From 7f2b169627d7a936da182b4128ac34e6d5bece6d Mon Sep 17 00:00:00 2001
From: likui
Date: Thu, 6 Aug 2020 14:12:44 +0800
Subject: [PATCH] Fix ownership and permissions of admin-openrc.sh

Previously the post-deploy.yml playbook was executed with become: true, and the admin-openrc.sh file templated without an owner or mode specified. This resulted in admin-openrc.sh being owned by root with 644 permissions.

This change creates the file without become: true, and explicitly sets the owner to the user executing Ansible, and the mode to 600.

Co-Authored-By: Mark Goddard
Closes-Bug: #1891704
Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
(cherry picked from commit 16f97867a3f7050ac42fbb921310ca884e974a11)
---
 ansible/post-deploy.yml | 9 ++++++---
 ...penrc-ownership-mode-310d89a6f50a9640.yaml | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml

diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index ae95aabcb6..6bf8b482c6 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -1,9 +1,12 @@
 ---
 - name: Creating admin openrc file on the deploy node
   hosts: localhost
-  become: true
   tasks:
-    - template:
+    - name: Template out admin-openrc.sh
+      become: true
+      template:
         src: "roles/common/templates/admin-openrc.sh.j2"
         dest: "{{ node_config }}/admin-openrc.sh"
-        run_once: True
+        owner: "{{ ansible_user_uid }}"
+        group: "{{ ansible_user_gid }}"
+        mode: 0600
diff --git a/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml b/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml
new file mode 100644
index 0000000000..2380130273
--- /dev/null
+++ b/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml
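Review bot: The new `mode: 0600` line in ansible/post-deploy.yml is an unquoted leading-zero scalar, which a YAML 1.1 loader (PyYAML, as used by Ansible) turns into the octal integer 384 and a YAML 1.2 loader would read as decimal 600, so the intended permission bits depend on the parser rather than on the text; the portable form Ansible's own documentation and ansible-lint expect is the quoted string, `mode: "0600"`. The `owner`/`group` values also rely on the `ansible_user_uid`/`ansible_user_gid` facts, which are only defined when fact gathering runs for the localhost play, so a deployment that disables `gather_facts` would fail here with an undefined variable; a one-line comment above `owner:` noting that dependency would help the next maintainer. The commit message states the file is now created "without become: true", yet the hunk keeps `become: true` at task level after dropping it from the play, presumably so the template runs as root and then chowns to the invoking user; if that is the intended backport behaviour, the description should say so.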
@@ -0,0 +1,19 @@
+---
+security:
+  - |
+    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
+    previously created with ``root:root`` ownership and ``644`` permissions.
+    This would allow anyone with access to the same directory to read the file,
+    including the admin credentials. The ownership of ``admin-openrc.sh`` is
+    now set to the user executing ``kolla-ansible``, and the file is assigned a
+    mode of ``600``. This change can be applied by running ``kolla-ansible
+    post-deploy``.
+fixes:
+  - |
+    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
+    previously created with ``root:root`` ownership and ``644`` permissions.
+    This would allow anyone with access to the same directory to read the file,
+    including the admin credentials. The ownership of ``admin-openrc.sh`` is
+    now set to the user executing ``kolla-ansible``, and the file is assigned a
+    mode of ``600``. This change can be applied by running ``kolla-ansible
+    post-deploy``.