set 0600 permissions on fernet keys & folder
Fernet keys and the fernet key folder should be managed with permissions 0600 to better protect the keys. The same applies to the credentials folder and the credentials themselves. Change-Id: I42b868d27582d1edec22fd93cb1c86f489e144a2
This commit is contained in:
parent
94529b345f
commit
5ceee03113
@ -1129,6 +1129,7 @@ running as a standalone service, or httpd for being run by a httpd server")
|
||||
ensure => 'directory',
|
||||
owner => $keystone_user,
|
||||
group => $keystone_group,
|
||||
mode => '0600',
|
||||
subscribe => Anchor['keystone::install::end'],
|
||||
})
|
||||
|
||||
@ -1137,6 +1138,7 @@ running as a standalone service, or httpd for being run by a httpd server")
|
||||
create_resources('file', $fernet_keys, {
|
||||
'owner' => $keystone_user,
|
||||
'group' => $keystone_group,
|
||||
'mode' => '0600',
|
||||
'subscribe' => 'Anchor[keystone::install::end]',
|
||||
}
|
||||
)
|
||||
@ -1162,6 +1164,7 @@ running as a standalone service, or httpd for being run by a httpd server")
|
||||
ensure => 'directory',
|
||||
owner => $keystone_user,
|
||||
group => $keystone_group,
|
||||
mode => '0600',
|
||||
subscribe => Anchor['keystone::install::end'],
|
||||
})
|
||||
|
||||
@ -1170,6 +1173,7 @@ running as a standalone service, or httpd for being run by a httpd server")
|
||||
create_resources('file', $credential_keys, {
|
||||
'owner' => $keystone_user,
|
||||
'group' => $keystone_group,
|
||||
'mode' => '0600',
|
||||
'subscribe' => 'Anchor[keystone::install::end]',
|
||||
}
|
||||
)
|
||||
|
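Review bot: `mode => '0600'` on the two `ensure => 'directory'` resources (the fernet key repository hunk at -1129 and the credential key repository hunk at -1162) omits the search (execute) bit, so read literally that mode would stop the keystone user from opening any file inside those directories; the key files themselves in the -1137 and -1170 hunks are correctly 0600. If I read Puppet's file-type semantics correctly, a numeric read bit on a directory is promoted to a search bit, so what lands on disk is most likely 0700, but then the manifest states a mode that differs from the applied one, which misleads anyone auditing key permissions against the code. Writing the intent explicitly with `mode => '0700',` on both directory resources removes that dependence on Puppet's promotion rule. The enclosing `file { ... }` resources start outside the hunks, so which resource each hunk belongs to is inferred from the surrounding context.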
@ -0,0 +1,5 @@
|
||||
---
|
||||
security:
|
||||
- Make the fernet key directory, fernet keys, credential
|
||||
folder, and credentials have mode 0600. This ensures
|
||||
that only the keystone user can read the keys.
|
@ -907,6 +907,7 @@ describe 'keystone' do
|
||||
:ensure => 'directory',
|
||||
:owner => params['keystone_user'],
|
||||
:group => params['keystone_group'],
|
||||
'mode' => '0600',
|
||||
) }
|
||||
|
||||
it { is_expected.to contain_exec('keystone-manage credential_setup').with(
|
||||
@ -1004,6 +1005,7 @@ describe 'keystone' do
|
||||
:ensure => 'directory',
|
||||
:owner => params['keystone_user'],
|
||||
:group => params['keystone_group'],
|
||||
:mode => '0600',
|
||||
) }
|
||||
|
||||
it { is_expected.to contain_exec('keystone-manage fernet_setup').with(
|
||||
@ -1069,12 +1071,14 @@ describe 'keystone' do
|
||||
'content' => 't-WdduhORSqoyAykuqWAQSYjg2rSRuJYySgI2xh48CI=',
|
||||
'owner' => 'keystone',
|
||||
'owner' => 'keystone',
|
||||
'mode' => '0600',
|
||||
'subscribe' => 'Anchor[keystone::install::end]',
|
||||
)}
|
||||
it { is_expected.to contain_file('/etc/keystone/fernet-keys/1').with(
|
||||
'content' => 'GLlnyygEVJP4-H2OMwClXn3sdSQUZsM5F194139Unv8=',
|
||||
'owner' => 'keystone',
|
||||
'owner' => 'keystone',
|
||||
'mode' => '0600',
|
||||
'subscribe' => 'Anchor[keystone::install::end]',
|
||||
)}
|
||||
end
|
||||
|
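Review bot: In the -1069 hunk both fernet key `contain_file` expectations (the second is `/etc/keystone/fernet-keys/1`) carry `'owner' => 'keystone'` twice, so the second entry overwrites the first, Ruby warns about the duplicated literal hash key, and the group of the key files is never asserted; the second of the two lines should read `'group' => 'keystone',` next to the newly added `'mode' => '0600',`. The duplicated keys predate this change, but this is the commit adding permission assertions to those hashes, so correcting them here keeps the new assertion meaningful. In the -907 hunk the added key is the string `'mode'` while its siblings are symbols (`:ensure`, `:owner`, `:group`); the -1004 hunk already uses `:mode => '0600',`, and the first hunk should match it. The `it { ... }` expectation for the first key file starts before the -1069 hunk, so its title is inferred.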