octavia::certificate should further restrict access to certificate files

Bug #2049203 reported by Takashi Kajinami
Affects: puppet-octavia
Status: Fix Released
Importance: High
Assigned to: Takashi Kajinami

Bug Description

Currently, the octavia::certificate class installs the certificate files with mode 0755.
However, this is inappropriate because:
 - The certificate files don't need the x bit
 - The certificate files, especially the private key file, should not be readable by an unrelated user
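A check for the two conditions named in the description, as an added example that is not part of the original report or of puppet-octavia. The file names are hypothetical, the file contents are constructed placeholders, and 0600 is an assumed hardened mode (the report does not state the mode the fix applies).

```python
import os
import stat
import tempfile

# Any of the three execute bits; PEM data is never executed.
X_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_cert_file(path, is_private_key=False):
    """Return findings for one file, covering the two points in the bug report."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & X_BITS:
        findings.append("executable-bit")
    # "Other" read access is what lets an unrelated local user read the file.
    if mode & stat.S_IROTH:
        findings.append("private-key-readable-by-other" if is_private_key
                        else "readable-by-other")
    return findings


def demo():
    """Audit constructed sample files in a temporary directory."""
    samples = [
        ("ca.key.pem", 0o755, True),      # mode described in the report
        ("ca.cert.pem", 0o755, False),    # mode described in the report
        ("fixed.key.pem", 0o600, True),   # assumed hardened mode
    ]
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for name, mode, is_key in samples:
            path = os.path.join(workdir, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not real key material\n")
            os.chmod(path, mode)  # chmod is not affected by the umask
            results[name] = audit_cert_file(path, is_key)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```
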

Changed in puppet-octavia:
importance: Undecided → Critical
importance: Critical → High
assignee: nobody → Takashi Kajinami (kajinamit)
Changed in puppet-octavia:
status: New → In Progress
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-octavia (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-octavia/+/905439
Committed: https://opendev.org/openstack/puppet-octavia/commit/76e1ac5e8c6f700025a849f10c555cdd686f822d
Submitter: "Zuul (22348)"
Branch: master

commit 76e1ac5e8c6f700025a849f10c555cdd686f822d
Author: Takashi Kajinami <email address hidden>
Date: Fri Jan 12 22:31:17 2024 +0900

    Restrict access to certificate files

    The certificate files don't need x bits. Also these files, especially
    the private key file should have very restricted access.

    Closes-Bug: #2049203
    Change-Id: I3f4cf18b70420a509ad971fea32277a7a9b59dc3

Changed in puppet-octavia:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-octavia (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/puppet-octavia/+/905460

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-octavia (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/puppet-octavia/+/905460
Committed: https://opendev.org/openstack/puppet-octavia/commit/bb49fc5f68a7a4cf491f13748d3e1a9dcad77909
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit bb49fc5f68a7a4cf491f13748d3e1a9dcad77909
Author: Takashi Kajinami <email address hidden>
Date: Fri Jan 12 22:31:17 2024 +0900

    Restrict access to certificate files

    The certificate files don't need x bits. Also these files, especially
    the private key file should have very restricted access.

    Closes-Bug: #2049203
    Change-Id: I3f4cf18b70420a509ad971fea32277a7a9b59dc3
    (cherry picked from commit 76e1ac5e8c6f700025a849f10c555cdd686f822d)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-octavia (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/puppet-octavia/+/905721

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-octavia (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/puppet-octavia/+/905721
Committed: https://opendev.org/openstack/puppet-octavia/commit/844cabcb007f50f09877f90d45080a11fc9c21a6
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 844cabcb007f50f09877f90d45080a11fc9c21a6
Author: Takashi Kajinami <email address hidden>
Date: Fri Jan 12 22:31:17 2024 +0900

    Restrict access to certificate files

    The certificate files don't need x bits. Also these files, especially
    the private key file should have very restricted access.

    Closes-Bug: #2049203
    Change-Id: I3f4cf18b70420a509ad971fea32277a7a9b59dc3
    (cherry picked from commit 76e1ac5e8c6f700025a849f10c555cdd686f822d)
    (cherry picked from commit bb49fc5f68a7a4cf491f13748d3e1a9dcad77909)

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-octavia (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/puppet-octavia/+/905920

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-octavia (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/puppet-octavia/+/905920
Committed: https://opendev.org/openstack/puppet-octavia/commit/b268824f8690722b5f49013099ad93c10905da35
Submitter: "Zuul (22348)"
Branch: stable/zed

commit b268824f8690722b5f49013099ad93c10905da35
Author: Takashi Kajinami <email address hidden>
Date: Fri Jan 12 22:31:17 2024 +0900

    Restrict access to certificate files

    The certificate files don't need x bits. Also these files, especially
    the private key file should have very restricted access.

    Closes-Bug: #2049203
    Change-Id: I3f4cf18b70420a509ad971fea32277a7a9b59dc3
    (cherry picked from commit 76e1ac5e8c6f700025a849f10c555cdd686f822d)
    (cherry picked from commit bb49fc5f68a7a4cf491f13748d3e1a9dcad77909)
    (cherry picked from commit 844cabcb007f50f09877f90d45080a11fc9c21a6)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-octavia 24.0.0

This issue was fixed in the openstack/puppet-octavia 24.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-octavia 21.0.1

This issue was fixed in the openstack/puppet-octavia 21.0.1 release.
