From 8117a8224560d9d1ee9a168bf069a5d3373a5547 Mon Sep 17 00:00:00 2001
From: Travis Truman
Date: Tue, 7 Feb 2017 12:36:38 -0500
Subject: [PATCH] Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions.

Change-Id: I60f8aa7cfb61b15be847fb3d380b0926fb1009dd
---
 tasks/glance_post_install.yml | 4 ++--
 tasks/glance_pre_install.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tasks/glance_post_install.yml b/tasks/glance_post_install.yml
index f9dd0ff5..5becc417 100644
--- a/tasks/glance_post_install.yml
+++ b/tasks/glance_post_install.yml
@@ -17,9 +17,9 @@
 config_template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
- owner: "{{ glance_system_user_name }}"
+ owner: "root"
 group: "{{ glance_system_group_name }}"
- mode: "0644"
+ mode: "0640"
 config_overrides: "{{ item.config_overrides }}"
 config_type: "{{ item.config_type }}"
 with_items:
diff --git a/tasks/glance_pre_install.yml b/tasks/glance_pre_install.yml
index 35645e7e..f21c0674 100644
--- a/tasks/glance_pre_install.yml
+++ b/tasks/glance_pre_install.yml
@@ -38,7 +38,7 @@
 mode: "{{ item.mode|default('0755') }}"
 with_items:
 - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
- - { path: "/etc/glance", mode: "0755" }
+ - { path: "/etc/glance", mode: "0750" }
 - { path: "/var/cache/glance" }
 - { path: "{{ glance_system_user_home }}" }
 - { path: "{{ glance_system_user_home }}/cache/api", mode: "0700" }
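Review bot: The `/etc/glance` entry in the `with_items` list of tasks/glance_pre_install.yml changes only the mode and sets no `owner` or `group`, so the directory falls back to the task's defaults; the explicit `owner: "root"` on the `/openstack` entry suggests that default is the service user. If so, the service account keeps write permission on the directory and can unlink and recreate the root-owned 0640 files that tasks/glance_post_install.yml now installs, which undoes the benefit of moving file ownership to root. Consider `- { path: "/etc/glance", mode: "0750", owner: "root", group: "{{ glance_system_group_name }}" }`, assuming nothing in the service needs to create files under /etc/glance at runtime. The task's `owner`/`group` default expressions sit above the hunk and should be confirmed there.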