set 0600 permissions on fernet keys & folder

Fernet keys and the fernet key folder should be managed with permissions
0600 for more security on the keys. Same for the credentials folder and
credentials.

Change-Id: I42b868d27582d1edec22fd93cb1c86f489e144a2

manifests/init.pp

@@ -1129,6 +1129,7 @@ running as a standalone service, or httpd for being run by a httpd server")
       ensure    => 'directory',
       owner     => $keystone_user,
       group     => $keystone_group,
+      mode      => '0600',
       subscribe => Anchor['keystone::install::end'],
     })
 
@@ -1137,6 +1138,7 @@ running as a standalone service, or httpd for being run by a httpd server")
       create_resources('file', $fernet_keys, {
           'owner'     => $keystone_user,
           'group'     => $keystone_group,
+          'mode'      => '0600',
           'subscribe' => 'Anchor[keystone::install::end]',
         }
       )
@@ -1162,6 +1164,7 @@ running as a standalone service, or httpd for being run by a httpd server")
       ensure    => 'directory',
       owner     => $keystone_user,
       group     => $keystone_group,
+      mode      => '0600',
       subscribe => Anchor['keystone::install::end'],
     })
 
@@ -1170,6 +1173,7 @@ running as a standalone service, or httpd for being run by a httpd server")
       create_resources('file', $credential_keys, {
           'owner'     => $keystone_user,
           'group'     => $keystone_group,
+          'mode'      => '0600',
           'subscribe' => 'Anchor[keystone::install::end]',
         }
       )

releasenotes/notes/permissions_on_keys_and_creds-9c0b9f56dfc1fd63.yaml

@@ -0,0 +1,5 @@
+---
+security:
+  - Make the fernet key directory, fernet keys, credential
+    folder, and credentials have mode 0600. This ensures
+    that only the keystone user can read the keys.

spec/classes/keystone_spec.rb

@@ -907,6 +907,7 @@ describe 'keystone' do
         :ensure => 'directory',
         :owner  => params['keystone_user'],
         :group  => params['keystone_group'],
+        'mode'  => '0600',
       ) }
 
       it { is_expected.to contain_exec('keystone-manage credential_setup').with(
@@ -1004,6 +1005,7 @@ describe 'keystone' do
         :ensure => 'directory',
         :owner  => params['keystone_user'],
         :group  => params['keystone_group'],
+        :mode   => '0600',
       ) }
 
       it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
@@ -1069,12 +1071,14 @@ describe 'keystone' do
       'content'   => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
       'owner'     => 'keystone',
       'owner'     => 'keystone',
+      'mode'      => '0600',
       'subscribe' => 'Anchor[keystone::install::end]',
     )}
     it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
       'content'   => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
       'owner'     => 'keystone',
       'owner'     => 'keystone',
+      'mode'      => '0600',
       'subscribe' => 'Anchor[keystone::install::end]',
     )}
   end