Fix ownership and permissions of admin-openrc.sh

Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.

This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Closes-Bug: #1891704

Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
This commit is contained in:
likui 2020-08-06 14:12:44 +08:00 committed by Radosław Piliszek
parent a90aa3e443
commit 16f97867a3
2 changed files with 23 additions and 2 deletions

View File

@ -1,10 +1,12 @@
--- ---
- name: Creating admin openrc file on the deploy node - name: Creating admin openrc file on the deploy node
hosts: localhost hosts: localhost
become: true
tasks: tasks:
- name: Template out admin-openrc.sh - name: Template out admin-openrc.sh
become: true
template: template:
src: "roles/common/templates/admin-openrc.sh.j2" src: "roles/common/templates/admin-openrc.sh.j2"
dest: "{{ node_config }}/admin-openrc.sh" dest: "{{ node_config }}/admin-openrc.sh"
run_once: True owner: "{{ ansible_user_uid }}"
group: "{{ ansible_user_gid }}"
mode: 0600

View File

@ -0,0 +1,19 @@
---
security:
- |
The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
previously created with ``root:root`` ownership and ``644`` permissions.
This would allow anyone with access to the same directory to read the file,
including the admin credentials. The ownership of ``admin-openrc.sh`` is
now set to the user executing ``kolla-ansible``, and the file is assigned a
mode of ``600``. This change can be applied by running ``kolla-ansible
post-deploy``.
fixes:
- |
The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
previously created with ``root:root`` ownership and ``644`` permissions.
This would allow anyone with access to the same directory to read the file,
including the admin credentials. The ownership of ``admin-openrc.sh`` is
now set to the user executing ``kolla-ansible``, and the file is assigned a
mode of ``600``. This change can be applied by running ``kolla-ansible
post-deploy``.