[openstack-dev] [kolla] Kolla configuration files owner and permission
Steven Dake (stdake)
stdake at cisco.com
Tue Aug 23 13:40:00 UTC 2016
On 8/23/16, 1:04 AM, "duonghq at vn.fujitsu.com" <duonghq at vn.fujitsu.com> wrote:
>>> Hello Kollish,
>>> I am working on bp ansible-specific-task-become so I need community opinion about Kolla configuration files owner and permissions.
>>> For files in "/var/lib/kolla", it's quite clear that the owner should be 'root' as currently.
>>> For files in "/etc/kolla": After discussion with S.Dake on IRC, he recommends /etc/kolla is owned by root and all files in it is 660 (writable by a group).
>> Just to add a bit of clarity, the rationale for this idea is that a group of operators could add themselves to the kolla group on all of the nodes and use their specific ssh keys to operate OpenStack. > This is why the group concept in unix was invented 50 odd years ago ;)
>I just notice that if the directory has 660, so non-root user cannot access file in this folder. It seems conflict with group purpose.
>Should it be 770 for folders?
Yes 770 for folders 660 for files seeded by the user ids and their ssh keys in the host playbook that is in the review queue. Changes to the host playbook in the review queue should come later for this group based model.
The real question is what do operators prefer? Single user (non-root), Multi-user (non-root), or Single user (root).
>PODC - Fujitsu Vietnam Ltd.
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
More information about the OpenStack-dev