Improve permissions around Kolla configuration.

Make ansible_user own files so we don't need to be root. Files no longer world readable.
2017-03-16 10:55:50 +00:00 · 2017-03-16 10:55:50 +00:00 · 4652c29706
commit 4652c29706
parent d16eaf1502
8 changed files with 57 additions and 43 deletions
--- a/ansible/roles/kolla-ansible/tasks/config.yml
+++ b/ansible/roles/kolla-ansible/tasks/config.yml
@ -3,7 +3,9 @@
  file:
    path: "{{ item }}"
    state: directory
-    mode: 0755
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0750
  become: True
  with_items:
    - "{{ kolla_config_path }}"
@ -14,8 +16,7 @@
  template:
    src: "{{ item.src }}"
    dest: "{{ kolla_config_path }}/{{ item.dest }}"
-    mode: 0644
-  become: True
+    mode: 0640
  with_items:
    - { src: seed.j2, dest: inventory/seed }
    - { src: overcloud.j2, dest: inventory/overcloud }
@ -29,9 +30,9 @@
 - name: Generate Kolla passwords
  shell: >
    cp {{ kolla_ansible_install_dir }}/etc_examples/kolla/passwords.yml {{ kolla_config_path }}/passwords.yml.generated
+    && chmod 640 {{ kolla_config_path }}/passwords.yml.generated
    && {{ kolla_venv }}/bin/kolla-genpwd -p {{ kolla_config_path }}/passwords.yml.generated
    && mv {{ kolla_config_path }}/passwords.yml.generated {{ kolla_config_path }}/passwords.yml
-  become: True
  when: not kolla_passwords_stat.stat.exists

 - name: Read the Kolla passwords file
@ -44,5 +45,4 @@
  copy:
    content: "{{ passwords_result.content | b64decode | from_yaml | combine(kolla_ansible_custom_passwords) | to_nice_yaml }}"
    dest: "{{ kolla_config_path }}/passwords.yml"
-  become: True
  when: "{{ kolla_ansible_custom_passwords }}"
--- a/ansible/roles/kolla-ansible/tasks/install.yml
+++ b/ansible/roles/kolla-ansible/tasks/install.yml
@ -13,13 +13,15 @@
    - python-pip
    - python-virtualenv

- name: Ensure the latest version of pip is installed
-  pip:
-    name: "{{ item.name }}"
-    state: latest
-    virtualenv: "{{ kolla_venv }}"
-  with_items:
-    - { name: pip }
+- name: Ensure source code checkout path exists
+  file:
+    path: "{{ source_checkout_path }}"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    recurse: True
+  become: True
+  when: "{{ kolla_ctl_install_type == 'source' }}"

 - name: Ensure Kolla Ansible source code checkout exists
  git:
@ -28,6 +30,14 @@
    version: "{{ kolla_ansible_source_version }}"
  when: "{{ kolla_ctl_install_type == 'source' }}"

+- name: Ensure the latest version of pip is installed
+  pip:
+    name: "{{ item.name }}"
+    state: latest
+    virtualenv: "{{ kolla_venv }}"
+  with_items:
+    - { name: pip }
+
 - name: Ensure required Python packages are installed
  pip:
    name: "{{ item.name }}"
--- a/ansible/roles/kolla-bifrost/tasks/config.yml
+++ b/ansible/roles/kolla-bifrost/tasks/config.yml
@ -3,15 +3,13 @@
  file:
    path: "{{ kolla_node_custom_config_path }}/bifrost"
    state: directory
-    mode: 0755
-  become: True
+    mode: 0750

 - name: Ensure the Kolla Bifrost configuration files exist
  template:
    src: "{{ item.src }}"
    dest: "{{ kolla_node_custom_config_path }}/bifrost/{{ item.dest }}"
-    mode: 0644
-  become: True
+    mode: 0640
  with_items:
    - { src: bifrost.yml.j2, dest: bifrost.yml }
    - { src: dib.yml.j2, dest: dib.yml }
--- a/ansible/roles/kolla-bifrost/tasks/install.yml
+++ b/ansible/roles/kolla-bifrost/tasks/install.yml
@ -12,6 +12,21 @@
    - python-pip
    - python-virtualenv

