From 7470cb25fdaae9a2c3570550475e0011af519e44 Mon Sep 17 00:00:00 2001
From: Corey Bryant
Date: Wed, 17 May 2017 19:08:02 +0000
Subject: [PATCH] Drop privileges when running commands

Drop privileges to a regular user when running commands defined by this snap.

Change-Id: I8ada8f30506756a48a70063ac6444ee9167bfbc7
---
 snap/snap-openstack.yaml | 17 ++++++++++++++++-
 snapcraft.yaml | 2 +-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml
index 906f4c4..066d784 100644
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
@@ -1,11 +1,20 @@
 setup:
+ users:
+ snap-glance: [snap-glance]
+ default-owner: "root:snap-glance"
 dirs:
+ - "{snap_common}/etc"
 - "{snap_common}/etc/glance/conf.d"
+ - "{snap_common}/lib"
 - "{snap_common}/lib/images"
- - "{snap_common}/log"
 - "{snap_common}/lock"
+ - "{snap_common}/log"
 templates:
 glance-snap.conf.j2: "{snap_common}/etc/glance/conf.d/glance-snap.conf"
+ rchown:
+ "{snap_common}/lib": "snap-glance:snap-glance"
+ "{snap_common}/lock": "snap-glance:snap-glance"
+ "{snap_common}/log": "snap-glance:snap-glance"
 entry_points:
 glance-manage:
 binary: "{snap}/bin/glance-manage"
@@ -14,6 +23,8 @@ entry_points:
 - "{snap_common}/etc/glance/glance.conf"
 config-dirs:
 - "{snap_common}/etc/glance/conf.d"
+ run-as:
+ snap-glance: [snap-glance]
 glance-registry:
 binary: "{snap}/bin/glance-registry"
 config-files:
@@ -22,6 +33,8 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/glance/conf.d"
 log-file: "{snap_common}/log/glance-registry.log"
+ run-as:
+ snap-glance: [snap-glance]
 glance-api:
 binary: "{snap}/bin/glance-api"
 config-files:
@@ -30,3 +43,5 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/glance/conf.d"
 log-file: "{snap_common}/log/glance-api.log"
+ run-as:
+ snap-glance: [snap-glance]
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 0bc9f86..49dece6 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
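Review bot: The new `rchown` entries in the first hunk recursively hand `{snap_common}/lib`, `{snap_common}/lock` and `{snap_common}/log` to `snap-glance`, which means a privileged setup step walks trees that the unprivileged service can write to once it is running. The code behind `rchown` is not part of this patch, so it should be confirmed that it changes ownership without following symbolic links and never leaves the named directory; if setup runs on every launch, a compromised service could otherwise get a file outside its tree re-owned. Separately, `default-owner: "root:snap-glance"` fixes ownership for `{snap_common}/etc` but the hunk states no permission mode, and Glance configuration commonly holds database and service credentials, so those directories should end up group-readable, not group-writable and not world-readable. A comment above `default-owner` such as `# config stays root-owned; snap-glance reads it through its group only` would record the intent.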
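Review bot: The `run-as` stanza added to `glance-manage` in the second hunk, and repeated for `glance-registry` and `glance-api` in the two hunks after it, leaves the failure behaviour of the privilege drop unstated. The launcher that consumes it is outside this patch, so confirm that it refuses to start the binary when `snap-glance` cannot be resolved or the gid/uid change fails, and that it resets supplementary groups before changing uid, rather than carrying on as root. On upgrade, an operator-supplied `{snap_common}/etc/glance/glance.conf` created earlier as root may no longer be readable by the service, because `rchown` covers only `lib`, `lock` and `log`; that is the safer default but deserves a release note. Assuming the mapping form is user then groups, a comment on the first stanza, `# run-as: <user>: [<supplementary groups>]`, would make it self-explanatory; each entry point's mapping starts or ends outside its hunk.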
@@ -77,7 +77,7 @@ parts:
 - etc/glance/*.ini
 - etc/glance/*.json
 stage: [$etc]
- snap: [$etc]
+ prime: [$etc]
 python:
 source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
 plugin: autotools