Merge "Fix ownership and permissions of admin-openrc.sh"

2020-08-19 16:46:53 +00:00 · 2020-08-19 16:46:53 +00:00 · 393888a1cb
commit 393888a1cb
parent db6a9d61ec 16f97867a3
2 changed files with 23 additions and 2 deletions
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@ -1,10 +1,12 @@
 ---
 - name: Creating admin openrc file on the deploy node
  hosts: localhost
-  become: true
  tasks:
    - name: Template out admin-openrc.sh
+      become: true
      template:
        src: "roles/common/templates/admin-openrc.sh.j2"
        dest: "{{ node_config }}/admin-openrc.sh"
-      run_once: True
+        owner: "{{ ansible_user_uid }}"
+        group: "{{ ansible_user_gid }}"
+        mode: 0600
--- a/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml
+++ b/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml
@ -0,0 +1,19 @@
+---
+security:
+  - |
+    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
+    previously created with ``root:root`` ownership and ``644`` permissions.
+    This would allow anyone with access to the same directory to read the file,
+    including the admin credentials. The ownership of ``admin-openrc.sh`` is
+    now set to the user executing ``kolla-ansible``, and the file is assigned a
+    mode of ``600``. This change can be applied by running ``kolla-ansible
+    post-deploy``.
+fixes:
+  - |
+    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
+    previously created with ``root:root`` ownership and ``644`` permissions.
+    This would allow anyone with access to the same directory to read the file,
+    including the admin credentials. The ownership of ``admin-openrc.sh`` is
+    now set to the user executing ``kolla-ansible``, and the file is assigned a
+    mode of ``600``. This change can be applied by running ``kolla-ansible
+    post-deploy``.