Securing /etc/nova

* /etc/nova should be 700 and owned by nova:nova, since all files are group readable.
2012-11-21 23:15:43 -08:00 · 2012-11-21 23:15:43 -08:00 · 7d176f39e6
parent 261c28a991
commit 7d176f39e6
8 changed files with 25 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -110,6 +110,8 @@ Attributes
 ==========

 * `default["nova"]["keystone_service_chef_role"]` - The name of the Chef role that sets up the Keystone Service API
+* `default["nova"]["user"]` - User nova services run as
+* `default["nova"]["group"]` - Group nova services run as
 * `default["nova"]["nova_setup_chef_role"]` - The name of the Chef role that sets up Nova
 * `default["nova"]["db"]["name"]` - Name of nova database
 * `default["nova"]["db"]["username"]` - Username for nova database access
--- a/attributes/default.rb
+++ b/attributes/default.rb
@ -29,6 +29,9 @@ default["nova"]["service_tenant_name"] = "service"
 default["nova"]["service_user"] = "nova"
 default["nova"]["service_role"] = "admin"

+default["nova"]["user"] = "nova"
+default["nova"]["group"] = "nova"
+
 # Logging stuff
 default["nova"]["syslog"]["use"] = false
 default["nova"]["syslog"]["facility"] = "LOG_LOCAL1"
--- a/recipes/api-ec2.rb
+++ b/recipes/api-ec2.rb
@ -30,9 +30,9 @@ platform_options = node["nova"]["platform"]
 node.set_unless['nova']['service_pass'] = secure_password

 directory "/var/lock/nova" do
-  owner "nova"
-  group "nova"
-  mode  00755
+  owner node["nova"]["user"]
+  group node["nova"]["group"]
+  mode  00700

  action :create
 end
--- a/recipes/api-metadata.rb
+++ b/recipes/api-metadata.rb
@ -26,11 +26,11 @@ include_recipe "nova::nova-common"
 platform_options = node["nova"]["platform"]

 directory "/var/lock/nova" do
-    owner "nova"
-    group "nova"
-    mode  00755
+  owner node["nova"]["user"]
+  group node["nova"]["group"]
+  mode  00700

-    action :create
+  action :create
 end

 package "python-keystone" do
--- a/recipes/api-os-compute.rb
+++ b/recipes/api-os-compute.rb
@ -30,9 +30,9 @@ node.set_unless['nova']['service_pass'] = secure_password
 platform_options = node["nova"]["platform"]

 directory "/var/lock/nova" do
-  owner "nova"
-  group "nova"
-  mode  00755
+  owner node["nova"]["user"]
+  group node["nova"]["group"]
+  mode  00700

  action :create
 end
--- a/recipes/api-os-volume.rb
+++ b/recipes/api-os-volume.rb
@ -26,11 +26,11 @@ include_recipe "nova::nova-common"
 platform_options = node["nova"]["platform"]

 directory "/var/lock/nova" do
-    owner "nova"
-    group "nova"
-    mode  00755
+  owner node["nova"]["user"]
+  group node["nova"]["group"]
+  mode  00700

-    action :create
+  action :create
 end

 package "python-keystone" do
--- a/recipes/nova-common.rb
+++ b/recipes/nova-common.rb
@ -36,9 +36,9 @@ platform_options["common_packages"].each do |pkg|
 end

 directory "/etc/nova" do
-  owner "nova"
-  group "nova"
-  mode  00755
+  owner node["nova"]["user"]
+  group node["nova"]["group"]
+  mode  00700

  action :create
 end
--- a/recipes/scheduler.rb
+++ b/recipes/scheduler.rb
@ -22,9 +22,9 @@ include_recipe "nova::nova-common"
 platform_options = node["nova"]["platform"]

 directory "/var/lock/nova" do
-  owner "nova"
-  group "nova"
-  mode  00755
+  owner node["nova"]["user"]
+  group node["nova"]["group"]
+  mode  00700

  action :create
 end