glance configuration files with secret information are set as 644

Bug #1372330 reported by LeileiZhou
This bug affects 1 person
Affects: OpenStack + Chef
Status: Fix Released
Importance: Undecided
Assigned to: LeileiZhou

Bug Description

File permission for glance-api.conf is set as 0644, however it contains secrets:
qpid_password=
vmware_server_password =
==================================================================
File permission for glance-cache.conf is set as 0644, however it contains secrets:
swift_store_key =
vmware_server_password =
===============================================================
File permission for glance-registry.conf is set as 0644, however it contains secrets:
connection =
===============================================================
File permission for glance-scrubber.conf is set as 0644, however it contains secrets:
# Auth settings if using Keystone
# auth_url = http://127.0.0.1:5000/v2.0/
# admin_tenant_name = %SERVICE_TENANT_NAME%
# admin_user = %SERVICE_USER%
# admin_password = %SERVICE_PASSWORD%

# Directory to use for lock files. Default to a temp directory
# (string value). This setting needs to be the same for both
# glance-scrubber and glance-api.
#lock_path=<None>
# AES key for encrypting store 'location' metadata, including
# -- if used -- Swift or S3 credentials
# Should be set to a random string of length 16, 24 or 32 bytes
#metadata_encryption_key = <16, 24 or 32 char registry metadata key>
===============================================================

The mode of the above files should be set to 640 instead of 644 to protect the secrets from unauthorized users.

LeileiZhou (leileiz)
Changed in openstack-chef:
assignee: nobody → LeileiZhou (leileiz)
LeileiZhou (leileiz)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-image (master)

Fix proposed to branch: master
Review: https://review.openstack.org/123075

Changed in openstack-chef:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cookbook-openstack-image (master)

Change abandoned by LeileiZhou (<email address hidden>) on branch: master
Review: https://review.openstack.org/123075

OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-image (master)

Fix proposed to branch: master
Review: https://review.openstack.org/123317

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-image (master)

Reviewed: https://review.openstack.org/123317
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-image/commit/?id=6bb31791415a7574f4f44436e4076049df7f7a00
Submitter: Jenkins
Branch: master

commit 6bb31791415a7574f4f44436e4076049df7f7a00
Author: leileiz <email address hidden>
Date: Mon Sep 22 22:52:12 2014 -0400

    Update glance configuration file permission

    Some of the glance configuration files contain secret information like
    qpid_password, db connection. To prevent unauthorized users from accessing it,
    change those files' permissions to 640.

    Closes-Bug:#1372330
    Change-Id: Id0dfc250ca98759c5c134f5d163d862889f35259

Changed in openstack-chef:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cookbook-openstack-image ocata-eol

This issue was fixed in the openstack/cookbook-openstack-image ocata-eol release.
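
A node-side check for the condition this bug describes, as an added example (not code from the cookbook or the review): it flags glance *.conf files that hold an uncommented, secret-bearing option while their mode grants any access to "other". The key-name pattern, the function names and the sample files are assumptions constructed for this example.

```ruby
require 'tmpdir'

# Option names treated as secret-bearing. The names come from the keys listed
# in the report; the pattern itself is this example's assumption. Commented-out
# template lines ("# admin_password = ...") and empty values do not match.
SECRET_KEY = /\A\s*(?:\w*(?:password|_key)|connection)\s*=\s*\S/

# Names of the uncommented secret-bearing options set in an INI-style file.
def secret_options(path)
  File.readlines(path).grep(SECRET_KEY) { |l| l.split('=', 2).first.strip }.uniq
end

# Audit every *.conf in dir. A finding is a file that carries at least one
# secret option and whose mode has any "other" bit set (the 0644 case).
def audit_conf_dir(dir)
  Dir.glob(File.join(dir, '*.conf')).sort.filter_map do |path|
    mode = File.stat(path).mode & 0o777
    keys = secret_options(path)
    next if keys.empty? || (mode & 0o007).zero?

    { file: File.basename(path), mode: format('%04o', mode), keys: keys }
  end
end

# Constructed sample data: file contents and values are made up.
def demo
  samples = {
    'glance-api.conf'      => [0o644, "[DEFAULT]\nqpid_password = example-not-real\n"],
    'glance-registry.conf' => [0o640, "connection = mysql://u:example@db/glance\n"],
    'glance-scrubber.conf' => [0o644, "# admin_password = %SERVICE_PASSWORD%\n"]
  }
  Dir.mktmpdir do |dir|
    samples.each do |name, (mode, body)|
      path = File.join(dir, name)
      File.write(path, body)
      File.chmod(mode, path) # set the mode explicitly, independent of umask
    end
    audit_conf_dir(dir)
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |f| puts "#{f[:file]}: mode #{f[:mode]} exposes #{f[:keys].join(', ')}" }
end
```

Mode 0640 only protects the file if its owner and group are restricted to the service account, so check ownership alongside the mode bits.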
