Implementing stricter permissions on config files

The security guide suggests that all OpenStack service config files
should be owned by root and in the service user group with 0640 permissions.

http://docs.openstack.org/security-guide/block-storage/checklist.html#check-block-01-is-user-group-ownership-of-config-files-set-to-root-cinder

Change-Id: Ic175909c24bbc1f5a7d8e521d880e1a63afa887b

.gitignore

@@ -62,6 +62,7 @@ releasenotes/build
 
 # Test temp files
 tests/common
+tests/playbooks
 tests/*.retry
 
 # Vagrant artifacts

tasks/cinder_post_install.yml

@@ -17,9 +17,9 @@
   config_template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: "{{ item.owner|default(cinder_system_user_name) }}"
+    owner: "root"
     group: "{{ item.group|default(cinder_system_group_name) }}"
-    mode: "0644"
+    mode: "0640"
     config_overrides: "{{ item.config_overrides }}"
     config_type: "{{ item.config_type }}"
   with_items:
@@ -33,8 +33,6 @@
       config_type: "ini"
     - src: "rootwrap.conf.j2"
       dest: "/etc/cinder/rootwrap.conf"
-      owner: "root"
-      group: "root"
       config_overrides: "{{ cinder_rootwrap_conf_overrides }}"
       config_type: "ini"
     - src: "policy.json.j2"

tasks/cinder_pre_install.yml

@@ -40,7 +40,7 @@
     - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
     - { path: "/var/cache/cinder", mode: "0700" }
     - { path: "/etc/cinder", mode: "0750" }
-    - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root" }
+    - { path: "/etc/cinder/rootwrap.d", owner: "root", group: "root", mode: "0750" }
     - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
     - { path: "{{ cinder_system_home_folder }}" }