Set appropriate ownership/permission to config files

... to avoid making any config files world readable.

Also swift processes do not need write access to these files, thus
write access can be blocked.

Closes-Bug: #2068898
Change-Id: I8b11fbdb0ea0ca814b962dd72b5c1cb4cd201c24

manifests/containerreconciler.pp

@@ -138,6 +138,16 @@ class swift::containerreconciler(
     purge => $purge_config,
   }
 
+  file { '/etc/swift/container-reconciler.conf':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => $::swift::params::group,
+    mode    => '0640',
+    require => Anchor['swift::config::begin'],
+    before  => Anchor['swift::config::end']
+  }
+  File['/etc/swift/container-reconciler.conf'] -> Swift_container_reconciler_config<||>
+
   # only add memcache servers if 'cache' is included in the pipeline
   if !empty(grep(any2array($pipeline), 'cache')) {
 

manifests/internal_client.pp

@@ -65,6 +65,7 @@ class swift::internal_client (
 ) inherits swift::params {
 
   include swift::deps
+  include swift::params
 
   if $pipeline[-1] != 'proxy-server' {
     fail('proxy-server must be the last element in pipeline')
@@ -74,6 +75,16 @@ class swift::internal_client (
     purge => $purge_config,
   }
 
+  file { '/etc/swift/internal-client.conf':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => $::swift::params::group,
+    mode    => '0640',
+    require => Anchor['swift::config::begin'],
+    before  => Anchor['swift::config::end']
+  }
+  File['/etc/swift/internal-client.conf'] -> Swift_internal_client_config<||>
+
   swift_internal_client_config {
     'DEFAULT/user':                               value => $user;
     'pipeline:main/pipeline':                     value => join($pipeline, ' ');

manifests/keymaster.pp

@@ -84,6 +84,17 @@ class swift::keymaster(
 ) {
 
   include swift::deps
+  include swift::params
+
+  file { '/etc/swift/keymaster.conf':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => $::swift::params::group,
+    mode    => '0640',
+    require => Anchor['swift::config::begin'],
+    before  => Anchor['swift::config::end']
+  }
+  File['/etc/swift/keymaster.conf'] -> Swift_keymaster_config<||>
 
   swift_keymaster_config {
     'kms_keymaster/api_class':             value => $api_class;

manifests/memcache.pp

@@ -85,11 +85,14 @@ class swift::memcache (
   }
 
   file { '/etc/swift/memcache.conf':
-    ensure => file,
-    owner  => $::swift::params::user,
-    group  => $::swift::params::group,
-    mode   => '0640',
+    ensure  => 'file',
+    owner   => 'root',
+    group   => $::swift::params::group,
+    mode    => '0640',
+    require => Anchor['swift::config::begin'],
+    before  => Anchor['swift::config::end']
   }
+  File['/etc/swift/memcache.conf'] -> Swift_memcache_config<||>
 
   swift_memcache_config {
     'memcache/memcache_servers':               value => join(any2array($memcache_servers), ',');

manifests/objectexpirer.pp

@@ -152,6 +152,16 @@ class swift::objectexpirer(
     purge => $purge_config,
   }
 
+  file { '/etc/swift/object-expirer.conf':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => $::swift::params::group,
+    mode    => '0640',
+    require => Anchor['swift::config::begin'],
+    before  => Anchor['swift::config::end']
+  }
+  File['/etc/swift/object-expirer.conf'] -> Swift_object_expirer_config<||>
+
   if $pipeline[-1] != 'proxy-server' {
     fail('proxy-server must be the last element in pipeline')
   }

manifests/proxy.pp

@@ -225,11 +225,21 @@ class swift::proxy(
     purge => $purge_config,
   }
 
+  file { '/etc/swift/proxy-server.conf':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => $::swift::params::group,
+    mode    => '0640',
+    require => Anchor['swift::config::begin'],
+    before  => Anchor['swift::config::end']
+  }
+  File['/etc/swift/proxy-server.conf'] -> Swift_proxy_config<||>
+
   swift_proxy_config {
     'DEFAULT/bind_port':                           value => $port;
     'DEFAULT/bind_ip':                             value => $proxy_local_net_ip;
     'DEFAULT/workers':                             value => $workers;
-    'DEFAULT/user':                                value => 'swift';
+    'DEFAULT/user':                                value => $::swift::params::user;
     'DEFAULT/log_name':                            value => $log_name;
     'DEFAULT/log_facility':                        value => $log_facility;
     'DEFAULT/log_level':                           value => $log_level;

manifests/proxy/ceilometer.pp

@@ -215,8 +215,8 @@ class swift::proxy::ceilometer(
   }
 
   file { '/etc/swift/ceilometer.conf':
-    ensure  => present,
-    owner   => $::swift::params::user,
+    ensure  => 'file',
+    owner   => 'root',
     group   => $::swift::params::group,
     mode    => '0640',
     require => Anchor['swift::config::begin'],

manifests/storage/drive_audit.pp

@@ -130,6 +130,17 @@ class swift::storage::drive_audit(
     purge => $purge_config,
   }
 
