Setup more strict permissions for sensible data
This change sets stricter permissions for data in the following locations: - /etc/hiera - /etc/facter - /etc/fuel/cluster Change-Id: Ie652f6d323088321ce9dae468df527457328b69e Closes-Bug: #1603182 Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>
This commit is contained in:
parent
8c341ac13e
commit
299da38215
@ -16,7 +16,6 @@ $hiera_data_file = "${data_dir}/astute.yaml"
File {
owner => 'root',
group => 'root',
mode => '0644',
}
$hiera_config_content = inline_template('
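Review bot: Dropping `mode => '0644'` from the `File {}` default leaves every file resource in this manifest that does not set `mode` itself with no managed mode at all, so already-deployed files keep whatever permissions they currently have and newly created ones get a umask-derived mode; the same applies to the `File {}` default removed in `osnailyfacter::hiera::hiera` further down. A restrictive default is safer than no default: keep `mode => '0640',` in the default block and relax it per resource only where a world-readable file is actually required. The `hiera_data_dir` and `hiera_config` resources in the next hunk would then be the explicit exceptions rather than the only mode-managed files.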
@ -40,11 +39,13 @@ $hiera_config_content = inline_template('
file { 'hiera_data_dir' :
ensure => 'directory',
path => $data_dir,
mode => '0750',
}
file { 'hiera_config' :
ensure => 'present',
path => $hiera_main_config,
mode => '0640',
content => $hiera_config_content,
}
@ -113,6 +113,7 @@
changed($.access.user)
requires: [upload_configuration]
required_for: [pre_deployment_end]
permissions: '0640'
parameters:
path: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
data:
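Review bot: The added `permissions: '0640'` sits at task level next to `requires`/`required_for` rather than under `parameters:`; the task type is declared above the hunk, so whether the task executor honors a task-level key cannot be confirmed from here, and a silently ignored key would leave `/etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml` at the executor's default mode with no error. The same placement is used for the astute.yaml and deleted_nodes.yaml tasks in what appears to be a second tasks file further down, so one verification covers all three. Nothing in these hunks sets the mode of the `/etc/fuel/cluster/{CLUSTER_ID}` directory itself; if the bug report covers the directory, that needs its own setting, and a comment such as `# permissions applies to the uploaded file only; the cluster directory mode is managed elsewhere -- confirm` would record the decision once verified.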
@ -133,8 +134,8 @@
files:
- src: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
dst: /etc/hiera/old_admin_user.yaml
permissions: '0644'
dir_permissions: '0755'
permissions: '0640'
dir_permissions: '0750'
- id: delete_old_admin_user
version: 2.1.0
@ -52,11 +52,11 @@ class osnailyfacter::globals::globals {
}
file { [$base_facter_dir, $facter_os_package_type_dir]:
ensure => 'directory',
mode => '0755',
mode => '0750',
}
file { $facter_os_package_type_file :
ensure => 'present',
mode => '0644',
mode => '0640',
content => "os_package_type=${os_package_type_override}\n"
}
}
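Review bot: `mode => '0750'` on `$base_facter_dir` and `$facter_os_package_type_dir` makes the external facts under them readable only by their owner and group, which are not visible in this hunk, so the effective restriction depends on File defaults declared elsewhere in the class; a non-root operator running `facter` will then silently get no external facts rather than an error. The `$globals_yaml_file` resource in the next hunk sets `owner => 'root'` and `group => 'root'` explicitly, and doing the same on these two resources would make the 0750 meaningful regardless of defaults. A comment on the directory resource, e.g. `# 0750: external facts may carry deployment data; only root (puppet agent) needs to read them`, would record why operators lose read access.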
@ -501,7 +501,7 @@ class osnailyfacter::globals::globals {
# by other manifests with hiera function
file { $globals_yaml_file :
ensure => 'present',
mode => '0644',
mode => '0640',
owner => 'root',
group => 'root',
content => template('osnailyfacter/globals_yaml.erb')
@ -34,7 +34,6 @@ class osnailyfacter::hiera::hiera {
File {
owner => 'root',
group => 'root',
mode => '0644',
}
hiera_config { $hiera_main_config :
@ -49,6 +48,7 @@ class osnailyfacter::hiera::hiera {
file { ['/etc/puppetlabs', '/etc/puppetlabs/code'] :
ensure => 'directory',
mode => '0750',
require => Hiera_config[$hiera_main_config],
}
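Review bot: Setting `mode => '0750'` on `/etc/puppetlabs` and `/etc/puppetlabs/code` restricts traversal of the whole Puppet configuration tree, not only the hiera data this commit is about; if any Puppet component on these nodes runs as a non-root user (puppetserver normally does) it would lose access to its own configuration under these paths. Owner and group for the two directories are not visible in this hunk, so the real effect depends on the File defaults earlier in the class. If the assumption is that only a root-run agent touches these hosts, state it next to the resource, e.g. `# 0750: puppet agent runs as root here; a non-root puppetserver would not be able to read this tree`.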
@ -60,17 +60,20 @@ class osnailyfacter::hiera::hiera {
file { 'hiera_data_dir' :
ensure => 'directory',
mode => '0750',
path => $data_dir,
}
file { 'hiera_data_override_dir' :
ensure => 'directory',
mode => '0750',
path => $override_dir_path,
}
file { 'hiera_config' :
ensure => 'present',
path => $hiera_main_config,
mode => '0640',
}
file { 'hiera_data_astute' :
@ -9,10 +9,10 @@ class osnailyfacter::hiera::override_configuration {
File {
owner => 'root',
group => 'root',
mode => '0644',
mode => '0750',
ensure => 'directory',
}
file { [$hiera_override_dir, $hiera_override_config_dir]: }
file { [$hiera_data_dir, $hiera_override_dir, $hiera_override_config_dir]: }
}
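Review bot: Adding `$hiera_data_dir` to the directory resource list makes this class manage the same path that `osnailyfacter::hiera::hiera` already declares as `file { 'hiera_data_dir': path => $data_dir }`; if both classes are in one catalog and the two variables resolve to the same directory, Puppet rejects the catalog with a duplicate declaration for that path. The `File {}` default now also carries `ensure => 'directory'` together with `mode => '0750'`, so any plain file resource declared later in this class without its own `ensure` would be turned into a directory. If the extra declaration is meant to cover nodes where the hiera class is not applied, guard it, e.g. `if !defined(File[$hiera_data_dir]) { file { $hiera_data_dir: } }`, so the overlap is explicit instead of accidental.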
@ -34,6 +34,7 @@ class osnailyfacter::netconfig::hiera_default_route {
if $loaded_network_scheme != $network_scheme {
file {'/etc/hiera/override/configuration/default_route.yaml':
ensure => file,
mode => '0640',
content => inline_template('# Created by puppet, please do not edit
network_scheme:
endpoints:
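Review bot: The new `mode => '0640'` on default_route.yaml is only enforced when the surrounding `if $loaded_network_scheme != $network_scheme` branch is taken, because the file resource lives inside it; a node whose network scheme has not changed keeps the already-deployed file with its previous, looser mode after this change is rolled out. To tighten existing files as well, the mode and owner/group would have to be managed by a resource that is always in the catalog, with only the `content` kept under the condition (and without creating an empty file where none existed). The enclosing `if` block and the `inline_template` body continue outside the hunk.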
@ -48,6 +48,7 @@
requires: [override_configuration]
required_for: [pre_deployment_start]
refresh_on: ['*']
permissions: '0640'
parameters:
path: /etc/fuel/cluster/{CLUSTER_ID}/astute.yaml
timeout: 180
@ -370,6 +371,7 @@
yaql_exp: &deleted_nodes 'changed($.network_metadata.nodes)'
requires: [upload_configuration]
required_for: [pre_deployment_end]
permissions: '0640'
parameters:
path: /etc/fuel/cluster/{CLUSTER_ID}/deleted_nodes.yaml
data:
@ -390,8 +392,8 @@
files:
- src: /etc/fuel/cluster/{CLUSTER_ID}/deleted_nodes.yaml
dst: /etc/hiera/deleted_nodes.yaml
permissions: '0644'
dir_permissions: '0755'
permissions: '0640'
dir_permissions: '0750'
- id: purge_service_entries
version: 2.1.0
@ -18,7 +18,7 @@ manifest = 'globals/globals.pp'
describe manifest do
shared_examples 'catalog' do
it { is_expected.to contain_file '/etc/hiera/globals.yaml' }
it { is_expected.to contain_file('/etc/hiera/globals.yaml').with('mode' => '0640') }
it 'should save the globals yaml file', :if => ENV['SPEC_UPDATE_GLOBALS'] do
globals_yaml_content = Noop.resource_parameter_value self, 'file', '/etc/hiera/globals.yaml', 'content'
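Review bot: The new expectation pins only `'mode' => '0640'`, but a 0640 file is exactly as restrictive as its owner and group, and globals.pp sets `owner => 'root'` and `group => 'root'` on this same resource in this commit; the spec should lock those in as well: `it { is_expected.to contain_file('/etc/hiera/globals.yaml').with('mode' => '0640', 'owner' => 'root', 'group' => 'root') }`. Without it a later change to the group would pass while silently widening read access to the rendered globals.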
@ -21,11 +21,13 @@ describe manifest do
it 'should setup hiera' do
should contain_file('hiera_data_dir').with(
'ensure' => 'directory',
'path' => '/etc/hiera'
'path' => '/etc/hiera',
'mode' => '0750',
)
should contain_file('hiera_config').with(
'ensure' => 'present',
'path' => '/etc/hiera.yaml'
'path' => '/etc/hiera.yaml',
'mode' => '0640',
)
# ensure deeper merge_behavior is being set
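Review bot: The new `'mode'` expectations cover `hiera_data_dir` and `hiera_config` but not the `/etc/puppetlabs` and `/etc/puppetlabs/code` directories that the same commit sets to 0750 in `osnailyfacter::hiera::hiera`, nor `hiera_data_override_dir`, so a regression on any of those would pass this spec. Adding `should contain_file('/etc/puppetlabs/code').with('ensure' => 'directory', 'mode' => '0750')` next to the existing assertions would close that gap. The second hunk of this file looks like a pure re-indentation and needs no change.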
@ -35,11 +37,11 @@ describe manifest do
# ensure hiera_config is taking plugin overrides from the astute.yaml
should contain_hiera_config('/etc/hiera.yaml').with(
'ensure' => 'present',
'metadata_yaml_file' => '/etc/astute.yaml',
'override_dir' => 'plugins',
'data_dir' => '/etc/hiera',
)
'ensure' => 'present',
'metadata_yaml_file' => '/etc/astute.yaml',
'override_dir' => 'plugins',
'data_dir' => '/etc/hiera',
)
# check symlinks
should contain_file('hiera_data_astute').with(
@ -22,7 +22,8 @@ describe manifest do
['/etc/hiera/override', '/etc/hiera/override/configuration'].each do |f|
should contain_file(f).with(
'ensure' => 'directory',
'path' => f
'path' => f,
'mode' => '0750',
)
end
end
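Review bot: override_configuration.pp now also lists `$hiera_data_dir` in its directory resource, but the loop here still iterates only `/etc/hiera/override` and `/etc/hiera/override/configuration`, so the new 0750 expectation never reaches the newly managed directory in this spec. If `$hiera_data_dir` resolves to `/etc/hiera` in this fixture (not visible here), adding it to the array, `['/etc/hiera', '/etc/hiera/override', '/etc/hiera/override/configuration'].each do |f|`, would cover the added resource.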
@ -10,11 +10,14 @@ describe manifest do
it 'should setup hiera' do
should contain_file('hiera_data_dir').with(
'ensure' => 'directory',
'path' => '/etc/hiera'
'path' => '/etc/hiera',
'mode' => '0750',
)
should contain_file('hiera_config').with(
'ensure' => 'present',
'path' => '/etc/hiera.yaml'
'path' => '/etc/hiera.yaml',
'mode' => '0640',
)
# check symlinks
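Review bot: The stray blank line left between `'mode' => '0750',` and the closing `)` in the `hiera_data_dir` expectation looks like an editing leftover and breaks the compact hash layout used by the `hiera_config` expectation right below it; drop the empty line. Otherwise this hunk mirrors the sibling hiera spec and the same coverage remark about the `/etc/puppetlabs` directories applies here.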
@ -35,7 +35,7 @@ describe manifest do
'ensure' => 'absent',
)}
elsif in_group_with_vip
it { should contain_file('/etc/hiera/override/configuration/default_route.yaml').with_content(
it { should contain_file('/etc/hiera/override/configuration/default_route.yaml').with('mode'=>'0640').with_content(
/gateway: "#{mgmt_vrouter_vip}"/
)}
else
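Review bot: Only the `elsif in_group_with_vip` branch gains the mode check on `default_route.yaml`; the `else` branch that follows (outside this hunk) also asserts on the same file and does not, so a wrong mode would still pass there, while the preceding branch expects the file absent and needs nothing. The spacing `'mode'=>'0640'` also differs from the `'mode' => '0640'` form used in the other specs of this commit; write it `.with('mode' => '0640')` and add the same check to every branch that expects the file to be present.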