Implementing stricter permissions on config files

The security guide suggests that service config files
should be owned by root and in the service user group with 0640 permissions.

Change-Id: I5dc6e2c44ac5607fc1ff1c9fd2653eb23ef794bf
This commit is contained in:
Travis Truman 2017-02-07 11:48:30 -05:00
parent bdf659d04c
commit a4c5811465
4 changed files with 6 additions and 5 deletions

1
.gitignore vendored
View File

@ -62,6 +62,7 @@ releasenotes/build
# Test temp files # Test temp files
tests/plugins tests/plugins
tests/playbooks
tests/common tests/common
tests/*.retry tests/*.retry

View File

@ -30,9 +30,9 @@
template: template:
src: keystone.domain.conf.j2 src: keystone.domain.conf.j2
dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf" dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
owner: "{{ keystone_system_user_name }}" owner: "root"
group: "{{ keystone_system_group_name }}" group: "{{ keystone_system_group_name }}"
mode: "0644" mode: "0640"
with_dict: "{{ keystone_ldap }}" with_dict: "{{ keystone_ldap }}"
notify: notify:
- Restart Keystone APIs on first node - Restart Keystone APIs on first node

View File

@ -17,9 +17,9 @@
config_template: config_template:
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
owner: "{{ keystone_system_user_name }}" owner: "root"
group: "{{ keystone_system_group_name }}" group: "{{ keystone_system_group_name }}"
mode: "0644" mode: "0640"
config_overrides: "{{ item.config_overrides }}" config_overrides: "{{ item.config_overrides }}"
config_type: "{{ item.config_type }}" config_type: "{{ item.config_type }}"
with_items: with_items:

View File

@ -58,7 +58,7 @@
with_items: with_items:
- { path: "/openstack", mode: "0755", owner: "root", group: "root" } - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
- { path: "/etc/keystone", mode: "0750" } - { path: "/etc/keystone", mode: "0750" }
- { path: "{{ keystone_ldap_domain_config_dir }}" } - { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750" }
- { path: "/etc/keystone/ssl" } - { path: "/etc/keystone/ssl" }
- { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"} - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"}
- { path: "{{ keystone_system_user_home }}" } - { path: "{{ keystone_system_user_home }}" }