Fix file permissions.
Fixes-bug: PROD-36505
Change-Id: I20bcf7968b9bfafbd89e9cd8ae6bef65faecf9be
diff --git a/README.rst b/README.rst
index 6a81192..6d420fe 100644
--- a/README.rst
+++ b/README.rst
@@ -1439,6 +1439,38 @@
compute:
security_driver: apparmor
+
+Change files/directories permissions for nova service:
+=======================================
+In order to change file permissions the following should be set:
+
+'files' - block to set permissions for files.
+- full path to file
+- user ( default value is 'root' ) this parameter is optional.
+- group ( default value is 'nova' ) this parameter is optional
+- mode ( default value is '0640' ) this parameter is optional
+
+'directories' - block to set permissions for directories.
+- full path to directory
+- user ( default value is 'root' ) this parameter is optional
+- group ( default value is 'nova' ) this parameter is optional
+- mode ( default value is '0750' ) this parameter is optional
+
+.. code-block:: yaml
+
+ nova:
+ files:
+ /etc/nova/nova.conf:
+ user: 'root'
+ group: 'nova'
+ mode: '0750'
+ directories:
+ /etc/nova:
+ user: 'root'
+ group: 'nova'
+ mode: '0750'
+
+
Upgrades
========
diff --git a/metadata/service/compute/cluster.yml b/metadata/service/compute/cluster.yml
index b9bdfd3..d154d2c 100644
--- a/metadata/service/compute/cluster.yml
+++ b/metadata/service/compute/cluster.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.support
+- service.nova.file_permissions
parameters:
_param:
openstack_log_appender: false
diff --git a/metadata/service/compute/ironic.yml b/metadata/service/compute/ironic.yml
index 0612e9f..c80253c 100644
--- a/metadata/service/compute/ironic.yml
+++ b/metadata/service/compute/ironic.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.support
+- service.nova.file_permissions
parameters:
_param:
openstack_log_appender: false
diff --git a/metadata/service/compute/kvm.yml b/metadata/service/compute/kvm.yml
index 0352323..56d9318 100644
--- a/metadata/service/compute/kvm.yml
+++ b/metadata/service/compute/kvm.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.support
+- service.nova.file_permissions
parameters:
_param:
openstack_log_appender: false
diff --git a/metadata/service/control/cluster.yml b/metadata/service/control/cluster.yml
index 232c7d5..24dde8f 100644
--- a/metadata/service/control/cluster.yml
+++ b/metadata/service/control/cluster.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.support
+- service.nova.file_permissions
parameters:
_param:
nova_vncproxy_url: http://${_param:single_address}:6080
diff --git a/metadata/service/control/single.yml b/metadata/service/control/single.yml
index 27c2527..8d88ba9 100644
--- a/metadata/service/control/single.yml
+++ b/metadata/service/control/single.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.support
+- service.nova.file_permissions
parameters:
_param:
nova_vncproxy_url: http://${_param:single_address}:6080
diff --git a/metadata/service/file_permissions.yml b/metadata/service/file_permissions.yml
new file mode 100644
index 0000000..da953ce
--- /dev/null
+++ b/metadata/service/file_permissions.yml
@@ -0,0 +1,13 @@
+parameters:
+ nova:
+ directories:
+ /etc/nova:
+ user: 'root'
+ files:
+ /etc/nova/nova.conf:
+ user: 'root'
+ /etc/nova/rootwrap.conf:
+ mode: '0640'
+ group: 'nova'
+ /etc/nova/api-paste.ini:
+ user: 'root'
diff --git a/nova/file_permissions.sls b/nova/file_permissions.sls
new file mode 100644
index 0000000..7559734
--- /dev/null
+++ b/nova/file_permissions.sls
@@ -0,0 +1,22 @@
+{% if pillar.nova.files is defined %}
+{%- for file_full_path, file_mode in pillar.nova.files.iteritems() %}
+{{ file_full_path }}_permissions:
+ file.managed:
+ - name: {{ file_full_path }}
+ - mode: {{ file_mode.get('mode', '0640') }}
+ - user: {{ file_mode.get('user', 'root') }}
+ - group: {{ file_mode.get('group', 'nova') }}
+ - replace: false
+{%- endfor %}
+{% endif %}
+
+{% if pillar.nova.directories is defined %}
+{%- for directory_path, directory_mode in pillar.nova.directories.iteritems() %}
+{{ directory_path }}_permissions:
+ file.directory:
+ - name: {{ directory_path }}
+ - mode: {{ directory_mode.get('mode', '0750') }}
+ - user: {{ directory_mode.get('user', 'root') }}
+ - group: {{ directory_mode.get('group', 'nova') }}
+{%- endfor %}
+{% endif %}
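Review bot: `pillar.nova.files.iteritems()` and `pillar.nova.directories.iteritems()` are Python 2-only; when Salt renders this template under Python 3 the dict has no `iteritems` and the render fails, so both for-loops should use `.items()`, e.g. `{%- for file_full_path, file_mode in pillar.nova.files.items() %}`. In the files loop, `file.managed` with `replace: false` still creates an empty file when the path does not yet exist (for instance if this state runs before the package that ships `/etc/nova/api-paste.ini`), which is presumably not intended for a permissions-only state; adding `- create: false` limits it to files that already exist. The rendered `- mode: 0640` is also an unquoted leading-zero scalar in the resulting YAML; Salt's loader normalizes it, but `- mode: "{{ file_mode.get('mode', '0640') }}"` (and the same for the directory loop) is the more portable form.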
diff --git a/nova/init.sls b/nova/init.sls
index 3cd900b..7a9a4db 100644
--- a/nova/init.sls
+++ b/nova/init.sls
@@ -9,3 +9,4 @@
{% if pillar.nova.client is defined %}
- nova.client
{% endif %}
+- nova.file_permissions
\ No newline at end of file
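Review bot: The new `- nova.file_permissions` include is unconditional, unlike the adjacent `- nova.client` entry guarded by `{% if pillar.nova.client is defined %}`; the included state guards itself on `pillar.nova.files`/`pillar.nova.directories`, so this is safe, but wrapping it in `{% if pillar.nova.files is defined or pillar.nova.directories is defined %}` would keep the include list consistent and avoid rendering an empty state. The file also still lacks a trailing newline after the added line. The enclosing `include:` list starts outside the hunk.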