Setup more strict permissions for sensible data

This change sets more strict permissions for data in the:
 - /etc/hiera
 - /etc/facter
 - /etc/fuel/cluster

Change-Id: Ie652f6d323088321ce9dae468df527457328b69e
Closes-Bug: #1603182
Signed-off-by: Maksim Malchuk <mmalchuk@mirantis.com>

deployment/puppet/fuel/examples/hiera.pp

@@ -16,7 +16,6 @@ $hiera_data_file     = "${data_dir}/astute.yaml"
 File {
   owner => 'root',
   group => 'root',
-  mode  => '0644',
 }
 
 $hiera_config_content = inline_template('
@@ -40,11 +39,13 @@ $hiera_config_content = inline_template('
 file { 'hiera_data_dir' :
   ensure => 'directory',
   path   => $data_dir,
+  mode   => '0750',
 }
 
 file { 'hiera_config' :
   ensure  => 'present',
   path    => $hiera_main_config,
+  mode    => '0640',
   content => $hiera_config_content,
 }
 

deployment/puppet/openstack_tasks/examples/keystone/tasks.yaml

@@ -113,6 +113,7 @@
       changed($.access.user)
   requires: [upload_configuration]
   required_for: [pre_deployment_end]
+  permissions: '0640'
   parameters:
     path: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
     data:
@@ -133,8 +134,8 @@
     files:
       - src: /etc/fuel/cluster/{CLUSTER_ID}/old_admin_user.yaml
         dst: /etc/hiera/old_admin_user.yaml
-    permissions: '0644'
-    dir_permissions: '0755'
+    permissions: '0640'
+    dir_permissions: '0750'
 
 - id: delete_old_admin_user
   version: 2.1.0

deployment/puppet/osnailyfacter/manifests/globals/globals.pp

@@ -52,11 +52,11 @@ class osnailyfacter::globals::globals {
       }
       file { [$base_facter_dir, $facter_os_package_type_dir]:
         ensure => 'directory',
-        mode   => '0755',
+        mode   => '0750',
       }
       file { $facter_os_package_type_file :
         ensure  => 'present',
-        mode    => '0644',
+        mode    => '0640',
         content => "os_package_type=${os_package_type_override}\n"
       }
     }
@@ -501,7 +501,7 @@ class osnailyfacter::globals::globals {
   # by other manifests with hiera function
   file { $globals_yaml_file :
     ensure  => 'present',
-    mode    => '0644',
+    mode    => '0640',
     owner   => 'root',
     group   => 'root',
     content => template('osnailyfacter/globals_yaml.erb')

deployment/puppet/osnailyfacter/manifests/hiera/hiera.pp

@@ -34,7 +34,6 @@ class osnailyfacter::hiera::hiera {
   File {
     owner => 'root',
     group => 'root',
-    mode  => '0644',
   }
 
   hiera_config { $hiera_main_config :
@@ -49,6 +48,7 @@ class osnailyfacter::hiera::hiera {
 
   file { ['/etc/puppetlabs', '/etc/puppetlabs/code'] :
     ensure  => 'directory',
+    mode    => '0750',
     require => Hiera_config[$hiera_main_config],
   }
 
@@ -60,17 +60,20 @@ class osnailyfacter::hiera::hiera {
 
   file { 'hiera_data_dir' :
     ensure => 'directory',
+    mode   => '0750',
     path   => $data_dir,
   }
 
   file { 'hiera_data_override_dir' :
     ensure => 'directory',
+    mode   => '0750',
     path   => $override_dir_path,
   }
 
   file { 'hiera_config' :
     ensure => 'present',
     path   => $hiera_main_config,
+    mode   => '0640',
   }
 
   file { 'hiera_data_astute' :

deployment/puppet/osnailyfacter/manifests/hiera/override_configuration.pp

@@ -9,10 +9,10 @@ class osnailyfacter::hiera::override_configuration {
   File {
     owner  => 'root',
     group  => 'root',
-    mode   => '0644',
+    mode   => '0750',
     ensure => 'directory',
   }
 
-  file { [$hiera_override_dir, $hiera_override_config_dir]: }
+  file { [$hiera_data_dir, $hiera_override_dir, $hiera_override_config_dir]: }
 
