Restricting access to fernet keys folder
Leaving access to fernet dir for owner only. This improves security and resolves 'fernet dir is world-readable' warning. Change-Id: I463a56d41697b8c4c1454758267e906665187b15
This commit is contained in:
Dmitry Klenov
parent
be6b501f26
commit
a797cce765
|
|
@ -29,11 +29,12 @@ service:
|
||||||
command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
|
command: "sudo /bin/chown keystone:keystone /var/log/ccp/keystone"
|
||||||
- name: chown-fernet-dir
|
- name: chown-fernet-dir
|
||||||
command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
|
command: "sudo /bin/chown keystone:keystone /etc/keystone/fernet-keys"
|
||||||
- name: remove-fernet-dir-sticky-bit
|
- name: fernet-dir-permissions
|
||||||
command: /bin/chmod -t /etc/keystone/fernet-keys
|
command: "/bin/chmod 0700 /etc/keystone/fernet-keys"
|
||||||
- name: generate-fernet-keys
|
dependencies:
|
||||||
|
- chown-fernet-dir
|
||||||
|
- name: keystone-generate-fernet-keys
|
||||||
command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
|
command: "/usr/bin/python /opt/ccp/bin/fernet-manage.py fernet_setup"
|
||||||
image: keystone
|
|
||||||
type: single
|
type: single
|
||||||
files:
|
files:
|
||||||
- fernet-manage
|
- fernet-manage
|
||||||
|
|
@ -61,6 +62,7 @@ service:
|
||||||
- keystone-conf
|
- keystone-conf
|
||||||
dependencies:
|
dependencies:
|
||||||
- keystone-db-sync
|
- keystone-db-sync
|
||||||
|
- keystone-generate-fernet-keys
|
||||||
type: single
|
type: single
|
||||||
command: keystone-manage bootstrap
|
command: keystone-manage bootstrap
|
||||||
--bootstrap-password {{ openstack.user_password }}
|
--bootstrap-password {{ openstack.user_password }}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue