From 911919e5a5fca9bd1f8fe67f66aad51cf899822b Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <tkajinam@redhat.com>
Date: Thu, 20 Oct 2022 11:08:56 +0900
Subject: [PATCH] Restrict access to the mount base directory

The swift processes does not require write access to the mount base
directory (which is usually /srv/node), thus the directory can be owned
by root. This is more consistent with the current installation guide
of Swift.

Change-Id: I6da122c569e7a66a1933b7483fb8cf68a40dd94f
---
 manifests/storage/disk.pp     | 4 ++--
 manifests/storage/loopback.pp | 4 ++--
 manifests/storage/xfs.pp      | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/manifests/storage/disk.pp b/manifests/storage/disk.pp
index 4e24f2b6..c2ad37a7 100644
--- a/manifests/storage/disk.pp
+++ b/manifests/storage/disk.pp
@@ -75,8 +75,8 @@ define swift::storage::disk(
   if(!defined(File[$mnt_base_dir])) {
     file { $mnt_base_dir:
       ensure  => directory,
-      owner   => $::swift::params::user,
-      group   => $::swift::params::group,
+      owner   => 'root',
+      group   => 'root',
       require => Anchor['swift::config::begin'],
       before  => Anchor['swift::config::end'],
     }
diff --git a/manifests/storage/loopback.pp b/manifests/storage/loopback.pp
index 8d16822b..42496946 100644
--- a/manifests/storage/loopback.pp
+++ b/manifests/storage/loopback.pp
@@ -52,8 +52,8 @@ define swift::storage::loopback(
   if(!defined(File[$mnt_base_dir])) {
     file { $mnt_base_dir:
       ensure  => directory,
-      owner   => $::swift::params::user,
-      group   => $::swift::params::group,
+      owner   => 'root',
+      group   => 'root',
       require => Anchor['swift::config::begin'],
       before  => Anchor['swift::config::end'],
     }
diff --git a/manifests/storage/xfs.pp b/manifests/storage/xfs.pp
index 718dd7e6..a7252909 100644
--- a/manifests/storage/xfs.pp
+++ b/manifests/storage/xfs.pp
@@ -76,8 +76,8 @@ define swift::storage::xfs(
   if(!defined(File[$mnt_base_dir])) {
     file { $mnt_base_dir:
       ensure  => directory,
-      owner   => $::swift::params::user,
-      group   => $::swift::params::group,
+      owner   => 'root',
+      group   => 'root',
       require => Anchor['swift::config::begin'],
       before  => Anchor['swift::config::end'],
     }