[SRU] local_settings.py is world readable and contains passwords

I've just confirmed this at a site with 17.02 charms, and indeed the perms on the file are -rw-r--r--

Underway, presuming comment #1 intended 18.02 and not 17.02.

I've confirmed this is not a package bug.

The postinst package script has:

  if [ -f /etc/openstack-dashboard/local_settings.py ]; then
    chown root:horizon /etc/openstack-dashboard/local_settings.py
    chmod 0640 /etc/openstack-dashboard/local_settings.py
  fi

And a xenial-pike install of openstack-dashboard has:

root@x1:~# ls -al /etc/openstack-dashboard/local_settings.py
-rw-r----- 1 root horizon 34432 Dec 1 13:16 /etc/openstack-dashboard/local_settings.py

I'll focus on the charm now.

I just completed a small deployment on xenial-pike with only mysql, keystone, and openstack-dashboard charms and after deployment completes, the permissions look ok:

ubuntu@juju-bdca29-coreycb2-2:~$ sudo ls -al /etc/openstack-dashboard/
total 40
drwxr-x--- 2 root horizon 4096 Mar 13 14:11 .
drwxr-xr-x 101 root root 4096 Mar 13 14:07 ..
-rw-r----- 1 root horizon 30995 Mar 13 14:12 local_settings.py

Attempting a larger deployment this time, and I'll use ocata for variation.

Xav/James, What release of openstack is this? Also are there any other details for reproducing?

It was on a xenial-ocata cloud.

openstack-dashboard-internal is cs:openstack-dashboard-250

$ juju ssh openstack-dashboard-internal/0 'sudo ls -l /etc/openstack-dashboard'
total 32
-rw-r--r-- 1 root root 32133 Dec 19 12:04 local_settings.py

Mid-deployment and I seem to be reproducing this on xenial-ocata.

Ok I've confirmed this is a packaging issue after all. It was fixed in pike and not backported.

This appears to affect all supported releases prior to pike.

Hello James, or anyone else affected,

Accepted horizon into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted horizon into newton-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:newton-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-newton-needed to verification-newton-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-newton-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted horizon into kilo-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:kilo-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-kilo-needed to verification-kilo-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-kilo-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

FWIW, using charm cs:openstack-dashboard-257 and Xenial/Mitaka:

ubuntu@juju-e9c2ed-20:~$ ls -l /etc/openstack-dashboard
total 28
-rw-r--r-- 1 root root 26770 Mar 13 05:36 local_settings.py
ubuntu@juju-e9c2ed-20:~$ sudo su - nobody -s /bin/bash
No directory, logging in with HOME=/
nobody@juju-e9c2ed-20:/$ head /etc/openstack-dashboard/local_settings.py
# -*- coding: utf-8 -*-

The difference is that in Mitaka there's not the 'PASSWORD' setting, however there is other potentially sensitive info in that file.

Installed 9.1.2-0ubuntu4 from xenial-proposed, took the package maintainer's config file, and re-ran the config-changed hook. No change, file permissions still -rw-r--r--

Xav, xenial hasn't received any updates for this bug yet. We currently have updates available for ocata-proposed, newton-proposed, and kilo-proposed.

Trusty is in the SRU unapproved queue awaiting review from the SRU team.

Xenial is blocked at the moment by https://bugs.launchpad.net/ubuntu/+source/horizon/+bug/1725421 and Shane is reporting back to me by EOD on testing results. If verification for that bug is still failing at EOD today we're going to reject that fix from xenial-proposed and push the fix for this bug (1755027) ahead of that.

The versions uploaded yesterday caused a regression resulting in permission denied to /var/lib/openstack-dashboard/secret_key. I have a tested fix that I'm working on uploading.

FYI, a charm gate regression test is proposed @:

https://review.openstack.org/#/c/552901

Hello James, or anyone else affected,

Accepted horizon into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Sorry for the churn, there's a new version of the package that is yet to be uploaded for ocata. Ocata was running the apache conf under www-data:www-data whereas all other releases run under horizon:horizon. The next version will fix this bug and include other changes needed to run under horizon:horizon.

