From 8e635db8f1ccc45f3c28c915bfd970c020455760 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 26 Sep 2018 10:08:18 +0100
Subject: [PATCH] Allow fluentd to read barbican-api.log

Barbican API uses uWSGI, which by default writes out log files using
0640 permissions and default ownership for the user. This means that the
log file in /var/log/kolla/barbican/barbican-api.log is not readable by
fluentd.

This was tested via the following command on a queens deployment:

$ docker exec -it fluentd bash
find /var/log/kolla/ -type f | while read f; do test -r $f || echo "Cannot read $f"; done
Cannot read /var/log/kolla/barbican/barbican-api.log

Generally there are a few ways in which access is provided to log files
for fluentd:

1. Set log file ownership to $USER:kolla, permissions to 0640.
2. Set log file ownership to $USER:$USER, permissions to 0644.
3. MariaDB is a special case, and uses 0640 with the fluentd user added
to the mysql group.

Of these, 1. seems the most secure.

This change uses the --logfile-chmod argument to set the log file
permissions to 644, since it does not appear possible to specify a group
to change ownership to using --logfile-chown. We use command line
arguments since putting the option in the config file does not seem to
work. Perhaps it is an ordering issue.

Change-Id: If98ca7cd9630b5622132a00718cb09304b8285b3
Closes-Bug: #1794472
---
 ansible/roles/barbican/templates/barbican-api.json.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ansible/roles/barbican/templates/barbican-api.json.j2 b/ansible/roles/barbican/templates/barbican-api.json.j2
index 3ea4ee955e..79a3ac263b 100644
--- a/ansible/roles/barbican/templates/barbican-api.json.j2
+++ b/ansible/roles/barbican/templates/barbican-api.json.j2
@@ -1,5 +1,5 @@
 {
-    "command": "uwsgi --master --emperor /etc/barbican/vassals --logto /var/log/kolla/barbican/barbican-api.log",
+    "command": "uwsgi --master --emperor /etc/barbican/vassals --logto /var/log/kolla/barbican/barbican-api.log --logfile-chmod 644",
     "config_files": [
         {
             "source": "{{ container_config_directory }}/barbican.conf",
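
Review bot: `--logfile-chmod 644` on the added `"command"` line makes barbican-api.log world-readable, which is option 2 from the commit message rather than option 1 ($USER:kolla, 0640) that the message itself calls the most secure. Barbican is the key manager, so its API log deserves the tighter default: consider keeping 0640 and giving fluentd access through group ownership of the file or its directory, or at least track 0644 as a stopgap in a follow-up bug. The message also says the option had no effect from the config file and guesses at an ordering issue; since the flag here follows `--logto`, please state whether that ordering is required, so a later rearrangement of the command does not silently return the log to 0640 and break fluentd collection again.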