From d5c08266a7b8e8ee4c3f7da445114428976dea9c Mon Sep 17 00:00:00 2001 From: John Fulton Date: Tue, 8 Jun 2021 13:57:29 -0400 Subject: [PATCH] Change default permission for cephx keyring files When we create cephx keys on the undercloud and copy them to overcloud ceph clients, ensure that they have permission mode 600. Change-Id: Ifd9f6d4f6807d865d9b0e5e7a51018962ed2d85d --- .../roles/tripleo_ceph_client/tasks/create_keys.yml | 5 +---- tripleo_ansible/roles/tripleo_ceph_client/tasks/sync.yml | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/tripleo_ansible/roles/tripleo_ceph_client/tasks/create_keys.yml b/tripleo_ansible/roles/tripleo_ceph_client/tasks/create_keys.yml index e422d508b..c19f7ec93 100644 --- a/tripleo_ansible/roles/tripleo_ceph_client/tasks/create_keys.yml +++ b/tripleo_ansible/roles/tripleo_ceph_client/tasks/create_keys.yml @@ -15,12 +15,9 @@ # under the License. - name: create cephx key(s) - become: true template: src: templates/ceph_key.j2 dest: "{{ tripleo_ceph_client_fetch_dir }}/{{ tripleo_ceph_client_cluster | default('ceph') }}.{{ item.name }}.keyring" - group: root - owner: root - mode: 0644 + mode: 0600 force: true loop: "{{ ceph_keys| default([]) }}" diff --git a/tripleo_ansible/roles/tripleo_ceph_client/tasks/sync.yml b/tripleo_ansible/roles/tripleo_ceph_client/tasks/sync.yml index d6a1eead0..fe0430028 100644 --- a/tripleo_ansible/roles/tripleo_ceph_client/tasks/sync.yml +++ b/tripleo_ansible/roles/tripleo_ceph_client/tasks/sync.yml @@ -55,5 +55,6 @@ copy: src: "{{ item[0] }}" dest: "{{ tripleo_ceph_client_config_home }}/{{ item[0] | basename }}" + mode: "{{ '600' if item[0] | regex_search('.*.keyring$') else '644' }}" delegate_to: "{{ item[1] }}" loop: "{{ tripleo_ceph_client_dist }}"
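Review bot: The `create cephx key(s)` task loops over `ceph_keys` without `no_log: true`, so Ansible prints each loop item in the task output. If those items carry the cephx secret that `ceph_key.j2` renders (the template is not shown here), the key still reaches the deployment logs whatever mode the file has; adding `no_log: true` to the task would close that. Separately, `mode: 0600` is an unquoted scalar that works only because a YAML 1.1 loader reads it as octal; `mode: '0600'` is the form the Ansible documentation recommends.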
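Review bot: In the added `mode:` line of sync.yml the pattern `.*.keyring$` leaves the dot before `keyring` unescaped, so it matches any character there, and the leading `.*` adds nothing under `regex_search`. A plain suffix test says what is meant: `mode: "{{ '600' if item[0].endswith('.keyring') else '644' }}"`. The expression also falls back to 644 for every name that does not match, so a secret file with another suffix in `tripleo_ceph_client_dist` would stay world-readable. Defaulting to 600 and granting 644 only to names known to be public would fail closed. The copy task starts above the hunk, so its `owner`, `group` and `become` settings are not visible here.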