16f97867a3
Previously the post-deploy.yml playbook was executed with become: true, and the admin-openrc.sh file templated without an owner or mode specified. This resulted in admin-openrc.sh being owned by root with 644 permissions.

This change creates the file without become: true, and explicitly sets the owner to the user executing Ansible, and the mode to 600.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>
Closes-Bug: #1891704
Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
20 lines
1009 B
YAML
---
security:
  - |
    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
    previously created with ``root:root`` ownership and ``644`` permissions.
    This would allow anyone with access to the same directory to read the file,
    including the admin credentials. The ownership of ``admin-openrc.sh`` is
    now set to the user executing ``kolla-ansible``, and the file is assigned a
    mode of ``600``. This change can be applied by running ``kolla-ansible
    post-deploy``.
fixes:
  - |
    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
    previously created with ``root:root`` ownership and ``644`` permissions.
    This would allow anyone with access to the same directory to read the file,
    including the admin credentials. The ownership of ``admin-openrc.sh`` is
    now set to the user executing ``kolla-ansible``, and the file is assigned a
    mode of ``600``. This change can be applied by running ``kolla-ansible
    post-deploy``.
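
A check an operator could run after re-running ``kolla-ansible post-deploy`` to confirm that an existing ``admin-openrc.sh`` now matches the release note (owned by the invoking user, mode ``600``). This is an added example, not code from kolla-ansible; ``audit_openrc`` and ``demo`` are hypothetical names, and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def audit_openrc(path, expected_uid=None):
    """Return findings for a credentials file; an empty list means it is
    a regular file owned by expected_uid with no group/other access."""
    if expected_uid is None:
        expected_uid = os.getuid()
    # lstat: report a symlink sitting at the path instead of following it
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o} grants group/other access, expected 600")
    return findings


def demo():
    """Constructed sample: the old 644 state, the fixed 600 state,
    a 600 file checked against a different owner, and a symlink."""
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "admin-openrc.sh.before")
        new = os.path.join(d, "admin-openrc.sh")
        link = os.path.join(d, "admin-openrc.sh.link")
        for p, m in ((old, 0o644), (new, 0o600)):
            with open(p, "w") as f:
                f.write("export OS_PASSWORD=constructed-placeholder\n")
            os.chmod(p, m)
        os.symlink(new, link)
        return {
            "before": audit_openrc(old),
            "after": audit_openrc(new),
            "wrong_owner": audit_openrc(new, expected_uid=os.getuid() + 1),
            "symlink": audit_openrc(link),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```
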