
+ - group: libvirt-qemu
+ - require:
+ - user: user_libvirt-qemu
+
{%- endif %}
nova_compute_services: