Implementing stricter permissions on config files
The security guide suggests that service config files should be owned by root and in the service user group with 0640 permissions. Change-Id: I5dc6e2c44ac5607fc1ff1c9fd2653eb23ef794bf
This commit is contained in:
parent
bdf659d04c
commit
a4c5811465
1
.gitignore
vendored
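--- a/.gitignore
+++ b/.gitignore
@@ -62,6 +62,7 @@ releasenotes/build
 
 # Test temp files
 tests/plugins
+tests/playbooks
 tests/common
 tests/*.retry
 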
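--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -30,9 +30,9 @@
 template:
 src: keystone.domain.conf.j2
 dest: "{{ keystone_ldap_domain_config_dir }}/keystone.{{ item.key }}.conf"
-owner: "{{ keystone_system_user_name }}"
+owner: "root"
 group: "{{ keystone_system_group_name }}"
-mode: "0644"
+mode: "0640"
 with_dict: "{{ keystone_ldap }}"
 notify:
 - Restart Keystone APIs on first node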
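Review bot: The owner/mode lines make the domain config readable only by root and by members of `keystone_system_group_name`, so every process that opens these files after the notified restart — the keystone processes and, if keystone runs behind a web server, that server — must carry that group; none of that is visible here, so it is worth confirming before merging. The same change appears in the config_template hunk further down (the `@ -17,9 +17,9 @@` section). A short comment on the owner line would record the intent for the next maintainer, e.g. `# root-owned, group-readable (0640): the service reads via its group and never writes here`. The enclosing task starts before this hunk.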
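--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -17,9 +17,9 @@
 config_template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
-owner: "{{ keystone_system_user_name }}"
+owner: "root"
 group: "{{ keystone_system_group_name }}"
-mode: "0644"
+mode: "0640"
 config_overrides: "{{ item.config_overrides }}"
 config_type: "{{ item.config_type }}"
 with_items: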
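--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -58,7 +58,7 @@
 with_items:
 - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
 - { path: "/etc/keystone", mode: "0750" }
-- { path: "{{ keystone_ldap_domain_config_dir }}" }
+- { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750" }
 - { path: "/etc/keystone/ssl" }
 - { path: "{{ keystone_fernet_tokens_key_repository }}", mode: "2750"}
 - { path: "{{ keystone_system_user_home }}" }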
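Review bot: The new `mode: "0750"` on the ldap domain config dir comes without an owner/group, unlike the `/openstack` entry two lines above it, so the directory's ownership is whatever this task's defaults are, and those are outside the hunk. If that default is the service user, the directory owner can still remove or replace the root-owned 0640 domain files the other hunks create, because directory write permission governs that, which would undercut the stricter file ownership. If the service never needs to write into that directory, pinning it explicitly closes the gap: `- { path: "{{ keystone_ldap_domain_config_dir }}", mode: "0750", owner: "root", group: "{{ keystone_system_group_name }}" }`. The task definition starts before this hunk.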