This will also require a charm template update for ocata.

FYI: 11.0.4-0ubuntu1~cloud2.2 package from ocata/proposed was exercised via charm gate tests, and is passing: http://paste.ubuntu.com/p/ptNXFv3QJv/

The following packages have chown www-data /var/lib/openstack-dashboard/ after collecting/compressing static assets which can disable access to important files such as static assets when the openstack-dashboard apache2 conf is run under horizon:horizon.

The following releases are affected:
openstack-dashboard ocata
designate-dashboard ocata, pike
sahara-dashboard xenial, ocata, pike
murano-dashboard xenial, ocata, pike
neutron-lbaas-dashboard ocata
trove-dashboard xenial, ocata, pike

Ok can't target xenial for some reason with Launchpad atm.

Or artful.

Hello James, or anyone else affected,

Accepted designate-dashboard into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted horizon into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted murano-dashboard into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted neutron-lbaas-dashboard into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted sahara-dashboard into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted trove-dashboard into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I've uploaded designate-dashboard, murano-dashboard, trove-dashboard, and sahara-dashboard to the Artful Unapproved queue where they are awaiting review by the SRU team. Note that these changes are only updating these dashboard to use the proper user:group when performing chown on /var/lib/openstack-dashboard. This may look tengential when just looking at the Artful packages but it aligns with the changes being made for the Ocata cloud-archive (and already made in Bionic) that run openstack-dashboard under horizon:horizon instead of under www-data:www-data.

Artful Unapproved queue: https://launchpad.net/ubuntu/artful/+queue?queue_state=1&queue_text=

I've successfully verified horizon from ocata-proposed:

* sets /etc/openstack-dashboard/local_settings.py -rw-r----- 1 root horizon 30915 Mar 15 14:25 local_settings.py
* runs openstack-dashboard apache conf under horizon:horizon (both from package-only and charm install with tempate override)
* upgraded from openstack-dashboard 3:11.0.4-0ubuntu1~cloud1 in cloud-archive:ocata to openstack-dashboard 3:11.0.4-0ubuntu1~cloud2.3 in cloud-archive:ocata-proposed
* performed various tasks from dashboard (create instance, delete instance, create volume, create user, create project)
* installation of openstack-dashboard and plugin dashboards keeps owner of /var/lib/openstack-dashboard/* as horizon:horizon

Releasing to ocata-updates will need to be coordinated with the following ocata charm fixes:
https://review.openstack.org/#/c/553410
https://review.openstack.org/#/c/552971
https://review.openstack.org/#/c/552901

Since the world-readable issue doesn't affect Artful, I'd like to release Ocata as soon as we're ready, and not wait for Artful/Pike fixes to land as we would normally do.

Hello James, or anyone else affected,

Accepted horizon into newton-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:newton-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-newton-needed to verification-newton-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-newton-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

The verification of the Stable Release Update for designate-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package designate-dashboard - 4.0.0-0ubuntu1~cloud1
---------------

 designate-dashboard (4.0.0-0ubuntu1~cloud1) xenial-ocata; urgency=medium
 .
   * d/python-designate-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).

The verification of the Stable Release Update for horizon has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package horizon - 3:11.0.4-0ubuntu1~cloud2.3
---------------

 horizon (3:11.0.4-0ubuntu1~cloud2.3) xenial-ocata; urgency=medium
 .
   * d/openstack-dashboard.postinst, d/openstack-dashboard.conf: Align
     with other releases of horizon and use horizon:horizon instead of
     www-data:www-data.
   * d/openstack-dashboard.postinst: Ensure permissions are not
     world-readable for /etc/openstack-dashboard/local_settings.py
     (LP: #1755027).

The verification of the Stable Release Update for murano-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package murano-dashboard - 1:3.2.0-0ubuntu2~cloud1
---------------

 murano-dashboard (1:3.2.0-0ubuntu2~cloud1) xenial-ocata; urgency=medium
 .
   * d/python-murano-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).

