From b48c3bc49b154020a83888d57d90339f8206dea7 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 24 Apr 2013 01:55:27 +0000
Subject: [PATCH] Update launch docs for salt permissions.

* launch/README: Mention adding yourself to the salt group.
* modules/salt/manifests/master.pp: Loosen directory permissions minimally as needed for salt group members to be able to run the launch script without being root.
Change-Id: I4e462fe2efabe2200a635c79e4b7a1314bf174a3
Reviewed-on: https://review.openstack.org/27562
Reviewed-by: Jesse Keating
Reviewed-by: Clark Boylan
Reviewed-by: Monty Taylor
Approved: James E. Blair
Reviewed-by: James E. Blair
Tested-by: Jenkins
---
 launch/README | 5 +++--
 modules/salt/manifests/master.pp | 38 +++++++++++++++++++++++++++-----
 2 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/launch/README b/launch/README
index 16119d7c1f..773d154691 100644
--- a/launch/README
+++ b/launch/README
@@ -3,10 +3,11 @@ Create Server
 Note that these instructions assume you're working from this directory on an updated local clone of the repository, and that
-your account is a member of the puppet group for access to the
-puppet keys::
+your account is a member of the puppet and salt groups for access
+to their respective keys::
 sudo adduser YOURUSER puppet
+ sudo adduser YOURUSER salt
 (Remember to log out and back into your shell if you add yourself to a group.)
diff --git a/modules/salt/manifests/master.pp b/modules/salt/manifests/master.pp
index 15fae7178f..3a4c6b7af2 100644
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@@ -31,11 +31,12 @@ class salt::master {
 }
 
 user { 'salt':
- ensure => present,
- gid => 'salt',
- home => '/home/salt',
- shell => '/bin/bash',
- system => true,
+ ensure => present,
+ gid => 'salt',
+ home => '/home/salt',
+ shell => '/bin/bash',
+ system => true,
+ require => Group['salt'],
 }
 
 file { '/home/salt':
@@ -56,6 +57,33 @@ class salt::master {
 require => Package['salt-master'],
 }
 
+ file { '/etc/salt/pki':
+ ensure => directory,
+ owner => 'salt',
+ group => 'salt',
+ mode => '0710',
+ require => [
+ Package['salt-master'],
+ User['salt'],
+ ],
+ }
+
+ file { '/etc/salt/pki/master':
+ ensure => directory,
+ owner => 'salt',
+ group => 'salt',
+ mode => '0770',
+ require => File['/etc/salt/pki'],
+ }
+
+ file { '/etc/salt/pki/master/minions':
+ ensure => directory,
+ owner => 'salt',
+ group => 'salt',
+ mode => '0775',
+ require => File['/etc/salt/pki/master'],
+ }
+
 service { 'salt-master':
 ensure => running,
 enable => true,
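Review bot: The `mode => '0770'` on `/etc/salt/pki/master` gives every member of the salt group write access to the directory that, in a default salt-master layout, also holds the master key pair, so a group member can rename or replace those files whatever the files' own modes are. If the launch script only needs to add minion keys under `minions` (not visible in this diff, so worth confirming), `mode => '0750'` on `/etc/salt/pki/master` would keep traversal and confine group writes to the `minions` directory. The `0775` on `minions` also sets other-bits that are unreachable only because of the `0710`/`0770` parents; `mode => '0770'` would not depend on that. A comment above these resources such as `# salt group members can pre-seed accepted minion keys; treat membership as salt-master admin access` would record the trust decision. The `service` resource and the rest of the class continue outside the hunk.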