openstack/bifrost
Code Issues Proposed changes

Tighten permissions on keystone directories

Browse Source 
Make keystone actually run as keystone user, not as nginx/www-data.

Change-Id: I2cbc6685abe2d99c103fcf856f83c373517f007f
This commit is contained in:
Dmitry Tantsur 2022-01-14 13:03:27 +01:00
parent 5fd6251f22
commit 77f45dd387
5 changed files with 23 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
View File

@ -109,8 +109,8 @@
name: "/etc/keystone" name: "/etc/keystone"
state: directory state: directory
owner: "keystone" owner: "keystone"
group: "keystone" group: "{{ nginx_user }}"
mode: 0755 mode: 0750
- name: "Write keystone configuration from template" - name: "Write keystone configuration from template"
template: template:
@ -118,7 +118,7 @@
dest: "/etc/keystone/keystone.conf" dest: "/etc/keystone/keystone.conf"
owner: "keystone" owner: "keystone"
group: "keystone" group: "keystone"
mode: 0755 mode: 0700
- name: "Apply/Update keystone DB Schema" - name: "Apply/Update keystone DB Schema"
command: keystone-manage db_sync command: keystone-manage db_sync
@ -127,13 +127,13 @@
- name: "Setup Fernet key repositories" - name: "Setup Fernet key repositories"
command: > command: >
keystone-manage fernet_setup keystone-manage fernet_setup
--keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}" --keystone-user="keystone" --keystone-group="{{ nginx_user }}"
environment: "{{ bifrost_venv_env }}" environment: "{{ bifrost_venv_env }}"
- name: "Setup Keystone Credentials" - name: "Setup Keystone Credentials"
command: > command: >
keystone-manage credential_setup keystone-manage credential_setup
--keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}" --keystone-user="keystone" --keystone-group="{{ nginx_user }}"
environment: "{{ bifrost_venv_env }}" environment: "{{ bifrost_venv_env }}"
- name: "Setting external Keystone public URL" - name: "Setting external Keystone public URL"

1
playbooks/roles/bifrost-keystone-install/templates/uwsgi-keystone.ini.j2
View File

@ -4,6 +4,7 @@ master = true
processes = 2 processes = 2
threads = 2 threads = 2
no-orphans = true no-orphans = true
# The socket will be read by nginx which is running as nginx_user
chmod-socket = 660 chmod-socket = 660
virtualenv = {{ bifrost_venv_dir }} virtualenv = {{ bifrost_venv_dir }}

8
playbooks/roles/bifrost-uwsgi-install/tasks/bootstrap.yml
View File

@ -18,6 +18,14 @@
register: uwsgi_install_prefix register: uwsgi_install_prefix
environment: "{{ bifrost_venv_env }}" environment: "{{ bifrost_venv_env }}"
- name: "Ensure /run/uwsgi exists and has the right permissions"
file:
name: "/run/uwsgi"
state: directory
owner: "{{ nginx_user }}"
group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
mode: 0770 # NOTE(dtantsur): needs to be writable by group members
- name: "Ensure /etc/uwsgi exists" - name: "Ensure /etc/uwsgi exists"
file: file:
name: "/etc/uwsgi" name: "/etc/uwsgi"

5
playbooks/roles/bifrost-uwsgi-install/templates/uwsgi@.service.j2
View File

@ -5,9 +5,8 @@ Description=%i uWSGI service
ExecStart={{ uwsgi_install_prefix.stdout | default('/usr/bin') }}/uwsgi \ ExecStart={{ uwsgi_install_prefix.stdout | default('/usr/bin') }}/uwsgi \
--ini /etc/uwsgi/apps-enabled/%i.ini --ini /etc/uwsgi/apps-enabled/%i.ini
SyslogIdentifier=%i SyslogIdentifier=%i
RuntimeDirectory=uwsgi # Has to be root, otherwise uWSGI won't be able to drop privileges
User={{ nginx_user }} User=root
Group={{ nginx_user }}
Restart=on-failure Restart=on-failure
KillSignal=SIGQUIT KillSignal=SIGQUIT
Type=notify Type=notify

7
releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml Normal file
View File

@ -0,0 +1,7 @@
---
fixes:
- |
The keystone configuration is no longer world-readable.
- |
The keystone process now runs as the ``keystone`` user, not as the nginx
user.