Incorrect policy.yaml creation parameters
Bug #2051124 reported by Franciszek Przewoźny
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Guide Documentation | New | Undecided | Unassigned |
puppet-keystone | Won't Fix | Undecided | Unassigned |
Bug Description
Puppet-keystone creates the policy.yaml file with its content using the keystone::policy class. As the function itself works correctly, the file owner is hardcoded to the 'root' user (https:/
Keystone does not require write access to these config files. All it needs is read access.
So owner root:keystone with mode 0640 works fine.
IMO the keystone doc can be updated to prohibit write access to these config files by keystone, though it may be additional hardening which may not be necessary in all use cases.
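
The ownership and mode discussed in the comment above can be checked with a small audit script. This is an added example, not part of the bug report or of puppet-keystone. The function names, the default `keystone` account name and the numeric IDs in the sample are assumptions made for illustration.

```python
import os
import pwd
import stat


def effective_access(st_uid, st_gid, st_mode, uid, gids):
    """Return the subset of "rw" the mode bits grant to a non-root account.

    POSIX applies exactly one class: owner if the uid matches, else group
    if any gid matches, else other. ACLs and capabilities are ignored.
    """
    if uid == st_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return ("r" if st_mode & r else "") + ("w" if st_mode & w else "")


def findings(st_uid, st_gid, st_mode, uid, gids):
    """List deviations from 'service reads, cannot write, others get nothing'."""
    access = effective_access(st_uid, st_gid, st_mode, uid, gids)
    out = []
    if "r" not in access:
        out.append("service account cannot read the file")
    if "w" in access:
        out.append("service account can write the file")
    if st_mode & (stat.S_IROTH | stat.S_IWOTH):
        out.append("file is accessible to other users")
    return out


def audit(path, service_user="keystone"):
    """Run the check against a real file (account name is an assumption)."""
    st = os.stat(path)
    pw = pwd.getpwnam(service_user)
    gids = set(os.getgrouplist(service_user, pw.pw_gid))
    return findings(st.st_uid, st.st_gid, st.st_mode, pw.pw_uid, gids)


if __name__ == "__main__":
    # Constructed IDs: root = 0, keystone uid = 1001, keystone gid = 42.
    print(findings(0, 42, 0o640, 1001, {42}))     # root:keystone 0640
    print(findings(1001, 42, 0o640, 1001, {42}))  # keystone:keystone 0640
```

With the same mode 0640, the result depends on which permission class the service account falls into: as a group member it gets read only, as the file owner it also gets write.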