Set restrictive file permissions on Ceph keyrings for non-containerized deployment

Pass mode parameter 0600 and user and group ownership to puppet-ceph for Ceph openstack client keyrings during non-containerized deployment. Author: Keith Schincke <kschinck@redhat.com> Co-Author: John Fulton <fulton@redhat.com> Change-Id: Iccb24f5c2ee639ad2bc0869a37cec305f32b9fd1 Depends-On: I0c1bc3d2362c6500b1a515d99f641f8c1468754a Partial-Bug: #1720787
2017-10-03 00:21:57 +00:00 · 2017-10-03 00:21:57 +00:00 · bdf1ade1b9
commit bdf1ade1b9
parent e1a9638732
1 changed files with 6 additions and 2 deletions
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@ -129,7 +129,9 @@ outputs:
                cap_mon: 'allow profile bootstrap-osd'
              CEPH_CLIENT_KEY:
                secret: {get_param: CephClientKey}
-                mode: '0644'
+                mode: '0640'
+                user: 'ceph'
+                group: 'ceph'
                cap_mon: 'allow r'
                cap_osd:
                  str_replace:
@ -141,7 +143,9 @@ outputs:
                      GLANCE_POOL: {get_param: GlanceRbdPoolName}
                      GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
              MANILA_CLIENT_KEY:
-                mode: '0644'
+                mode: '0640'
+                user: 'ceph'
+                group: 'ceph'
                secret: {get_param: CephManilaClientKey}
                cap_mon: 'allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\"'
                cap_mds: 'allow *'