Restricting access to fernet keys folder

Leaving access to fernet dir for owner only. This improves security and resolves 'fernet dir is world-readable' warning. Change-Id: I463a56d41697b8c4c1454758267e906665187b15
2017-02-28 10:43:53 +00:00 · 2017-02-28 10:43:53 +00:00 · a797cce765
parent be6b501f26
commit a797cce765
1 changed files with 6 additions and 4 deletions
--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@ -29,11 +29,12 @@ service:
          command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
        - name: chown-fernet-dir
          command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
-        - name: remove-fernet-dir-sticky-bit
-          command: /bin/chmod -t /etc/keystone/fernet-keys
-        - name: generate-fernet-keys
+        - name: fernet-dir-permissions
+          command: "/bin/chmod 0700 /etc/keystone/fernet-keys"
+          dependencies:
+            - chown-fernet-dir
+        - name: keystone-generate-fernet-keys
          command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
-          image: keystone
          type: single
          files:
            - fernet-manage
@ -61,6 +62,7 @@ service:
            - keystone-conf
          dependencies:
            - keystone-db-sync
+            - keystone-generate-fernet-keys
          type: single
          command: keystone-manage bootstrap
                   --bootstrap-password {{ openstack.user_password }}