 }

deployment/puppet/osnailyfacter/manifests/netconfig/hiera_default_route.pp

@@ -34,6 +34,7 @@ class osnailyfacter::netconfig::hiera_default_route {
   if $loaded_network_scheme != $network_scheme {
     file {'/etc/hiera/override/configuration/default_route.yaml':
       ensure  => file,
+      mode    => '0640',
       content => inline_template('# Created by puppet, please do not edit
 network_scheme:
   endpoints:

deployment/puppet/osnailyfacter/modular/astute/tasks.yaml

@@ -48,6 +48,7 @@
   requires: [override_configuration]
   required_for: [pre_deployment_start]
   refresh_on: ['*']
+  permissions: '0640'
   parameters:
     path: /etc/fuel/cluster/{CLUSTER_ID}/astute.yaml
     timeout: 180
@@ -370,6 +371,7 @@
     yaql_exp: &deleted_nodes 'changed($.network_metadata.nodes)'
   requires: [upload_configuration]
   required_for: [pre_deployment_end]
+  permissions: '0640'
   parameters:
     path: /etc/fuel/cluster/{CLUSTER_ID}/deleted_nodes.yaml
     data:
@@ -390,8 +392,8 @@
     files:
       - src: /etc/fuel/cluster/{CLUSTER_ID}/deleted_nodes.yaml
         dst: /etc/hiera/deleted_nodes.yaml
-    permissions: '0644'
-    dir_permissions: '0755'
+    permissions: '0640'
+    dir_permissions: '0750'
 
 - id: purge_service_entries
   version: 2.1.0

tests/noop/spec/hosts/globals/globals_spec.rb

@@ -18,7 +18,7 @@ manifest = 'globals/globals.pp'
 describe manifest do
 
   shared_examples 'catalog' do
-    it { is_expected.to contain_file '/etc/hiera/globals.yaml' }
+    it { is_expected.to contain_file('/etc/hiera/globals.yaml').with('mode' => '0640') }
 
     it 'should save the globals yaml file', :if => ENV['SPEC_UPDATE_GLOBALS'] do
       globals_yaml_content = Noop.resource_parameter_value self, 'file', '/etc/hiera/globals.yaml', 'content'

tests/noop/spec/hosts/hiera/hiera_spec.rb

@@ -21,11 +21,13 @@ describe manifest do
     it 'should setup hiera' do
       should contain_file('hiera_data_dir').with(
         'ensure' => 'directory',
-        'path'   => '/etc/hiera'
+        'path'   => '/etc/hiera',
+        'mode'   => '0750',
       )
       should contain_file('hiera_config').with(
         'ensure' => 'present',
-        'path'   => '/etc/hiera.yaml'
+        'path'   => '/etc/hiera.yaml',
+        'mode'   => '0640',
       )
 
       # ensure deeper merge_behavior is being set
@@ -35,11 +37,11 @@ describe manifest do
 
       # ensure hiera_config is taking plugin overrides from the astute.yaml
       should contain_hiera_config('/etc/hiera.yaml').with(
-                 'ensure' => 'present',
-                 'metadata_yaml_file' => '/etc/astute.yaml',
-                 'override_dir' => 'plugins',
-                 'data_dir' => '/etc/hiera',
-             )
+        'ensure' => 'present',
+        'metadata_yaml_file' => '/etc/astute.yaml',
+        'override_dir' => 'plugins',
+        'data_dir' => '/etc/hiera',
+      )
 
       # check symlinks
       should contain_file('hiera_data_astute').with(

tests/noop/spec/hosts/hiera/override_configuration_spec.rb

@@ -22,7 +22,8 @@ describe manifest do
       ['/etc/hiera/override', '/etc/hiera/override/configuration'].each do |f|
         should contain_file(f).with(
           'ensure' => 'directory',
-          'path'   => f
+          'path'   => f,
+          'mode'   => '0750',
         )
       end
     end

tests/noop/spec/hosts/master/hiera_spec.rb

@@ -10,11 +10,14 @@ describe manifest do
     it 'should setup hiera' do
       should contain_file('hiera_data_dir').with(
         'ensure' => 'directory',
-        'path'   => '/etc/hiera'
+        'path'   => '/etc/hiera',
+        'mode'   => '0750',
+
       )
       should contain_file('hiera_config').with(
         'ensure' => 'present',
-        'path'   => '/etc/hiera.yaml'
+        'path'   => '/etc/hiera.yaml',
+        'mode'   => '0640',
       )
 
       # check symlinks

tests/noop/spec/hosts/netconfig/hiera_default_route_spec.rb

@@ -35,7 +35,7 @@ describe manifest do
         'ensure' => 'absent',
       )}
     elsif in_group_with_vip
-      it { should contain_file('/etc/hiera/override/configuration/default_route.yaml').with_content(
+      it { should contain_file('/etc/hiera/override/configuration/default_route.yaml').with('mode'=>'0640').with_content(
         /gateway: "#{mgmt_vrouter_vip}"/
       )}
     else