tripleo

Horizon container can't read *policy.json in /etc/openstack-dashboard

Bug #1723125 reported by Martin André on 2017-10-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	Martin André

Bug Description

For some obscure reasons kolla sets the permission for the files in /etc/openstack-dashboard to horizon:horizon [1] which doesn't align with the permissions set by the openstack-horizon rpm [2].

Our recent change to the puppet-generated directory for copying in the configuration files in the container broke the workaround we had in place.

One way to fix the ownership could be at runtime with the kolla_config's perms structure.

[1] https://github.com/openstack/kolla/blob/master/docker/horizon/Dockerfile.j2#L37
[2] https://review.rdoproject.org/r/gitweb?p=openstack/horizon-distgit.git;a=blob;f=python-django-horizon.spec;h=f2c46a1187825139717c74daa1920d5bfcf77c82;hb=HEAD#l403

Tags:

OpenStack Infra (hudson-openstack) on 2017-10-12

Changed in tripleo:
assignee:	nobody → Martin André (mandre)
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-16: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/511442
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fd657aa4e68de7ad239a88525b5ae343acd3bf80
Submitter: Zuul
Branch: master

commit fd657aa4e68de7ad239a88525b5ae343acd3bf80
Author: Rhys Oxenham <email address hidden>
Date: Thu Oct 12 10:31:42 2017 +0100

Fix /etc/openstack-dashboard/ permissions for access to *policy.json

    The Kolla Dockerfile sets the permissions for /etc/openstack-dashboard/
    to horizon:horizon. We need this to be readable by the apache user
    as the horizon user is not the user in which httpd runs with. We may
    want to consider fixing this in the upstream Dockerfile instead, e.g.
    checking if we're using centos/rhel and changing the permissions that
    way. I'm not sure why it's set to horizon:horizon upstream, and I'm keen
    not to break any existing functionality that relies on the horizon based
    permissions.

Closes-Bug: #1723125
Change-Id: If5feebae38f7fdfffa60bfaedc4521f676006484

Changed in tripleo:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-25: Fix proposed to tripleo-heat-templates (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/515105

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-10-27: Fix included in openstack/tripleo-heat-templates 8.0.0.0b1

This issue was fixed in the openstack/tripleo-heat-templates 8.0.0.0b1 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2017-11-08: Fix merged to tripleo-heat-templates (stable/pike)

Reviewed: https://review.openstack.org/515105
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=e3e0f84c49510afd6da1707bfd9460513a5aee89
Submitter: Zuul
Branch: stable/pike

commit e3e0f84c49510afd6da1707bfd9460513a5aee89
Author: Rhys Oxenham <email address hidden>
Date: Thu Oct 12 10:31:42 2017 +0100

Fix /etc/openstack-dashboard/ permissions for access to *policy.json

    Closes-Bug: #1723125
    Change-Id: If5feebae38f7fdfffa60bfaedc4521f676006484
    (cherry picked from commit fd657aa4e68de7ad239a88525b5ae343acd3bf80)