Merge "Do not make password files world-readable"

2022-01-18 10:36:42 +00:00 · 2022-01-18 10:36:42 +00:00 · ee34a65cf7
commit ee34a65cf7
parent cddc76d68a 786f8e10eb
3 changed files with 16 additions and 0 deletions
--- a/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/bootstrap.yml
@ -148,6 +148,9 @@
    crypt_scheme: bcrypt
    name: "{{ admin_username }}"
    password: "{{ admin_password }}"
+    owner: ironic
+    group: ironic
+    mode: 0600
  when:
    - not enable_keystone | bool

@ -157,6 +160,9 @@
    crypt_scheme: bcrypt
    name: "{{ default_username }}"
    password: "{{ default_password }}"
+    owner: ironic
+    group: ironic
+    mode: 0600
  when:
    - not noauth_mode | bool
    - not enable_keystone | bool
--- a/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
+++ b/playbooks/roles/bifrost-ironic-install/tasks/inspector_bootstrap.yml
@ -78,6 +78,9 @@
    crypt_scheme: bcrypt
    name: "{{ admin_username }}"
    password: "{{ admin_password }}"
+    owner: ironic
+    group: ironic
+    mode: 0600
  when:
    - not noauth_mode | bool
    - not enable_keystone | bool
@ -88,6 +91,9 @@
    crypt_scheme: bcrypt
    name: "{{ default_username }}"
    password: "{{ default_password }}"
+    owner: ironic
+    group: ironic
+    mode: 0600
  when:
    - not noauth_mode | bool
    - not enable_keystone | bool
--- a/releasenotes/notes/htpasswd-perm-7754c0be7cc676e1.yaml
+++ b/releasenotes/notes/htpasswd-perm-7754c0be7cc676e1.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Password files (``htpasswd``) are no longer world-readable.