The verification of the Stable Release Update for neutron-lbaas-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package neutron-lbaas-dashboard - 2.0.0-0ubuntu1.1~cloud1
---------------

 neutron-lbaas-dashboard (2.0.0-0ubuntu1.1~cloud1) xenial-ocata; urgency=medium
 .
   * d/python-neutron-lbaas-dashboard.postinst: Align with pike and other
     releases of horizon and use horizon:horizon instead of www-data:www-data
     (LP: #1755027).

The verification of the Stable Release Update for sahara-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package sahara-dashboard - 6.0.0-0ubuntu1~cloud1
---------------

 sahara-dashboard (6.0.0-0ubuntu1~cloud1) xenial-ocata; urgency=medium
 .
   * d/python-sahara-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).

The verification of the Stable Release Update for trove-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package trove-dashboard - 8.0.0-0ubuntu1~cloud1
---------------

 trove-dashboard (8.0.0-0ubuntu1~cloud1) xenial-ocata; urgency=medium
 .
   * d/python-trove-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).

Verified successfully on newton-proposed.

The verification of the Stable Release Update for horizon has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package horizon - 3:10.0.5-0ubuntu1~cloud3.1
---------------

 horizon (3:10.0.5-0ubuntu1~cloud3.1) xenial-newton; urgency=medium
 .
   * d/openstack-dashboard.postinst: Ensure permissions are not
     world-readable for /etc/openstack-dashboard/local_settings.py
     (LP: #1755027).

Hello James, or anyone else affected,

Accepted horizon into kilo-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:kilo-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-kilo-needed to verification-kilo-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-kilo-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted trove-dashboard into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/trove-dashboard/9.0.0-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted designate-dashboard into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/designate-dashboard/5.0.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted murano-dashboard into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/murano-dashboard/1:4.0.0-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

The verification of the Stable Release Update for horizon has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package horizon - 1:2015.1.4-0ubuntu4.1
---------------

 horizon (1:2015.1.4-0ubuntu4.1) trusty-kilo; urgency=medium
 .
   * d/openstack-dashboard.postinst: Ensure permissions are not
     world-readable for /etc/openstack-dashboard/local_settings.py
     (LP: #1755027).

Hello James, or anyone else affected,

Accepted trove-dashboard into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/trove-dashboard/6.0.0-1ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted murano-dashboard into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/murano-dashboard/1:2.0.0-1ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted sahara-dashboard into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sahara-dashboard/4.0.0-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted horizon into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/horizon/2:9.1.2-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted horizon into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/horizon/1:2014.1.5-0ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello James, or anyone else affected,

Accepted sahara-dashboard into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sahara-dashboard/6.0.0-0ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Artful verification has completed successfully using artful-proposed with the following packages:

python-designate-dashboard: 5.0.1-0ubuntu1.1
python-murano-dashboard: 1:4.0.0-0ubuntu1.2
python-sahara-dashboard: 6.0.0-0ubuntu1.2
python-trove-dashboard: 9.0.0-0ubuntu1.1

After installing each package, permissions for /var/lib/openstack-dashboard remained as follows:
/var/lib/openstack-dashboard:
total 24
drwxr-xr-x 5 horizon horizon 4096 Mar 16 12:49 .
drwxr-xr-x 41 root root 4096 Mar 16 12:00 ..
drwxr-xr-x 3 horizon horizon 4096 Mar 16 12:49 .novaclient
-rw-r--r-- 1 horizon horizon 0 Mar 16 12:01 _var_lib_openstack-dashboard_secret_key.lock
drwxr-xr-x 2 horizon horizon 4096 Feb 2 20:24 secret-key
-rw------- 1 horizon horizon 64 Mar 16 12:01 secret_key
drwxr-xr-x 13 horizon horizon 4096 Mar 16 12:57 static

I also verified and promoted kilo yesterday, tagging appropriately.

