From 3991ebcd79c0c2ff669886837515ad8306886657 Mon Sep 17 00:00:00 2001
From: Mark Giles
Date: Wed, 9 May 2018 14:39:05 -0400
Subject: [PATCH] Make generated private key files not world readable

The kolla-ansible certificates command creates a self-signed certificate and corresponding private key. This change sets the file mode on the files that contain the private key so that they are not world readable.

Change-Id: I7bfba5975af8d230e5d00c2ce801a914fbbf2d4e
---
 ansible/roles/certificates/tasks/generate.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index d981e5a6d1..3ca4809d3f 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -22,6 +22,13 @@
 with_items:
 - "{{ node_config_directory }}/certificates/private/haproxy.key"
 
+- name: Setting permissions on key
+ become: true
+ file:
+ path: "{{ node_config_directory }}/certificates/private/haproxy.key"
+ mode: 0600
+ state: file
+
 - name: Creating Server Certificate
 become: true
 command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
@@ -45,3 +52,4 @@
 assemble:
 src: "{{ node_config_directory }}/certificates/private"
 dest: "{{ node_config_directory }}/certificates/haproxy.pem"
+ mode: 0600
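Review bot: The new "Setting permissions on key" task tightens haproxy.key only after the preceding task has already written it, so the key sits on disk with whatever mode the process umask gives until this task runs, and stays that way if the play aborts in between. The key-generating task begins above the hunk and only its `with_items` tail is visible, so how the file is first created is inferred rather than seen. If it is a plain `command` task, restricting the parent directory before the key is written closes the window, e.g. a `file` task on `{{ node_config_directory }}/certificates/private` with `state: directory` and `mode: "0700"`. A short comment such as `# key is created with the default umask above; restrict it to the owner` would also explain why this task is a separate step.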
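Review bot: The added `mode: 0600` on the `assemble` task is an unquoted scalar, and it yields the intended permissions only because a YAML 1.1 loader reads the leading zero as octal. If the zero is lost in a later edit or the value becomes templated, the number is taken as decimal and sets unrelated permission bits on haproxy.pem, which holds the private key. Quoting it as `mode: "0600"` removes that dependency; the same applies to the `file` task added in the first hunk. The `assemble` task starts above this hunk, so its other arguments are not visible here.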