Horizon container can't read *policy.json in /etc/openstack-dashboard

Bug #1723125 reported by Martin André on 2017-10-12
This bug affects 1 person
Affects: tripleo
Importance: High
Assigned to: Martin André

Bug Description

For some obscure reason kolla sets the permissions for the files in /etc/openstack-dashboard to horizon:horizon [1], which doesn't align with the permissions set by the openstack-horizon rpm [2].

Our recent change to the puppet-generated directory for copying in the configuration files in the container broke the workaround we had in place.

One way to fix the ownership could be at runtime with the kolla_config's perms structure.

[1] https://github.com/openstack/kolla/blob/master/docker/horizon/Dockerfile.j2#L37
[2] https://review.rdoproject.org/r/gitweb?p=openstack/horizon-distgit.git;a=blob;f=python-django-horizon.spec;h=f2c46a1187825139717c74daa1920d5bfcf77c82;hb=HEAD#l403

Changed in tripleo:
assignee: nobody → Martin André (mandre)
status: Triaged → In Progress

Reviewed: https://review.openstack.org/511442
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fd657aa4e68de7ad239a88525b5ae343acd3bf80
Submitter: Zuul
Branch: master

commit fd657aa4e68de7ad239a88525b5ae343acd3bf80
Author: Rhys Oxenham <email address hidden>
Date: Thu Oct 12 10:31:42 2017 +0100

    Fix /etc/openstack-dashboard/ permissions for access to *policy.json

    The Kolla Dockerfile sets the permissions for /etc/openstack-dashboard/
    to horizon:horizon. We need this to be readable by the apache user
    as the horizon user is not the user that httpd runs as. We may
    want to consider fixing this in the upstream Dockerfile instead, e.g.
    checking if we're using centos/rhel and changing the permissions that
    way. I'm not sure why it's set to horizon:horizon upstream, and I'm keen
    not to break any existing functionality that relies on the horizon based
    permissions.

    Closes-Bug: #1723125
    Change-Id: If5feebae38f7fdfffa60bfaedc4521f676006484

Changed in tripleo:
status: In Progress → Fix Released

This issue was fixed in the openstack/tripleo-heat-templates 8.0.0.0b1 development milestone.
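
The failure described in the report and the commit message above, modelled as a check: can the account httpd runs as read the *policy.json files, and can it also modify them? This is an added example, not code from tripleo, kolla or Horizon; the numeric ids, the modes and the file name keystone_policy.json are constructed assumptions, and only classic owner/group/other permissions are evaluated.

```python
import stat
from collections import namedtuple

# Constructed sample data: numeric ids and modes are illustrative assumptions.
HORIZON, APACHE, ROOT = 1001, 48, 0
Entry = namedtuple("Entry", "path uid gid mode")  # mode = full st_mode


def granted(entry, uid, gids):
    """rwx bits POSIX DAC gives uid/gids on entry (ignores ACLs, SELinux, root)."""
    if uid == entry.uid:
        return (entry.mode >> 6) & 7  # owner class applies, even if weaker
    if entry.gid in gids:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def audit(entries, uid, gids):
    """Map each regular file to 'unreadable', 'writable' or 'read-only'."""
    dirs = {e.path: e for e in entries if stat.S_ISDIR(e.mode)}
    result = {}
    for e in entries:
        if stat.S_ISDIR(e.mode):
            continue
        parent = dirs[e.path.rsplit("/", 1)[0]]
        dir_bits, file_bits = granted(parent, uid, gids), granted(e, uid, gids)
        if not dir_bits & 1 or not file_bits & 4:  # need x on dir, r on file
            result[e.path] = "unreadable"
        elif file_bits & 2 or dir_bits & 2:  # can edit or replace the file
            result[e.path] = "writable"
        else:
            result[e.path] = "read-only"
    return result


def layout(uid, gid):
    """Build a constructed /etc/openstack-dashboard tree with one owner."""
    d = "/etc/openstack-dashboard"
    return [Entry(d, uid, gid, stat.S_IFDIR | 0o750),
            Entry(d + "/keystone_policy.json", uid, gid, stat.S_IFREG | 0o640)]


if __name__ == "__main__":
    for name, tree in [("horizon:horizon", layout(HORIZON, HORIZON)),
                       ("apache:apache", layout(APACHE, APACHE)),
                       ("root:apache", layout(ROOT, APACHE))]:
        print(name, audit(tree, APACHE, {APACHE}))
```

With these constructed modes, the horizon:horizon tree is unreadable to the httpd account, a tree owned by that account is readable but also writable by it, and a root-owned tree with the httpd group is readable only.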

Reviewed: https://review.openstack.org/515105
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=e3e0f84c49510afd6da1707bfd9460513a5aee89
Submitter: Zuul
Branch: stable/pike

commit e3e0f84c49510afd6da1707bfd9460513a5aee89
Author: Rhys Oxenham <email address hidden>
Date: Thu Oct 12 10:31:42 2017 +0100

    Fix /etc/openstack-dashboard/ permissions for access to *policy.json

    The Kolla Dockerfile sets the permissions for /etc/openstack-dashboard/
    to horizon:horizon. We need this to be readable by the apache user
    as the horizon user is not the user that httpd runs as. We may
    want to consider fixing this in the upstream Dockerfile instead, e.g.
    checking if we're using centos/rhel and changing the permissions that
    way. I'm not sure why it's set to horizon:horizon upstream, and I'm keen
    not to break any existing functionality that relies on the horizon based
    permissions.

    Closes-Bug: #1723125
    Change-Id: If5feebae38f7fdfffa60bfaedc4521f676006484
    (cherry picked from commit fd657aa4e68de7ad239a88525b5ae343acd3bf80)

tags: added: in-stable-pike

This issue was fixed in the openstack/tripleo-heat-templates 7.0.4 release.
