Implementing stricter permissions on config files
The security guide suggests that all OpenStack service config files should be owned by root and in the service user group with 0640 permissions. http://docs.openstack.org/security-guide/networking/checklist.html Change-Id: I603eb691828bb3456ae0686ed80342765f52ecea
This commit is contained in:
parent
3d3a2c3e7d
commit
f927760d88
@ -17,9 +17,9 @@
|
|||||||
config_template:
|
config_template:
|
||||||
src: "{{ item.src }}"
|
src: "{{ item.src }}"
|
||||||
dest: "{{ item.dest }}"
|
dest: "{{ item.dest }}"
|
||||||
owner: "{{ item.owner|default(neutron_system_user_name) }}"
|
owner: "root"
|
||||||
group: "{{ item.group|default(neutron_system_group_name) }}"
|
group: "{{ item.group|default(neutron_system_group_name) }}"
|
||||||
mode: "0644"
|
mode: "0640"
|
||||||
config_overrides: "{{ item.config_overrides }}"
|
config_overrides: "{{ item.config_overrides }}"
|
||||||
config_type: "{{ item.config_type }}"
|
config_type: "{{ item.config_type }}"
|
||||||
with_items:
|
with_items:
|
||||||
@ -37,8 +37,6 @@
|
|||||||
config_type: "ini"
|
config_type: "ini"
|
||||||
- src: "rootwrap.conf.j2"
|
- src: "rootwrap.conf.j2"
|
||||||
dest: "{{ neutron_conf_dir }}/rootwrap.conf"
|
dest: "{{ neutron_conf_dir }}/rootwrap.conf"
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
config_overrides: "{{ neutron_rootwrap_conf_overrides }}"
|
config_overrides: "{{ neutron_rootwrap_conf_overrides }}"
|
||||||
config_type: "ini"
|
config_type: "ini"
|
||||||
- src: "policy.json.j2"
|
- src: "policy.json.j2"
|
||||||
@ -52,9 +50,9 @@
|
|||||||
config_template:
|
config_template:
|
||||||
src: "{{ neutron_plugins[item].plugin_ini }}.j2"
|
src: "{{ neutron_plugins[item].plugin_ini }}.j2"
|
||||||
dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
|
dest: "{{ neutron_conf_dir }}/{{ neutron_plugins[item].plugin_ini }}"
|
||||||
owner: "{{ neutron_system_user_name }}"
|
owner: "root"
|
||||||
group: "{{ neutron_system_group_name }}"
|
group: "{{ neutron_system_group_name }}"
|
||||||
mode: "0644"
|
mode: "0640"
|
||||||
config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}"
|
config_overrides: "{{ neutron_plugins[item].plugin_conf_ini_overrides }}"
|
||||||
config_type: "ini"
|
config_type: "ini"
|
||||||
with_items: "{{ neutron_plugin_types }}"
|
with_items: "{{ neutron_plugin_types }}"
|
||||||
@ -63,9 +61,9 @@
|
|||||||
config_template:
|
config_template:
|
||||||
src: "dnsmasq-neutron.conf.j2"
|
src: "dnsmasq-neutron.conf.j2"
|
||||||
dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
|
dest: "{{ neutron_conf_dir }}/dnsmasq-neutron.conf"
|
||||||
owner: "{{ neutron_system_user_name }}"
|
owner: "root"
|
||||||
group: "{{ neutron_system_group_name }}"
|
group: "{{ neutron_system_group_name }}"
|
||||||
mode: "0644"
|
mode: "0640"
|
||||||
config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}"
|
config_overrides: "{{ neutron_dnsmasq_neutron_conf_overrides }}"
|
||||||
config_type: "ini"
|
config_type: "ini"
|
||||||
notify:
|
notify:
|
||||||
@ -82,19 +80,19 @@
|
|||||||
config_template:
|
config_template:
|
||||||
src: "{{ item.value.service_conf }}.j2"
|
src: "{{ item.value.service_conf }}.j2"
|
||||||
dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}"
|
dest: "{{ item.value.service_conf_path }}/{{ item.value.service_conf }}"
|
||||||
owner: "{{ neutron_system_user_name }}"
|
owner: "root"
|
||||||
group: "{{ neutron_system_group_name }}"
|
group: "{{ neutron_system_group_name }}"
|
||||||
mode: "0644"
|
mode: "0640"
|
||||||
config_overrides: "{{ item.value.config_overrides }}"
|
config_overrides: "{{ item.value.config_overrides }}"
|
||||||
config_type: "{{ item.value.config_type }}"
|
config_type: "{{ item.value.config_type }}"
|
||||||
with_dict: "{{ neutron_services }}"
|
with_dict: "{{ neutron_services }}"
|
||||||
notify:
|
notify:
|
||||||
- Restart neutron services
|
- Restart neutron services
|
||||||
when:
|
when:
|
||||||
- item.value.service_en | bool
|
- item.value.service_en | bool
|
||||||
- item.value.service_conf_path is defined
|
- item.value.service_conf_path is defined
|
||||||
- item.value.service_conf is defined
|
- item.value.service_conf is defined
|
||||||
- item.value.group in group_names
|
- item.value.group in group_names
|
||||||
|
|
||||||
- name: Copy neutron rootwrap filters
|
- name: Copy neutron rootwrap filters
|
||||||
copy:
|
copy:
|
||||||
|
@ -39,8 +39,8 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- { path: "/openstack", owner: "root", group: "root" }
|
- { path: "/openstack", owner: "root", group: "root" }
|
||||||
- { path: "{{ neutron_conf_dir }}", mode: "0750" }
|
- { path: "{{ neutron_conf_dir }}", mode: "0750" }
|
||||||
- { path: "{{ neutron_conf_dir }}/plugins" }
|
- { path: "{{ neutron_conf_dir }}/plugins", mode: "0750" }
|
||||||
- { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}" }
|
- { path: "{{ neutron_conf_dir }}/plugins/{{ neutron_plugin_type.split('.')[0] }}", mode: "0750" }
|
||||||
- { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" }
|
- { path: "{{ neutron_conf_dir }}/rootwrap.d", owner: "root", group: "root" }
|
||||||
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
- { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
|
||||||
- { path: "/var/cache/neutron" }
|
- { path: "/var/cache/neutron" }
|
||||||
|
Loading…
Reference in New Issue
Block a user