From bdf1ade1b9de994c3098fb17cca6dd64b3d14cd5 Mon Sep 17 00:00:00 2001
From: John Fulton
Date: Tue, 3 Oct 2017 00:21:57 +0000
Subject: [PATCH] Set restrictive file permissions on Ceph keyrings for non-containerized deployment

Pass mode parameter 0600 and user and group ownership to puppet-ceph for Ceph openstack client keyrings during non-containerized deployment.

Author: Keith Schincke
Co-Author: John Fulton
Change-Id: Iccb24f5c2ee639ad2bc0869a37cec305f32b9fd1
Depends-On: I0c1bc3d2362c6500b1a515d99f641f8c1468754a
Partial-Bug: #1720787
---
 puppet/services/ceph-base.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml
index 8debf8c74b..2774581a0a 100644
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@@ -129,7 +129,9 @@ outputs:
 cap_mon: 'allow profile bootstrap-osd'
 CEPH_CLIENT_KEY:
 secret: {get_param: CephClientKey}
- mode: '0644'
+ mode: '0640'
+ user: 'ceph'
+ group: 'ceph'
 cap_mon: 'allow r'
 cap_osd:
 str_replace:
@@ -141,7 +143,9 @@ outputs:
 GLANCE_POOL: {get_param: GlanceRbdPoolName}
 GNOCCHI_POOL: {get_param: GnocchiRbdPoolName}
 MANILA_CLIENT_KEY:
- mode: '0644'
+ mode: '0640'
+ user: 'ceph'
+ group: 'ceph'
 secret: {get_param: CephManilaClientKey}
 cap_mon: 'allow r, allow command \"auth del\", allow command \"auth caps\", allow command \"auth get\", allow command \"auth get-or-create\"'
 cap_mds: 'allow *'
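Review bot: The commit message says the keyrings get mode 0600, but both hunks (CEPH_CLIENT_KEY at @@ -129 and MANILA_CLIENT_KEY at @@ -141) set `mode: '0640'` with `user: 'ceph'` / `group: 'ceph'`, so the description and the change disagree on whether the `ceph` group is meant to have read access. Either the message should be corrected to say 0640 and explain that group read is intentional, or the value should become `mode: '0600'` if only the owner is supposed to read the keyring. If the OpenStack services that consume these client keyrings (e.g. the Glance and Manila processes the pool names and cap strings refer to) run under their own service accounts rather than `ceph`, a ceph:ceph 0640 file would be unreadable to them unless those accounts are members of the `ceph` group; worth confirming against how puppet-ceph applies the new `user` and `group` keys before merging. The enclosing `outputs:` mapping starts and ends outside both hunks.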