<div dir="ltr">I also prefer a dedicated user ("kolla" seems the best choice) as same as other projects in OpenStack.<div><br></div><div>Cheers,</div><div><br></div><div>Tuan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke <span dir="ltr"><<a href="mailto:paul.bourke@oracle.com" target="_blank">paul.bourke@oracle.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">In my experience operators prefer a dedicated user (kolla:kolla), though I can't see any major problem with your root:kolla approach.<div class="HOEnZb"><div class="h5"><br>
<br>
On 23/08/16 14:40, Steven Dake (stdake) wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
<br>
<br>
<br>
On 8/23/16, 1:04 AM, "<a href="mailto:duonghq@vn.fujitsu.com" target="_blank">duonghq@vn.fujitsu.com</a>" <<a href="mailto:duonghq@vn.fujitsu.com" target="_blank">duonghq@vn.fujitsu.com</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi S.Dake,<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello Kollish,<br>
<br>
I am working on bp ansible-specific-task-become so I need community opinion about Kolla configuration files owner and permissions.<br>
<br>
For files in "/var/lib/kolla", it's quite clear that the owner should be 'root' as currently.<br>
<br>
For files in "/etc/kolla": After discussion with S.Dake on IRC, he recommends /etc/kolla is owned by root and all files in it is 660 (writable by a group).<br>
</blockquote>
<br>
Just to add a bit of clarity, the rationale for this idea is that a group of operators could add themselves to the kolla group on all of the nodes and use their specific ssh keys to operate OpenStack. > This is why the group concept in unix was invented 50 odd years ago ;)<br>
</blockquote>
<br>
I just notice that if the directory has 660, so non-root user cannot access file in this folder. It seems conflict with group purpose.<br>
Should it be 770 for folders?<br>
</blockquote>
<br>
Yes 770 for folders 660 for files seeded by the user ids and their ssh keys in the host playbook that is in the review queue. Changes to the host playbook in the review queue should come later for this group based model.<br>
<br>
The real question is what do operators prefer? Single user (non-root), Multi-user (non-root), or Single user (root).<br>
<br>
Regards<br>
-steve<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Regards<br>
-steve<br>
</blockquote>
<br>
<br>
Best regards,<br>
<br>
duonghq<br>
PODC - Fujitsu Vietnam Ltd.<br>
<br>
<br>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
</blockquote>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
<br>
</blockquote>
<br>
______________________________<wbr>______________________________<wbr>______________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.op<wbr>enstack.org?subject:unsubscrib<wbr>e</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi<wbr>-bin/mailman/listinfo/openstac<wbr>k-dev</a><br>
</div></div></blockquote></div><br></div>