From 5ceee03113baae17fc2cfeae073a7a44f63f11b3 Mon Sep 17 00:00:00 2001
From: Matt Fischer
Date: Tue, 4 Oct 2016 22:29:02 -0600
Subject: [PATCH] set 0600 permissions on fernet keys & folder

Fernet keys and the fernet key folder should be managed with permissions 0600 for more security on the keys. Same for the credentials folder and credentials.

Change-Id: I42b868d27582d1edec22fd93cb1c86f489e144a2
---
 manifests/init.pp | 4 ++++
 .../permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml | 5 +++++
 spec/classes/keystone_spec.rb | 4 ++++
 3 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index d4eead320..05bd9afc4 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -1129,6 +1129,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 ensure => 'directory',
 owner => $keystone_user,
 group => $keystone_group,
+ mode => '0600',
 subscribe => Anchor['keystone::install::end'],
 })
@@ -1137,6 +1138,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 create_resources('file', $fernet_keys, {
 'owner' => $keystone_user,
 'group' => $keystone_group,
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 }
 )
@@ -1162,6 +1164,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 ensure => 'directory',
 owner => $keystone_user,
 group => $keystone_group,
+ mode => '0600',
 subscribe => Anchor['keystone::install::end'],
 })
@@ -1170,6 +1173,7 @@ running as a standalone service, or httpd for being run by a httpd server")
 create_resources('file', $credential_keys, {
 'owner' => $keystone_user,
 'group' => $keystone_group,
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 }
 )
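Review bot: `mode => '0600'` on a resource declared with `ensure => 'directory'` leaves out the search (x) bit the keystone user needs to open files inside the fernet key directory. Puppet documents that for directories it sets the search bit wherever the read bit is set, so what lands on disk is 0700 rather than the 0600 this line and the release note state; it works, but only by relying on that adjustment. Stating the intent directly, `mode => '0700',`, keeps a later reader from "correcting" it to a literal 0600 and makes the release note accurate. The file resource this hunk patches begins before the hunk.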
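Review bot: The new `'mode' => '0600'` default protects the fernet key files from other local users, but these same file resources carry the key bytes in `content` (the spec's fernet-keys/0 expectation shows this), and a Puppet file resource prints a content diff into the agent log and the report whenever the content changes, which copies key material into log aggregation and the report store. Add `'show_diff' => false,` beside the new mode line in the create_resources defaults. Note also that the third argument of create_resources is only a set of defaults, so an entry in `$fernet_keys` that supplies its own `mode` would override 0600 silently; if that must not happen, the mode should be forced on the resource rather than offered as a default.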
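Review bot: The same directory-mode concern applies to the credential key directory here: `mode => '0600'` under `ensure => 'directory'` has no search bit, and only Puppet's documented rule of adding search permission wherever read permission is set on a directory turns it into a usable 0700. Writing `mode => '0700',` states what is actually applied and keeps the manifest honest about the directory versus the 0600 key files it holds. The file resource this hunk patches begins before the hunk.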
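Review bot: As with the fernet keys, tightening the mode on the credential key files does not stop Puppet from logging their `content` as a diff when a key is rotated or first written, so the keys still reach agent logs and reports. Add `'show_diff' => false,` next to the new `'mode' => '0600'` line in these create_resources defaults. Because these are defaults, a per-key entry in `$credential_keys` can still override the mode; keep that in mind if callers are allowed to populate that hash.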
diff --git a/releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml b/releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml
new file mode 100644
index 000000000..97ca79cea
--- /dev/null
+++ b/releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - Make the fernet key directory, fernet keys, credential
+ folder, and credentials have mode 0600. This ensures
+ that only the keystone user can read the keys.
diff --git a/spec/classes/keystone_spec.rb b/spec/classes/keystone_spec.rb
index a372e54c4..79bb0ddbd 100644
--- a/spec/classes/keystone_spec.rb
+++ b/spec/classes/keystone_spec.rb
@@ -907,6 +907,7 @@ describe 'keystone' do
 :ensure => 'directory',
 :owner => params['keystone_user'],
 :group => params['keystone_group'],
+ 'mode' => '0600',
 ) }
 it { is_expected.to contain_exec('keystone-manage credential_setup').with(
@@ -1004,6 +1005,7 @@ describe 'keystone' do
 :ensure => 'directory',
 :owner => params['keystone_user'],
 :group => params['keystone_group'],
+ :mode => '0600',
 ) }
 it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
@@ -1069,12 +1071,14 @@ describe 'keystone' do
 'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
 'owner' => 'keystone',
 'owner' => 'keystone',
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 )}
 it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
 'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
 'owner' => 'keystone',
 'owner' => 'keystone',
+ 'mode' => '0600',
 'subscribe' => 'Anchor[keystone::install::end]',
 )}
 end
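Review bot: The added expectation uses a string key, `'mode' => '0600'`, inside a `.with(` hash whose other keys are symbols (`:ensure`, `:owner`, `:group`), whereas the fernet directory check added further down in this file uses `:mode`. Even if the rspec-puppet matcher accepts both spellings, mixing them in one hash is inconsistent; write `:mode => '0600',` here to match its neighbours. The `it` block this line belongs to starts before the hunk.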
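Review bot: The manifest also gives the credential key files a 0600 default, but the diffstat shows only four spec additions — this directory check, the credential directory check, and the two fernet key files — so nothing asserts the mode on a credential key file. If the file has a contain_file expectation for a credential key (none is visible in this chunk), it should gain `:mode => '0600'` the same way; otherwise one should be added next to this directory check so the credential path is covered too. The `it` block this line belongs to starts before the hunk.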
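Review bot: Both expectations this hunk extends list `'owner' => 'keystone'` twice; Ruby keeps only the last value for a duplicated hash key (and warns about it under -w), so the `group` the manifest sets on these files is never asserted, and the new mode line is being added to a hash that already silently drops a check. Change the second occurrence in each expectation to `'group' => 'keystone',`. The `describe` block closes at the `end` shown in this hunk but starts before it.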