From 8bf46a66e67c3245f72b8eea6dacf247163106bb Mon Sep 17 00:00:00 2001 From: John Fulton Date: Tue, 3 Oct 2017 00:21:57 +0000 Subject: [PATCH] Set restrictive file permissions on Ceph keyrings for non-containerized deployment Pass mode parameter 0640 and user and group ownership to puppet-ceph for Ceph openstack client keyrings during non-containerized deployment. Author: Keith Schincke Co-Author: John Fulton Change-Id: Iccb24f5c2ee639ad2bc0869a37cec305f32b9fd1 Depends-On: Ie968e6abc6969c37be0a62ac45999093120673d4 Partial-Bug: #1720787 (cherry picked from commit bdf1ade1b9de994c3098fb17cca6dd64b3d14cd5)
---
 puppet/services/ceph-base.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/puppet/services/ceph-base.yaml b/puppet/services/ceph-base.yaml
index 033d3f778f..f782f64fbd 100644
--- a/puppet/services/ceph-base.yaml
+++ b/puppet/services/ceph-base.yaml
@@ -132,7 +132,9 @@ outputs:
 cap_mon: 'allow profile bootstrap-osd'
 CEPH_CLIENT_KEY:
 secret: {get_param: CephClientKey}
- mode: '0644'
+ mode: '0640'
+ user: 'ceph'
+ group: 'ceph'
 cap_mon: 'allow r'
 cap_osd:
 str_replace:
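Review bot: The new `mode: '0640'` with `user: 'ceph'` and `group: 'ceph'` on `CEPH_CLIENT_KEY` removes world read, but nothing visible in this hunk shows how the non-ceph service accounts that consume the OpenStack client keyring keep read access. Presumably that is handled elsewhere by group membership or an ACL (the commit is marked Partial-Bug and depends on a puppet-ceph change), and it should be confirmed on a non-containerized node before merge. I would record the intent next to the setting, e.g. `# 0640 ceph:ceph - keyring holds CephClientKey; readers need ceph group membership or an explicit ACL`. Only this key's mode is visible: the entry above it (`cap_mon: 'allow profile bootstrap-osd'`) starts outside the hunk, so it is worth checking that its mode is no wider than this one. The enclosing mapping under `outputs:` begins and ends outside the hunk.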