Implementing stricter permissions on config files

The security guide suggests that service config files should be owned by root and in the service user group with 0640 permissions. Change-Id: I5dc6e2c44ac5607fc1ff1c9fd2653eb23ef794bf
2017-02-07 11:48:30 -05:00 · 2017-02-07 11:48:30 -05:00 · a4c5811465
commit a4c5811465
parent bdf659d04c
4 changed files with 6 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -62,6 +62,7 @@ releasenotes/build

 # Test temp files
 tests/plugins
+tests/playbooks
 tests/common
 tests/*.retry

--- a/tasks/keystone_ldap_setup.yml
+++ b/tasks/keystone_ldap_setup.yml
@ -30,9 +30,9 @@
  template:
    src: keystone.domain.conf.j2
    dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
-    owner: "{{ keystone_system_user_name }}"
+    owner: "root"
    group: "{{ keystone_system_group_name }}"
-    mode: "0644"
+    mode: "0640"
  with_dict: "{{ keystone_ldap }}"
  notify:
    - Restart Keystone APIs on first node
--- a/tasks/keystone_post_install.yml
+++ b/tasks/keystone_post_install.yml
@ -17,9 +17,9 @@
  config_template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
-    owner: "{{ keystone_system_user_name }}"
+    owner: "root"
    group: "{{ keystone_system_group_name }}"
-    mode: "0644"
+    mode: "0640"
    config_overrides: "{{ item.config_overrides }}"
    config_type: "{{ item.config_type }}"
  with_items:
--- a/tasks/keystone_pre_install.yml
+++ b/tasks/keystone_pre_install.yml
@ -58,7 +58,7 @@
  with_items:
    - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
    - { path: "/etc/keystone", mode: "0750" }
-    - { path: "{{ keystone_ldap_domain_config_dir }}" }
+    - { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750" }
    - { path: "/etc/keystone/ssl" }
    - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"}
    - { path: "{{ keystone_system_user_home }}" }