Hello James, or anyone else affected,

Accepted horizon into mitaka-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:mitaka-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-mitaka-needed to verification-mitaka-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-mitaka-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Xenial verification has completed successfully using xenial-proposed with the following packages:

openstack-dashboard: 2:9.1.2-0ubuntu5
python-sahara-dashboard: 4.0.0-1ubuntu1.1
python-murano-dashboard: 1:2.0.0-1ubuntu1
python-trove-dashboard: 6.0.0-1ubuntu1

After installing each package, permissions for /etc/openstack-dashboard and /var/lib/openstack-dashboard remains as follows and the dashboard continues to function as expected:

/etc/openstack-dashboard:
total 36
drwxr-xr-x 2 horizon horizon 4096 Mar 16 13:26 .
drwxr-xr-x 101 root root 4096 Mar 16 13:27 ..
-rw-r----- 1 root horizon 26775 Mar 16 13:29 local_settings.py

/var/lib/openstack-dashboard:
total 12
drwx------ 2 horizon horizon 4096 Mar 16 13:26 .
drwxr-xr-x 48 root root 4096 Mar 16 13:26 ..
-rw------- 1 horizon horizon 64 Mar 16 13:26 secret_key
-rw-r--r-- 1 horizon horizon 0 Mar 16 13:26 _var_lib_openstack-dashboard_secret_key.lock

Affected packages are now in pike-proposed.

Pike verification has completed successfully using pike-proposed with the following packages:

python-designate-dashboard: 5.0.1-0ubuntu1.1~cloud0
python-murano-dashboard: 1:4.0.0-0ubuntu1.2~cloud0
python-sahara-dashboard: 6.0.0-0ubuntu1.2~cloud0
python-trove-dashboard: 9.0.0-0ubuntu1.1~cloud0

After installing each package, permissions for /var/lib/openstack-dashboard remained as follows:
/var/lib/openstack-dashboard:

/var/lib/openstack-dashboard:
total 28
drwxr-xr-x 6 horizon horizon 4096 Mar 16 13:39 .
drwxr-xr-x 48 root root 4096 Mar 16 13:19 ..
drwxr-xr-x 3 horizon horizon 4096 Mar 16 13:39 .cinderclient
drwxr-xr-x 3 horizon horizon 4096 Mar 16 13:35 .novaclient
-rw------- 1 horizon horizon 64 Mar 16 13:19 secret_key
drwxr-xr-x 2 horizon horizon 4096 Feb 6 03:07 secret-key
drwxr-xr-x 12 horizon horizon 4096 Mar 16 13:53 static
-rw-r--r-- 1 horizon horizon 0 Mar 16 13:19 _var_lib_openstack-dashboard_secret_key.lock

Also worth nothing dashboard continues to function after each install and /etc/openstack-dashboard perms are:

/etc/openstack-dashboard:
total 40
drwxr-x--- 2 root horizon 4096 Mar 16 13:19 .
drwxr-xr-x 101 root root 4096 Mar 16 13:21 ..
-rw-r----- 1 root horizon 31002 Mar 16 13:24 local_settings.py

The verification of the Stable Release Update for designate-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package designate-dashboard - 5.0.1-0ubuntu1.1~cloud0
---------------

 designate-dashboard (5.0.1-0ubuntu1.1~cloud0) xenial-pike; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 designate-dashboard (5.0.1-0ubuntu1.1) artful; urgency=medium
 .
   * d/python-designate-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).

The verification of the Stable Release Update for murano-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package murano-dashboard - 1:4.0.0-0ubuntu1.2~cloud0
---------------

 murano-dashboard (1:4.0.0-0ubuntu1.2~cloud0) xenial-pike; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 murano-dashboard (1:4.0.0-0ubuntu1.2) artful; urgency=medium
 .
   * d/python-murano-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).

The verification of the Stable Release Update for sahara-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package sahara-dashboard - 6.0.0-0ubuntu1.2~cloud0
---------------

 sahara-dashboard (6.0.0-0ubuntu1.2~cloud0) xenial-pike; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 sahara-dashboard (6.0.0-0ubuntu1.2) artful; urgency=medium
 .
   * d/gbp.conf: Create stable/pike branch.
   * d/python-sahara-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).
   * d/p/fix-neutron-related-openstack_dashboard-imports.patch: Cherry-picked
     patch from upstream to fix AttributeError's such as "AttributeError:
     'module' object has no attribute 'floating_ip_pools_list'" (LP: #1756189).

