Secure permissions on /etc/puppet/hieradata and

/etc/puppet/hieradata/puppet-stack-config.yaml Change-Id: I7cd014914db998d583f79328ed82270d3a280ff5 Resolves: rhbz#1234962
2015-06-24 16:37:32 -04:00 · 2015-06-24 16:37:32 -04:00 · 047e3c11f1
parent 11827e002e
commit 047e3c11f1
4 changed files with 26 additions and 22 deletions
--- a/elements/puppet-stack-config/install.d/02-puppet-stack-config
+++ b/elements/puppet-stack-config/install.d/02-puppet-stack-config
@ -73,3 +73,7 @@ if not os.path.exists(os.path.dirname(puppet_stack_config_yaml_path)):
    os.makedirs(os.path.dirname(puppet_stack_config_yaml_path))
 with open(puppet_stack_config_yaml_path, 'w') as f:
    f.write(puppet_stack_config_yaml)
+
+# Secure permissions
+os.chmod(os.path.dirname(puppet_stack_config_yaml_path), 0750)
+os.chmod(puppet_stack_config_yaml_path, 0600)
--- a/elements/undercloud-stack-config/os-apply-config/root/stackrc
+++ b/elements/undercloud-stack-config/os-apply-config/root/stackrc
@ -1,5 +1,5 @@
 export NOVA_VERSION=1.1
-export OS_PASSWORD=$(hiera admin_password)
+export OS_PASSWORD=$(sudo hiera admin_password)
 export OS_AUTH_URL=http://{{local-ip}}:5000/v2.0
 export OS_USERNAME=admin
 export OS_TENANT_NAME=admin
--- a/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
+++ b/elements/undercloud-stack-config/os-apply-config/root/tripleo-undercloud-passwords
@ -1,21 +1,21 @@
-UNDERCLOUD_ADMIN_PASSWORD=$(hiera admin_password)
-UNDERCLOUD_ADMIN_TOKEN=$(hiera keystone::admin_token)
-UNDERCLOUD_CEILOMETER_METERING_SECRET=$(hiera ceilometer::metering_secret)
-UNDERCLOUD_CEILOMETER_PASSWORD=$(hiera ceilometer::api::keystone_password)
-UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(hiera snmpd_readonly_user_password)
-UNDERCLOUD_CEILOMETER_SNMPD_USER=$(hiera snmpd_readonly_user_name)
-UNDERCLOUD_DB_PASSWORD=$(hiera admin_password)
-UNDERCLOUD_GLANCE_PASSWORD=$(hiera glance::api::keystone_password)
-UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(hiera heat::engine::auth_encryption_key)
-UNDERCLOUD_HEAT_PASSWORD=$(hiera heat::keystone_password)
-UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(hiera heat_stack_domain_admin_password)
-UNDERCLOUD_HORIZON_SECRET_KEY=$(hiera horizon_secret_key)
-UNDERCLOUD_IRONIC_PASSWORD=$(hiera ironic::api::admin_password)
-UNDERCLOUD_NEUTRON_PASSWORD=$(hiera neutron::server::auth_password)
-UNDERCLOUD_NOVA_PASSWORD=$(hiera nova::api::admin_password)
-UNDERCLOUD_RABBIT_COOKIE=$(hiera rabbit_cookie)
-UNDERCLOUD_RABBIT_PASSWORD=$(hiera rabbit_password)
-UNDERCLOUD_RABBIT_USERNAME=$(hiera rabbit_username)
-UNDERCLOUD_SWIFT_HASH_SUFFIX=$(hiera swift::swift_hash_suffix)
-UNDERCLOUD_SWIFT_PASSWORD=$(hiera swift::proxy::authtoken::admin_password)
+UNDERCLOUD_ADMIN_PASSWORD=$(sudo hiera admin_password)
+UNDERCLOUD_ADMIN_TOKEN=$(sudo hiera keystone::admin_token)
+UNDERCLOUD_CEILOMETER_METERING_SECRET=$(sudo hiera ceilometer::metering_secret)
+UNDERCLOUD_CEILOMETER_PASSWORD=$(sudo hiera ceilometer::api::keystone_password)
+UNDERCLOUD_CEILOMETER_SNMPD_PASSWORD=$(sudo hiera snmpd_readonly_user_password)
+UNDERCLOUD_CEILOMETER_SNMPD_USER=$(sudo hiera snmpd_readonly_user_name)
+UNDERCLOUD_DB_PASSWORD=$(sudo hiera admin_password)
+UNDERCLOUD_GLANCE_PASSWORD=$(sudo hiera glance::api::keystone_password)
+UNDERCLOUD_HEAT_ENCRYPTION_KEY=$(sudo hiera heat::engine::auth_encryption_key)
+UNDERCLOUD_HEAT_PASSWORD=$(sudo hiera heat::keystone_password)
+UNDERCLOUD_HEAT_STACK_DOMAIN_ADMIN_PASSWORD=$(sudo hiera heat_stack_domain_admin_password)
+UNDERCLOUD_HORIZON_SECRET_KEY=$(sudo hiera horizon_secret_key)
+UNDERCLOUD_IRONIC_PASSWORD=$(sudo hiera ironic::api::admin_password)
+UNDERCLOUD_NEUTRON_PASSWORD=$(sudo hiera neutron::server::auth_password)
+UNDERCLOUD_NOVA_PASSWORD=$(sudo hiera nova::api::admin_password)
+UNDERCLOUD_RABBIT_COOKIE=$(sudo hiera rabbit_cookie)
+UNDERCLOUD_RABBIT_PASSWORD=$(sudo hiera rabbit_password)
+UNDERCLOUD_RABBIT_USERNAME=$(sudo hiera rabbit_username)
+UNDERCLOUD_SWIFT_HASH_SUFFIX=$(sudo hiera swift::swift_hash_suffix)
+UNDERCLOUD_SWIFT_PASSWORD=$(sudo hiera swift::proxy::authtoken::admin_password)
 UNDERCLOUD_TUSKAR_PASSWORD={{tuskar.service-password}}
--- a/instack_undercloud/undercloud.py
+++ b/instack_undercloud/undercloud.py
@ -474,7 +474,7 @@ def _configure_ssh_keys():
    args = ['sudo', 'chown', getpass.getuser() + ':',
            os.path.expanduser('~/stackrc')]
    _run_command(args, name='Chown stackrc')
-    password = _run_command(['hiera', 'admin_password']).rstrip()
+    password = _run_command(['sudo', 'hiera', 'admin_password']).rstrip()
    user = _extract_from_stackrc('OS_USERNAME')
    auth_url = _extract_from_stackrc('OS_AUTH_URL')
    tenant = _extract_from_stackrc('OS_TENANT')