::proxy::ceilometer is broken due to permission issues

Bug #1269482 reported by David Moreau Simard on 2014-01-15
This bug affects 3 people

Bug Description

When using the ceilometer middleware, swift needs access to:
- /var/log/ceilometer is 750, ceilometer:adm
- /var/log/ceilometer/swift-proxy-server.log is 644, root:root

- /etc/ceilometer is 750, ceilometer:ceilometer
- /etc/ceilometer/ceilometer.conf is 640, ceilometer:ceilometer

Adding swift to the ceilometer group does not work for ceilometer.conf because of the related bugs:

We need to find a good compromise to grant swift access to ceilometer.conf.

For the logs, there are several options - I think the cleanest would be to change the default logging for swift from /dev/log (syslog) to /var/log/swift and move the ceilometer logs to /var/log/swift.
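The modes and owners listed in the description can be evaluated mechanically to see where the swift user is stopped on each path. This is an added example, not part of the original report or of puppet-swift; the parent directory modes, the group sets passed in, and the helper names are assumptions, and it models only the owner/group/other bits (no ACLs, no root bypass).

```python
R, W, X = 4, 2, 1

# Constructed metadata: the four ceilometer entries use the modes and owners
# from the bug description; the parent directories are ASSUMED 0755 root:root.
TREE = {
    "/": (0o755, "root", "root"),
    "/var": (0o755, "root", "root"),
    "/var/log": (0o755, "root", "root"),
    "/etc": (0o755, "root", "root"),
    "/var/log/ceilometer": (0o750, "ceilometer", "adm"),
    "/var/log/ceilometer/swift-proxy-server.log": (0o644, "root", "root"),
    "/etc/ceilometer": (0o750, "ceilometer", "ceilometer"),
    "/etc/ceilometer/ceilometer.conf": (0o640, "ceilometer", "ceilometer"),
}

def allowed(entry, user, groups, want):
    """POSIX mode check: exactly one of owner/group/other applies."""
    mode, owner, group = entry
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def ancestors(path):
    """Every directory that must be searchable to reach path."""
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def check(path, user, groups, want, tree=TREE):
    """Return (ok, blocking_path) for the requested access mask."""
    for d in ancestors(path):
        if not allowed(tree[d], user, groups, X):  # need search (x) on each dir
            return False, d
    if not allowed(tree[path], user, groups, want):
        return False, path
    return True, None

if __name__ == "__main__":
    conf = "/etc/ceilometer/ceilometer.conf"
    log = "/var/log/ceilometer/swift-proxy-server.log"
    for groups in ({"swift"}, {"swift", "ceilometer"}, {"swift", "adm"}):
        for path, want in ((conf, R), (log, W)):
            ok, blocker = check(path, "swift", groups, want)
            print(sorted(groups), path, "ok" if ok else "denied at " + blocker)
```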

David Moreau Simard (dmsimard) wrote :

FYI, this is more complex than I initially thought since puppet-ceilometer enforces folder permissions on /etc/ceilometer and /etc/ceilometer/ceilometer.conf - patching swift::proxy::ceilometer to enforce permissions on these would only result in modules fighting each other.
I'm looking at pushing a patch in swift at this time.

David Moreau Simard (dmsimard) wrote :

Submitted https://review.openstack.org/#/c/67905/ for the privilege escalation issue.

David Moreau Simard (dmsimard) wrote :

Related commits to puppet-ceilometer:

The https://review.openstack.org/#/c/67905/ review for the swift privilege escalation was merged.

Changed in puppet-swift:
status: New → Fix Committed
importance: Undecided → Critical
Mathieu Gagné (mgagne) on 2015-07-09
Changed in puppet-swift:
milestone: none → 6.0.0
Mathieu Gagné (mgagne) on 2015-07-10
Changed in puppet-swift:
status: Fix Committed → Fix Released