The verification of the Stable Release Update for trove-dashboard has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package trove-dashboard - 9.0.0-0ubuntu1.1~cloud0
---------------

 trove-dashboard (9.0.0-0ubuntu1.1~cloud0) xenial-pike; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 trove-dashboard (9.0.0-0ubuntu1.1) artful; urgency=medium
 .
   * d/gbp.conf: Create stable/pike branch.
   * d/python-trove-dashboard.postinst: Align with openstack-dashboard
     and use chown horizon instead of www-data (LP: #1755027).

Trusty verification has completed successfully using trusty-proposed with the following package:
openstack-dashboard: 1:2014.1.5-0ubuntu2.2

After installation, permissions for /etc/openstack-dashboard are:

/etc/openstack-dashboard:
total 28
drwxr-xr-x 2 horizon horizon 4096 Mar 16 14:13 .
drwxr-xr-x 94 root root 4096 Mar 16 14:13 ..
-rw-r----- 1 root horizon 15180 Mar 16 14:16 local_settings.py
-rw-r--r-- 1 root root 333 Jul 29 2015 ubuntu_theme.py

And dashboard functions as expected.

Mitaka verification has completed successfully using mtiaka-proposed with the following package:
openstack-dashboard: 2:9.1.2-0ubuntu5~cloud0

After installation, permissions for /etc/openstack-dashboard are:

ubuntu@juju-1ece6c-coreycb2-21:~$ ls -al /etc/openstack-dashboard
total 64
drwxr-xr-x 2 horizon horizon 4096 Mar 16 15:08 .
drwxr-xr-x 96 root root 4096 Mar 16 14:10 ..
-rw-r----- 1 root horizon 26766 Mar 16 14:16 local_settings.py

And dashboard functions as expected.

The verification of the Stable Release Update for horizon has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package horizon - 2:9.1.2-0ubuntu5~cloud0
---------------

 horizon (2:9.1.2-0ubuntu5~cloud0) trusty-mitaka; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 horizon (2:9.1.2-0ubuntu5) xenial; urgency=medium
 .
   [ Seyeong Kim ]
   * Hide unused consistency groups tab (LP: #1582725)
     - d/p/hide-unused-consistency-groups.patch: Pick some policies from
       upstream commit 388708b251b0487bb22fb3ebb8fcb36ee4ffdc4f to hide
       unused consistency groups tab.
 .
   [ Corey Bryant ]
   * d/openstack-dashboard.postinst: Ensure permissions are not
     world-readable for /etc/openstack-dashboard/local_settings.py
     (LP: #1755027).
 .
   [ Shane Peters ]
   * d/p/let-nova-to-pick-availability-zone.patch:
     In the Angular Launch Instance, if there is more than one
     availability zone default to the option for the Nova scheduler to pick.
     This is regression from the legacy Launch Instance feature (LP: #1613900).

This bug was fixed in the package murano-dashboard - 1:4.0.0-0ubuntu1.2

---------------
murano-dashboard (1:4.0.0-0ubuntu1.2) artful; urgency=medium

  * d/python-murano-dashboard.postinst: Align with openstack-dashboard
    and use chown horizon instead of www-data (LP: #1755027).

 -- Corey Bryant <email address hidden> Wed, 14 Mar 2018 21:15:35 -0400

This bug was fixed in the package trove-dashboard - 9.0.0-0ubuntu1.1

---------------
trove-dashboard (9.0.0-0ubuntu1.1) artful; urgency=medium

  * d/gbp.conf: Create stable/pike branch.
  * d/python-trove-dashboard.postinst: Align with openstack-dashboard
    and use chown horizon instead of www-data (LP: #1755027).

 -- Corey Bryant <email address hidden> Wed, 14 Mar 2018 21:25:42 -0400

This bug was fixed in the package designate-dashboard - 5.0.1-0ubuntu1.1

---------------
designate-dashboard (5.0.1-0ubuntu1.1) artful; urgency=medium

  * d/python-designate-dashboard.postinst: Align with openstack-dashboard
    and use chown horizon instead of www-data (LP: #1755027).

