[openstack-dev] [kolla] Kolla configuration files owner and permission

lương hữu tuấn tuantuluong at gmail.com
Tue Aug 23 13:56:11 UTC 2016


I also prefer a dedicated user ("kolla" seems the best choice), the same as
other projects in OpenStack.

Cheers,

Tuan

On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke <paul.bourke at oracle.com> wrote:

> In my experience operators prefer a dedicated user (kolla:kolla), though I
> can't see any major problem with your root:kolla approach.
>
>
> On 23/08/16 14:40, Steven Dake (stdake) wrote:
>
>>
>> On 8/23/16, 1:04 AM, "duonghq at vn.fujitsu.com" <duonghq at vn.fujitsu.com>
>> wrote:
>>
>> Hi S.Dake,
>>>
>>> Hello Kollish,
>>>>>
>>>>> I am working on bp ansible-specific-task-become so I need community
>>>>> opinion about Kolla configuration files owner and permissions.
>>>>>
>>>>> For files in "/var/lib/kolla", it's quite clear that the owner should
>>>>> be 'root' as currently.
>>>>>
>>>>> For files in "/etc/kolla":  After discussion with S.Dake on IRC, he
>>>>> recommends /etc/kolla be owned by root and all files in it be 660 (writable
>>>>> by a group).
>>>>>
>>>>
>>>> Just to add a bit of clarity, the rationale for this idea is that a
>>>> group of operators could add themselves to the kolla group on all of the
>>>> nodes and use their specific ssh keys to operate OpenStack.  This is why
>>>> the group concept in unix was invented 50 odd years ago ;)
>>>>
>>>
>>> I just noticed that if the directory has 660, a non-root user cannot
>>> access files in this folder. It seems to conflict with the group purpose.
>>> Should it be 770 for folders?
>>>
>>
>> Yes 770 for folders 660 for files seeded by the user ids and their ssh
>> keys in the host playbook that is in the review queue.  Changes to the host
>> playbook in the review queue should come later for this group based model.
>>
>> The real question is what do operators prefer?  Single user (non-root),
>> Multi-user (non-root), or Single user (root).
>>
>> Regards
>> -steve
>>
>>>
>>> Regards
>>>> -steve
>>>>
>>>
>>>
>>> Best regards,
>>>
>>> duonghq
>>> PODC - Fujitsu Vietnam Ltd.
>>>
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
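The layout discussed in this thread (770 on directories, 660 on files, one shared operators' group), as an added shell example that is not part of any message above and is not Kolla's own code. The function names and the optional group argument are assumptions; point the functions at a scratch directory before using them on /etc/kolla.

```shell
#!/bin/sh
# Added example: apply and audit the group-based permission layout from the thread.
# Function names and arguments are illustrative, not taken from Kolla.

# Set every directory under $1 to 770 and every regular file to 660.
# Directories need the search (x) bit: with 660 on a directory, group members
# cannot traverse it, so the files inside are unreachable even at 660.
apply_kolla_modes() {
    # '\;' (not '+') so each directory is fixed before find descends into it;
    # otherwise a directory that starts at 660 would hide its own subtree.
    find "$1" -type d -exec chmod 770 {} \; &&
    find "$1" -type f -exec chmod 660 {} \;
}

# Print every path under $1 that deviates from the layout, one per line:
#   dir <path>    directory whose mode is not exactly 770
#   file <path>   regular file whose mode is not exactly 660
#   group <path>  path not owned by group $2 (checked only when $2 is given)
# Empty output means the tree is compliant. Unreadable subtrees are skipped
# silently, but the unreadable directory itself is still reported.
audit_kolla_modes() {
    find "$1" -type d ! -perm 770 -exec printf 'dir %s\n' {} \; 2>/dev/null || true
    find "$1" -type f ! -perm 660 -exec printf 'file %s\n' {} \; 2>/dev/null || true
    if [ -n "${2:-}" ]; then
        find "$1" ! -group "$2" -exec printf 'group %s\n' {} \; 2>/dev/null || true
    fi
    return 0
}
```

Setting owner and group (root:kolla in the thread) requires root, for example with `chown -R`, and is left to the caller; the audit only reports group mismatches.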