Make sure storage server config files are not world-readable

... instead of vaguely rely on the umask. Change-Id: I685888c8368cea53c225c103c62e5147db2ee28b
2024-04-22 21:21:45 +09:00 · 2024-04-22 21:21:45 +09:00 · 375920352a
parent 3af1a20fe0
commit 375920352a
2 changed files with 25 additions and 0 deletions
--- a/manifests/storage/server.pp
+++ b/manifests/storage/server.pp
@ -423,6 +423,7 @@ define swift::storage::server(
    ensure  => present,
    owner   => pick($owner, $::swift::params::user),
    group   => pick($group, $::swift::params::group),
+    mode    => '0640'
    replace => false,
    tag     => 'swift-config-file',
    before  => $required_middlewares,
--- a/spec/defines/swift_storage_server_spec.rb
+++ b/spec/defines/swift_storage_server_spec.rb
@ -57,6 +57,14 @@ describe 'swift::storage::server' do
        :read_only       => false,
      )}

+      it { is_expected.to contain_file('/etc/swift/account-server.conf').with(
+        :ensure => 'present',
+        :owner  => 'swift',
+        :group  => 'swift',
+        :mode   => '0640',
+        :tag    => 'swift-config-file'
+      )}
+
      it {
        is_expected.to contain_swift_account_config('DEFAULT/devices').with_value('/srv/node')
        is_expected.to contain_swift_account_config('DEFAULT/bind_ip').with_value('10.0.0.1')
@ -232,6 +240,14 @@ describe 'swift::storage::server' do
        :read_only       => false,
      )}

+      it { is_expected.to contain_file('/etc/swift/container-server.conf').with(
+        :ensure => 'present',
+        :owner  => 'swift',
+        :group  => 'swift',
+        :mode   => '0640',
+        :tag    => 'swift-config-file'
+      )}
+
      it {
        is_expected.to contain_swift_container_config('DEFAULT/devices').with_value('/srv/node')
        is_expected.to contain_swift_container_config('DEFAULT/bind_ip').with_value('10.0.0.1')
@ -418,6 +434,14 @@ describe 'swift::storage::server' do
        :read_only       => false,
      )}

+      it { is_expected.to contain_file('/etc/swift/object-server.conf').with(
+        :ensure => 'present',
+        :owner  => 'swift',
+        :group  => 'swift',
+        :mode   => '0640',
+        :tag    => 'swift-config-file'
+      )}
+
      it {
        is_expected.to contain_swift_object_config('DEFAULT/devices').with_value('/srv/node')
        is_expected.to contain_swift_object_config('DEFAULT/bind_ip').with_value('10.0.0.1')