 -- Corey Bryant <email address hidden> Wed, 14 Mar 2018 21:18:33 -0400

This bug was fixed in the package sahara-dashboard - 6.0.0-0ubuntu1.2

---------------
sahara-dashboard (6.0.0-0ubuntu1.2) artful; urgency=medium

  * d/gbp.conf: Create stable/pike branch.
  * d/python-sahara-dashboard.postinst: Align with openstack-dashboard
    and use chown horizon instead of www-data (LP: #1755027).
  * d/p/fix-neutron-related-openstack_dashboard-imports.patch: Cherry-picked
    patch from upstream to fix AttributeError's such as "AttributeError:
    'module' object has no attribute 'floating_ip_pools_list'" (LP: #1756189).

 -- Corey Bryant <email address hidden> Wed, 14 Mar 2018 21:20:49 -0400

This bug was fixed in the package murano-dashboard - 1:2.0.0-1ubuntu1

---------------
murano-dashboard (1:2.0.0-1ubuntu1) xenial; urgency=medium

  * d/python-murano-dashboard.postinst: Align with openstack-dashboard
    and use chown horizon instead of www-data (LP: #1755027).

 -- Corey Bryant <email address hidden> Thu, 15 Mar 2018 09:20:46 -0400

This bug was fixed in the package trove-dashboard - 6.0.0-1ubuntu1

---------------
trove-dashboard (6.0.0-1ubuntu1) xenial; urgency=medium

  * d/python-trove-dashboard.postinst: Align with openstack-dashboard
    and use chown horizon instead of www-data (LP: #1755027).

 -- Corey Bryant <email address hidden> Thu, 15 Mar 2018 09:27:44 -0400

This bug was fixed in the package sahara-dashboard - 4.0.0-1ubuntu1.1

---------------
sahara-dashboard (4.0.0-1ubuntu1.1) xenial; urgency=medium

  * d/python-sahara-dashboard.postinst: Align with openstack-dashboard
    and use chown horizon instead of www-data (LP: #1755027).

 -- Corey Bryant <email address hidden> Thu, 15 Mar 2018 09:24:45 -0400

This bug was fixed in the package horizon - 2:9.1.2-0ubuntu5

---------------
horizon (2:9.1.2-0ubuntu5) xenial; urgency=medium

  [ Seyeong Kim ]
  * Hide unused consistency groups tab (LP: #1582725)
    - d/p/hide-unused-consistency-groups.patch: Pick some policies from
      upstream commit 388708b251b0487bb22fb3ebb8fcb36ee4ffdc4f to hide
      unused consistency groups tab.

  [ Corey Bryant ]
  * d/openstack-dashboard.postinst: Ensure permissions are not
    world-readable for /etc/openstack-dashboard/local_settings.py
    (LP: #1755027).

  [ Shane Peters ]
  * d/p/let-nova-to-pick-availability-zone.patch:
    In the Angular Launch Instance, if there is more than one
    availability zone default to the option for the Nova scheduler to pick.
    This is regression from the legacy Launch Instance feature (LP: #1613900).

 -- Corey Bryant <email address hidden> Thu, 15 Mar 2018 13:57:14 -0400

This bug was fixed in the package horizon - 1:2014.1.5-0ubuntu2.2

---------------
horizon (1:2014.1.5-0ubuntu2.2) trusty; urgency=medium

  * d/openstack-dashboard.postinst: Ensure permissions are not
    world-readable for /etc/openstack-dashboard/local_settings.py
    (LP: #1755027).

 -- Corey Bryant <email address hidden> Wed, 14 Mar 2018 08:55:44 -0400

Reviewed: https://review.openstack.org/552901
Committed: https://git.openstack.org/cgit/openstack/charm-openstack-dashboard/commit/?id=eb9e0b839110c6949b16b3dcd5ec705093bdeb35
Submitter: Zuul
Branch: master

commit eb9e0b839110c6949b16b3dcd5ec705093bdeb35
Author: Ryan Beisner <email address hidden>
Date: Wed Mar 14 13:18:12 2018 +0000

    Add regression test coverage for conf file permissions

    Change-Id: I8e7f986035935a742b4acb320f71887e23989dbb
    Partial-bug: #1755027