From a797cce7656e6d91c8e107c52f22b5a20fd956c6 Mon Sep 17 00:00:00 2001
From: Dmitry Klenov
Date: Tue, 28 Feb 2017 10:43:53 +0000
Subject: [PATCH] Restricting access to fernet keys folder

Leaving access to fernet dir for owner only. This improves security and resolves 'fernet dir is world-readable' warning.

Change-Id: I463a56d41697b8c4c1454758267e906665187b15
---
 service/keystone.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/service/keystone.yaml b/service/keystone.yaml
index a326b1e..41b501a 100644
--- a/service/keystone.yaml
+++ b/service/keystone.yaml
@@ -29,11 +29,12 @@ service:
command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
- name: chown-fernet-dir
command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
- - name: remove-fernet-dir-sticky-bit
- command: /bin/chmod -t /etc/keystone/fernet-keys
- - name: generate-fernet-keys
+ - name: fernet-dir-permissions
+ command: "/bin/chmod 0700 /etc/keystone/fernet-keys"
+ dependencies:
+ - chown-fernet-dir
+ - name: keystone-generate-fernet-keys
command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
- image: keystone
type: single
files:
- fernet-manage
@@ -61,6 +62,7 @@ service:
- keystone-conf
dependencies:
- keystone-db-sync
+ - keystone-generate-fernet-keys
type: single
command: keystone-manage bootstrap --bootstrap-password {{ openstack.user_password }}
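Review bot: The new `keystone-generate-fernet-keys` step declares no dependency on `fernet-dir-permissions`, so the only thing placing the `chmod 0700` before key generation is list position; `fernet-dir-permissions` depends on `chown-fernet-dir`, but the step that actually writes keys into the directory does not depend on the step that locks it down. If the pre-command scheduler orders by declared dependencies rather than list order (not visible from this hunk), the keys could be written while the directory is still world-readable, which is the window the commit intends to close; adding `dependencies:` followed by `  - fernet-dir-permissions` under `keystone-generate-fernet-keys` makes the intended order explicit. Note also that `chmod 0700` restricts the directory only; the mode of the key files themselves is whatever `fernet-manage.py fernet_setup` sets, which this hunk does not show, so the "world-readable" warning is only fully addressed if that tool creates owner-only files. The hunk also appears to drop an `image: keystone` line from that step, which the commit message does not mention and may deserve a sentence of its own. The `pre:` list this hunk edits begins before the hunk; the second hunk's `keystone-bootstrap` dependency list uses the renamed `keystone-generate-fernet-keys`, which is consistent with this hunk.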