Incorrect policy.yaml creation parameters

Bug #2051124 reported by Franciszek Przewoźny
Affects                                   Status      Importance   Assigned to   Milestone
OpenStack Security Guide Documentation    New         Undecided    Unassigned
puppet-keystone                           Won't Fix   Undecided    Unassigned

Bug Description

Puppet-keystone creates the policy.yaml file with its content using the keystone::policy class. While the function itself works correctly, the file owner is hardcoded to the 'root' user (https://github.com/openstack/puppet-keystone/blob/master/manifests/policy.pp#L64), which is not compliant with the Security Guide Checklist (https://docs.openstack.org/security-guide/identity/checklist.html#check-identity-01-is-user-group-ownership-of-config-files-set-to-keystone), as it requires the file to be owned by the user and group named 'keystone'. Please check whether the code or the guide should be corrected, because in its current form it might be misleading.

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

Keystone does not require write access to these config files. All it needs is read access.
So owner root:keystone with mode 0640 works fine.

IMO the keystone doc can be updated to prohibit write access to these config files by keystone, though it may be additional hardening which may not be necessary in all use cases.

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

Technically we can add parameters to let users override the user/group of the file, in case people are eager to implement what is documented in that guide, but IMO that brings no gain with additional complexity, so I'll close this as won't fix.

Changed in puppet-keystone:
status: New → Won't Fix
Revision history for this message
Franciszek Przewoźny (fprzewozn) wrote :

Okay, so the Security Guide Documentation should be updated then.
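The thread above turns on two different expectations for the same file: the checklist's keystone:keystone ownership and the root:keystone with mode 0640 layout that puppet-keystone produces. The shell snippet below is an added audit helper, not part of this bug report or of puppet-keystone, that checks a config file against either convention: the caller passes the owner:group pairs they accept, and the mode check rejects group-write and any "other" bits (so 0640 or tighter passes, 0664 or 0644 fails). It assumes a Linux host with GNU or busybox `stat -c`; the /etc/keystone paths in `audit_keystone_dir` are the conventional ones and are an assumption, as is the file list.

```shell
#!/bin/sh
# Added example (not from the bug report or puppet-keystone): audit a
# Keystone config file's owner, group and mode against the Security Guide
# checklist, accepting a caller-supplied set of owner:group pairs.
#
# Usage: check_config_file FILE "owner:group [owner:group ...]"
# Returns 0 when the file exists, is owned by one of the listed pairs, and
# has no group-write bit and no permissions for "other". Returns 1 on any
# finding and prints one line per finding.

check_config_file() {
    file=$1
    allowed=$2

    if [ ! -f "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi

    # GNU/busybox stat syntax (assumed Linux); %a prints e.g. 640.
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    mode=$(stat -c '%a' "$file")
    rc=0

    owner_ok=1
    for pair in $allowed; do
        if [ "$owner:$group" = "$pair" ]; then
            owner_ok=0
        fi
    done
    if [ "$owner_ok" -ne 0 ]; then
        echo "OWNER     $file is $owner:$group, expected one of: $allowed"
        rc=1
    fi

    # Octal arithmetic: 027 = group-write (020) plus all "other" bits (007).
    # Any overlap means the file is looser than 0640.
    if [ $(( 0$mode & 027 )) -ne 0 ]; then
        echo "MODE      $file is $mode, expected 0640 or tighter"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK        $file ($owner:$group $mode)"
    fi
    return "$rc"
}

# Walk the usual Keystone config files (assumed paths and names), accepting
# both the guide's keystone:keystone layout and puppet-keystone's
# root:keystone layout. Missing files are skipped rather than reported.
audit_keystone_dir() {
    dir=${1:-/etc/keystone}
    status=0
    for name in keystone.conf policy.yaml logging.conf; do
        path="$dir/$name"
        [ -e "$path" ] || continue
        check_config_file "$path" "keystone:keystone root:keystone" || status=1
    done
    return "$status"
}

# Run the audit only when executed directly with "audit" as the argument,
# so the file can also be sourced for its functions.
if [ "${1:-}" = "audit" ]; then
    audit_keystone_dir "${2:-/etc/keystone}"
fi
```

Run it as `sh check_keystone_perms.sh audit` on a controller node; a non-zero exit means at least one file deviated from both accepted layouts or is more permissive than 0640.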
