Make sure storage server config files are not world-readable

... instead of vaguely rely on the umask. Change-Id: I685888c8368cea53c225c103c62e5147db2ee28b
2024-04-22 21:21:45 +09:00 · 2024-04-22 21:21:45 +09:00 · 003f4fe6ea
commit 003f4fe6ea
parent 3af1a20fe0
2 changed files with 30 additions and 6 deletions
--- a/manifests/storage/server.pp
+++ b/manifests/storage/server.pp
@ -420,12 +420,12 @@ define swift::storage::server(
      %>"), ',')

  file { $config_file_full_path:
-    ensure  => present,
-    owner   => pick($owner, $::swift::params::user),
-    group   => pick($group, $::swift::params::group),
-    replace => false,
-    tag     => 'swift-config-file',
-    before  => $required_middlewares,
+    ensure => present,
+    owner  => pick($owner, $::swift::params::user),
+    group  => pick($group, $::swift::params::group),
+    mode   => '0640',
+    tag    => 'swift-config-file',
+    before => $required_middlewares,
  }

  resources { "swift_${type}_config":
--- a/spec/defines/swift_storage_server_spec.rb
+++ b/spec/defines/swift_storage_server_spec.rb
@ -57,6 +57,14 @@ describe 'swift::storage::server' do
        :read_only       => false,
      )}

+      it { is_expected.to contain_file('/etc/swift/account-server.conf').with(
+        :ensure => 'present',
+        :owner  => 'swift',
+        :group  => 'swift',
+        :mode   => '0640',
+        :tag    => 'swift-config-file'
+      )}
+
      it {
        is_expected.to contain_swift_account_config('DEFAULT/devices').with_value('/srv/node')
        is_expected.to contain_swift_account_config('DEFAULT/bind_ip').with_value('10.0.0.1')
@ -232,6 +240,14 @@ describe 'swift::storage::server' do
        :read_only       => false,
      )}

+      it { is_expected.to contain_file('/etc/swift/container-server.conf').with(
+        :ensure => 'present',
+        :owner  => 'swift',
+        :group  => 'swift',
+        :mode   => '0640',
+        :tag    => 'swift-config-file'
+      )}
+
      it {
        is_expected.to contain_swift_container_config('DEFAULT/devices').with_value('/srv/node')
        is_expected.to contain_swift_container_config('DEFAULT/bind_ip').with_value('10.0.0.1')
@ -418,6 +434,14 @@ describe 'swift::storage::server' do
        :read_only       => false,
      )}

+      it { is_expected.to contain_file('/etc/swift/object-server.conf').with(
+        :ensure => 'present',
+        :owner  => 'swift',
+        :group  => 'swift',
+        :mode   => '0640',
+        :tag    => 'swift-config-file'
+      )}
+
      it {
        is_expected.to contain_swift_object_config('DEFAULT/devices').with_value('/srv/node')
        is_expected.to contain_swift_object_config('DEFAULT/bind_ip').with_value('10.0.0.1')