+- name: Ensure source code checkout path exists
+  file:
+    path: "{{ source_checkout_path }}"
+    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    recurse: True
+  become: True
+
+- name: Ensure Bifrost source code checkout exists
+  git:
+    repo: "{{ kolla_bifrost_source_url }}"
+    dest: "{{ source_checkout_path }}/bifrost"
+    version: "{{ kolla_bifrost_source_version }}"
+
 - name: Ensure the latest version of pip is installed
  pip:
    name: "{{ item.name }}"
@ -20,18 +35,6 @@
  with_items:
    - { name: pip }

- name: Ensure source code checkout path exists
-  file:
-    path: "{{ source_checkout_path }}"
-    state: directory
-    recurse: True
-
- name: Ensure Bifrost source code checkout exists
-  git:
-    repo: "{{ kolla_bifrost_source_url }}"
-    dest: "{{ source_checkout_path }}/bifrost"
-    version: "{{ kolla_bifrost_source_version }}"
-
 - name: Ensure required Python packages are installed
  pip:
    name: "{{ item.name }}"
--- a/ansible/roles/kolla-build/tasks/main.yml
+++ b/ansible/roles/kolla-build/tasks/main.yml
@ -4,7 +4,6 @@
    src: "{{ item.src }}"
    dest: "{{ kolla_config_path }}/{{ item.dest }}"
    mode: 0644
-  become: True
  with_items:
    - { src: kolla-build.conf.j2, dest: kolla-build.conf }
    - { src: template-override.j2.j2, dest: template-override.j2 }
--- a/ansible/roles/kolla-openstack/tasks/config.yml
+++ b/ansible/roles/kolla-openstack/tasks/config.yml
@ -3,8 +3,7 @@
  file:
    path: "{{ kolla_node_custom_config_path }}/{{ item.name }}"
    state: directory
-    mode: 0755
-  become: True
+    mode: 0750
  with_items:
    - { name: ironic, enabled: "{{ kolla_enable_ironic }}" }
    - { name: swift, enabled: "{{ kolla_enable_swift }}" }
@ -14,8 +13,7 @@
  template:
    src: "{{ item.src }}"
    dest: "{{ kolla_node_custom_config_path }}/{{ item.dest }}"
-    mode: 0644
-  become: True
+    mode: 0640
  with_items:
    - { src: glance.conf.j2, dest: glance.conf, enabled: "{{ kolla_enable_glance }}" }
    - { src: ironic.conf.j2, dest: ironic.conf, enabled: "{{ kolla_enable_ironic }}" }
@ -28,7 +26,7 @@
  get_url:
    url: "{{ item.url }}"
    dest: "{{ kolla_node_custom_config_path }}/ironic/{{ item.dest }}"
-  become: True
+    mode: 0640
  with_items:
    - { url: "{{ kolla_inspector_ipa_kernel_upstream_url }}", dest: "ironic-agent.kernel" }
    - { url: "{{ kolla_inspector_ipa_ramdisk_upstream_url }}", dest: "ironic-agent.initramfs" }
--- a/ansible/roles/kolla/tasks/config.yml
+++ b/ansible/roles/kolla/tasks/config.yml
@ -3,7 +3,9 @@
  file:
    path: "{{ item }}"
    state: directory
-    mode: 0755
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
+    mode: 0750
  become: True
  with_items:
    - "{{ kolla_config_path }}"
--- a/ansible/roles/kolla/tasks/install.yml
+++ b/ansible/roles/kolla/tasks/install.yml
@ -12,19 +12,15 @@
    - python-pip
    - python-virtualenv

- name: Ensure the latest version of pip is installed
-  pip:
-    name: "{{ item.name }}"
-    state: latest
-    virtualenv: "{{ kolla_venv }}"
-  with_items:
-    - { name: pip }
-
 - name: Ensure source code checkout path exists
  file:
    path: "{{ source_checkout_path }}"
    state: directory
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"
    recurse: True
+  become: True
+  when: "{{ kolla_ctl_install_type == 'source' }}"

 - name: Ensure Kolla source code checkout exists
  git:
@ -33,6 +29,14 @@
    version: "{{ kolla_source_version }}"
  when: "{{ kolla_ctl_install_type == 'source' }}"

+- name: Ensure the latest version of pip is installed
+  pip:
+    name: "{{ item.name }}"
+    state: latest
+    virtualenv: "{{ kolla_venv }}"
+  with_items:
+    - { name: pip }
+
 - name: Ensure required Python packages are installed
  pip:
    name: "{{ item.name }}"