Fix ownership for SSL files
Make sure files are owned by root:rabbitmq,
make sure they have 640 perms.
Change-Id: I21271f447360b19066682e891ea8762030d9f5a2
diff --git a/rabbitmq/server/ssl.sls b/rabbitmq/server/ssl.sls
index 6847126..dcb8e85 100644
--- a/rabbitmq/server/ssl.sls
+++ b/rabbitmq/server/ssl.sls
@@ -7,7 +7,9 @@
file.managed:
- name: {{ server.ssl.ca_file }}
- contents_pillar: rabbitmq:server:ssl:cacert_chain
- - mode: 0444
+ - mode: 640
+ - user: root
+ - group: rabbitmq
- makedirs: true
{%- else %}
rabbitmq_cacertificate_exists:
@@ -17,6 +19,8 @@
file.managed:
- name: {{ server.ssl.ca_file }}
- mode: 644
+ - user: root
+ - group: rabbitmq
- create: False
- require:
- file: rabbitmq_cacertificate_exists
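Review bot: The pre-existing-CA branch in this hunk keeps `- mode: 644`, while the pillar-managed CA file in the first hunk moves to `- mode: 640` and the commit message says all SSL files should end up 640. The two branches therefore converge on different permissions for the same `server.ssl.ca_file` path. Either change this line to `- mode: 640`, or, since a CA certificate is not secret and other local clients may need to read it, keep 644 in both branches and record that choice in a comment. The state's ID line sits above the hunk, so only the argument list is visible here.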
@@ -27,7 +31,9 @@
file.managed:
- name: {{ server.ssl.cert_file }}
- contents_pillar: rabbitmq:server:ssl:cert
- - mode: 0444
+ - mode: 640
+ - user: root
+ - group: rabbitmq
- makedirs: true
{%- else %}
rabbitmq_certificate_exists:
@@ -36,7 +42,9 @@
rabbitmq_certificate:
file.managed:
- name: {{ server.ssl.cert_file }}
- - mode: 644
+ - mode: 640
+ - user: root
+ - group: rabbitmq
- create: False
- require:
- file: rabbitmq_certificate_exists
@@ -49,7 +57,7 @@
- contents_pillar: rabbitmq:server:ssl:key
- user: root
- group: rabbitmq
- - mode: 0440
+ - mode: 640
- makedirs: true
{%- else %}
rabbitmq_server_key_exists:
@@ -58,14 +66,15 @@
rabbitmq_server_key:
file.managed:
- name: {{ server.ssl.key_file }}
+ - mode: 640
- user: root
- group: rabbitmq
- - mode: 0440
- create: False
- require:
- file: rabbitmq_server_key_exists
{%- endif %}
+{%- if server.ssl.cert is defined or server.ssl.key is defined %}
rabbitmq_ssl_all_file:
file.managed:
- name: {{ server.ssl.all_file }}
@@ -73,7 +82,7 @@
- template: jinja
- user: root
- group: rabbitmq
- - mode: 0440
+ - mode: 640
- makedirs: true
- context:
ssl_key_file: {{ server.ssl.key_file }}
@@ -81,6 +90,20 @@
- watch:
- file: rabbitmq_server_key
- file: rabbitmq_certificate
+{%- else %}
+rabbitmq_ssl_all_file_exists:
+ file.exists:
+ - name: {{ server.ssl.all_file }}
+rabbitmq_ssl_all_file:
+ file.managed:
+ - name: {{ server.ssl.all_file }}
+ - mode: 640
+ - user: root
+ - group: rabbitmq
+ - create: False
+ - require:
+ - file: rabbitmq_server_key_exists
+{%- endif %}
rabbitmq_ssl_env:
file.managed:
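Review bot: The new `rabbitmq_ssl_all_file` state in the `else` branch requires `file: rabbitmq_server_key_exists`, so the `rabbitmq_ssl_all_file_exists` check added directly above it is never a prerequisite of anything. The CA, certificate and key states elsewhere in this file each require their own `*_exists` check, so this looks like a copy-paste slip and the line should read `- file: rabbitmq_ssl_all_file_exists`. As written, with `create: False`, a missing combined file would likely not block this state, and the require only resolves because the `else` implies `server.ssl.key` is undefined. If the combined file holds the private key, as the `ssl_key_file` context in the template branch suggests, a short comment saying why it is root:rabbitmq with 640 would help the next reader.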
@@ -89,7 +112,7 @@
- template: jinja
- user: root
- group: rabbitmq
- - mode: 0440
+ - mode: 640
- makedirs: true
- context:
all_file: {{ server.ssl.all_file }}