::proxy::ceilometer is broken due to permission issues

Bug #1269482 reported by David Moreau Simard on 2014-01-15
This bug affects 3 people
Affects: puppet-swift
Importance: Critical
Assigned to: Unassigned

Bug Description

When using the ceilometer middleware, swift needs access to:
/var/log/ceilometer/swift-proxy-server.log
- /var/log/ceilometer is 750, ceilometer:adm
- /var/log/ceilometer/swift-proxy-server.log is 644, root:root

/etc/ceilometer/ceilometer.conf
- /etc/ceilometer is 750, ceilometer:ceilometer
- /etc/ceilometer/ceilometer.conf is 640, ceilometer:ceilometer

Adding swift to the ceilometer group does not work for ceilometer.conf because of the related bugs:
https://bugs.launchpad.net/ceilometer/+bug/1262264
https://bugs.launchpad.net/swift/+bug/1269473

We need to find a good compromise to grant swift access to ceilometer.conf.

For the logs, there are several options - I think the cleanest would be to change the default logging for swift from /dev/log (syslog) to /var/log/swift and move the ceilometer logs to /var/log/swift.
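
An added example (not part of the bug report or of puppet-swift) that walks the two paths listed above and reports the first component whose mode bits deny the swift user. The modes for the ceilometer paths are the ones in the description; the 755 root:root parent directories, the `TREE` table and the function names are assumptions made for illustration, and ACLs or MAC policies are not modelled.

```python
# Added example: evaluate classic Unix mode bits along a path for a non-root user.
# Modes for the ceilometer paths are from the bug description; the parent
# directories (755 root:root) are assumed, and ACLs/MAC policies are ignored.
TREE = {  # path: (mode, owner, group) -- constructed metadata, not a real stat()
    "/": (0o755, "root", "root"),
    "/var": (0o755, "root", "root"),
    "/var/log": (0o755, "root", "root"),
    "/var/log/ceilometer": (0o750, "ceilometer", "adm"),
    "/var/log/ceilometer/swift-proxy-server.log": (0o644, "root", "root"),
    "/etc": (0o755, "root", "root"),
    "/etc/ceilometer": (0o750, "ceilometer", "ceilometer"),
    "/etc/ceilometer/ceilometer.conf": (0o640, "ceilometer", "ceilometer"),
}
R, W, X = 4, 2, 1

def class_bits(mode, owner, group, user, groups):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def first_denial(tree, path, user, groups, want):
    """Return the first path component that denies access, or None if allowed.

    Every ancestor directory needs search (x); the final component needs `want`.
    `groups` is the group set held by the running process.
    """
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    for prefix in prefixes:
        need = want if prefix == path else X
        mode, owner, group = tree[prefix]
        if (class_bits(mode, owner, group, user, groups) & need) != need:
            return prefix
    return None

CONF = "/etc/ceilometer/ceilometer.conf"
LOG = "/var/log/ceilometer/swift-proxy-server.log"

if __name__ == "__main__":
    for groups in ({"swift"}, {"swift", "ceilometer"}, {"swift", "adm"}):
        print(sorted(groups), "conf read:", first_denial(TREE, CONF, "swift", groups, R),
              "| log write:", first_denial(TREE, LOG, "swift", groups, W))
```

The result depends on the groups the process holds at the time of the open, so the same check with and without `ceilometer` in `groups` shows what group membership buys on each path.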

David Moreau Simard (dmsimard) wrote :

FYI This is more complex than I initially thought since puppet-ceilometer enforces folder permissions on /etc/ceilometer and /etc/ceilometer/ceilometer.conf - patching swift::proxy::ceilometer to enforce permission on these would only result in modules fighting each other.
I'm looking at pushing a patch in swift at this time.

David Moreau Simard (dmsimard) wrote :

Submitted https://review.openstack.org/#/c/67905/ for the privilege escalation issue.

David Moreau Simard (dmsimard) wrote :

Related commits to puppet-ceilometer:
https://review.openstack.org/#/c/69659/
https://review.openstack.org/#/c/73650/

The https://review.openstack.org/#/c/67905/ review for the swift privilege escalation was merged.

Changed in puppet-swift:
status: New → Fix Committed
importance: Undecided → Critical
Mathieu Gagné (mgagne) on 2015-07-09
Changed in puppet-swift:
milestone: none → 6.0.0
Mathieu Gagné (mgagne) on 2015-07-10
Changed in puppet-swift:
status: Fix Committed → Fix Released