Update launch docs for salt permissions.

* launch/README: Mention adding yourself to the salt group. * modules/salt/manifests/master.pp: Loosen directory permissions minimally as needed for salt group members to be able to run the launch script without being root. Change-Id: I4e462fe2efabe2200a635c79e4b7a1314bf174a3 Reviewed-on: https://review.openstack.org/27562 Reviewed-by: Jesse Keating <jesse.keating@rackspace.com> Reviewed-by: Clark Boylan <clark.boylan@gmail.com> Reviewed-by: Monty Taylor <mordred@inaugust.com> Approved: James E. Blair <corvus@inaugust.com> Reviewed-by: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2013-04-24 01:55:27 +00:00 · 2013-04-24 01:55:27 +00:00 · b48c3bc49b
commit b48c3bc49b
parent 45725e67ff
2 changed files with 36 additions and 7 deletions
--- a/launch/README
+++ b/launch/README
@ -3,10 +3,11 @@ Create Server

 Note that these instructions assume you're working from this
 directory on an updated local clone of the repository, and that
-your account is a member of the puppet group for access to the
-puppet keys::
+your account is a member of the puppet and salt groups for access
+to their respective keys::

  sudo adduser YOURUSER puppet
+  sudo adduser YOURUSER salt

 (Remember to log out and back into your shell if you add yourself
 to a group.)
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@ -36,6 +36,7 @@ class salt::master {
    home    => '/home/salt',
    shell   => '/bin/bash',
    system  => true,
+    require => Group['salt'],
  }

  file { '/home/salt':
@ -56,6 +57,33 @@ class salt::master {
    require => Package['salt-master'],
  }

+  file { '/etc/salt/pki':
+    ensure  => directory,
+    owner   => 'salt',
+    group   => 'salt',
+    mode    => '0710',
+    require => [
+      Package['salt-master'],
+      User['salt'],
+    ],
+  }
+
+  file { '/etc/salt/pki/master':
+    ensure  => directory,
+    owner   => 'salt',
+    group   => 'salt',
+    mode    => '0770',
+    require => File['/etc/salt/pki'],
+  }
+
+  file { '/etc/salt/pki/master/minions':
+    ensure  => directory,
+    owner   => 'salt',
+    group   => 'salt',
+    mode    => '0775',
+    require => File['/etc/salt/pki/master'],
+  }
+
  service { 'salt-master':
    ensure    => running,
    enable    => true,