Fix ownership and permissions of admin-openrc.sh
Previously the post-deploy.yml playbook was executed with become: true, and the admin-openrc.sh file templated without an owner or mode specified. This resulted in admin-openrc.sh being owned by root with 644 permissions. This change creates the file without become: true, and explicitly sets the owner to the user executing Ansible, and the mode to 600. Co-Authored-By: Mark Goddard <mark@stackhpc.com> Closes-Bug: #1891704 Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
This commit is contained in:
parent
a90aa3e443
commit
16f97867a3
@ -1,10 +1,12 @@
|
|||||||
---
|
---
|
||||||
- name: Creating admin openrc file on the deploy node
|
- name: Creating admin openrc file on the deploy node
|
||||||
hosts: localhost
|
hosts: localhost
|
||||||
become: true
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Template out admin-openrc.sh
|
- name: Template out admin-openrc.sh
|
||||||
|
become: true
|
||||||
template:
|
template:
|
||||||
src: "roles/common/templates/admin-openrc.sh.j2"
|
src: "roles/common/templates/admin-openrc.sh.j2"
|
||||||
dest: "{{ node_config }}/admin-openrc.sh"
|
dest: "{{ node_config }}/admin-openrc.sh"
|
||||||
run_once: True
|
owner: "{{ ansible_user_uid }}"
|
||||||
|
group: "{{ ansible_user_gid }}"
|
||||||
|
mode: 0600
|
||||||
|
@ -0,0 +1,19 @@
|
|||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
|
||||||
|
previously created with ``root:root`` ownership and ``644`` permissions.
|
||||||
|
This would allow anyone with access to the same directory to read the file,
|
||||||
|
including the admin credentials. The ownership of ``admin-openrc.sh`` is
|
||||||
|
now set to the user executing ``kolla-ansible``, and the file is assigned a
|
||||||
|
mode of ``600``. This change can be applied by running ``kolla-ansible
|
||||||
|
post-deploy``.
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
|
||||||
|
previously created with ``root:root`` ownership and ``644`` permissions.
|
||||||
|
This would allow anyone with access to the same directory to read the file,
|
||||||
|
including the admin credentials. The ownership of ``admin-openrc.sh`` is
|
||||||
|
now set to the user executing ``kolla-ansible``, and the file is assigned a
|
||||||
|
mode of ``600``. This change can be applied by running ``kolla-ansible
|
||||||
|
post-deploy``.
|
Loading…
Reference in New Issue
Block a user