+  file { '/etc/swift/drive-audit.conf':
+    ensure  => 'file',
+    owner   => 'root',
+    group   => $::swift::params::group,
+    mode    => '0640',
+    require => Anchor['swift::config::begin'],
+    before  => Anchor['swift::config::end']
+  }
+  File['/etc/swift/drive-audit.conf'] -> Swift_drive_audit_config<||>
+
+
   swift_drive_audit_config {
     'drive-audit/log_name'    : value => $log_name;
     'drive-audit/log_facility': value => $log_facility;

manifests/storage/server.pp

@@ -407,8 +407,8 @@ define swift::storage::server(
       %>"), ',')
 
   file { $config_file_full_path:
-    ensure => present,
-    owner  => pick($owner, $::swift::params::user),
+    ensure => 'file',
+    owner  => 'root',
     group  => pick($group, $::swift::params::group),
     mode   => '0640',
     tag    => 'swift-config-file',
@@ -553,6 +553,15 @@ define swift::storage::server(
           'container-sharder/log_name'    => {'ensure' => absent},
         }
       }
+
+      file { '/etc/swift/container-sync-realms.conf':
+        ensure => 'file',
+        owner  => 'root',
+        group  => pick($group, $::swift::params::group),
+        mode   => '0640',
+        tag    => 'swift-config-file',
+      }
+      File['/etc/swift/container-sync-realms.conf'] -> Swift_container_sync_realms_config<||>
     }
     'object': {
       $type_opts = {

spec/classes/swift_containerreconciler_spec.rb

@@ -12,6 +12,13 @@ describe 'swift::containerreconciler' do
 
   shared_examples 'swift::container::reconciler' do
     context 'with defaults' do
+      it { is_expected.to contain_file('/etc/swift/container-reconciler.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
+      )}
+
       it 'configures container-reconciler.conf' do
         is_expected.to contain_swift_container_reconciler_config(
           'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')

spec/classes/swift_internal_client_spec.rb

@@ -12,6 +12,13 @@ describe 'swift::internal_client' do
     end
 
     context 'with defaults' do
+      it { is_expected.to contain_file('/etc/swift/internal-client.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
+      )}
+
       it 'should configure default values' do
         should contain_swift_internal_client_config('DEFAULT/user').with_value('swift')
         should contain_swift_internal_client_config('pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')

spec/classes/swift_keymaster_spec.rb

@@ -9,6 +9,13 @@ describe 'swift::keymaster' do
     end
 
     context "when using default parameters" do
+      it { is_expected.to contain_file('/etc/swift/keymaster.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
+      )}
+
       it 'configures keymaster options' do
         is_expected.to contain_swift_keymaster_config('kms_keymaster/api_class').with_value('barbican')
         is_expected.to contain_swift_keymaster_config('kms_keymaster/key_id').with_value('<SERVICE DEFAULT>')

spec/classes/swift_memcache_spec.rb

@@ -4,17 +4,11 @@ describe 'swift::memcache' do
   shared_examples 'swift::memcache' do
 
     describe 'when using default parameters' do
-
-      let :file_defaults do
-        {
-          :owner   => 'swift',
-          :group   => 'swift',
-          :mode    => '0640',
-        }
-      end
-
-      it {is_expected.to contain_file('/etc/swift/memcache.conf').with(
-         {:ensure => 'file'}.merge(file_defaults)
+      it { is_expected.to contain_file('/etc/swift/memcache.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
       )}
 
       it { is_expected.to contain_swift_memcache_config(

spec/classes/swift_objectexpirer_spec.rb

@@ -12,6 +12,13 @@ describe 'swift::objectexpirer' do
 
   shared_examples 'swift::objectexpirer' do
     context 'with defaults' do
+      it { is_expected.to contain_file('/etc/swift/object-expirer.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
+      )}
+
       it 'configures object-expirer.conf' do
         is_expected.to contain_swift_object_expirer_config(
           'pipeline:main/pipeline').with_value('catch_errors proxy-logging cache proxy-server')

spec/classes/swift_proxy_ceilometer_spec.rb

@@ -34,8 +34,8 @@ describe 'swift::proxy::ceilometer' do
       )}
 
       it { is_expected.to contain_file('/etc/swift/ceilometer.conf').with(
-        :ensure => 'present',
-        :owner  => 'swift',
+        :ensure => 'file',
+        :owner  => 'root',
         :group  => 'swift',
         :mode   => '0640',
       )}

spec/classes/swift_proxy_spec.rb

@@ -46,6 +46,13 @@ describe 'swift::proxy' do
           :tag       => ['swift-service', 'swift-proxy-service'],
         )}
 
+        it { is_expected.to contain_file('/etc/swift/proxy-server.conf').with(
+          :ensure => 'file',
+          :owner  => 'root',
+          :group  => 'swift',
+          :mode   => '0640',
+        )}
+
         it { should contain_service('swift-proxy-server').that_subscribes_to('Anchor[swift::service::begin]') }
         it { should contain_service('swift-proxy-server').that_notifies('Anchor[swift::service::end]') }
         it { should contain_swift_proxy_config('DEFAULT/bind_port').with_value('8080') }

spec/classes/swift_storage_driver_audit_spec.rb

@@ -4,6 +4,13 @@ describe 'swift::storage::drive_audit' do
   shared_examples 'swift::storage::drive_audit' do
 
     context 'with defaults' do
+      it { is_expected.to contain_file('/etc/swift/drive-audit.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
+      )}
+
       it 'should configure default values' do
         should contain_swift_drive_audit_config('drive-audit/log_name').with_value('drive-audit')
         should contain_swift_drive_audit_config('drive-audit/log_facility').with_value('LOG_LOCAL2')
@@ -52,6 +59,13 @@ describe 'swift::storage::drive_audit' do
         }
       end
 
+      it { is_expected.to contain_file('/etc/swift/drive-audit.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
+      )}
+
       it 'should configure the given values' do
         should contain_swift_drive_audit_config('drive-audit/user').with_value('alt_swift')
         should contain_swift_drive_audit_config('drive-audit/device_dir').with_value('/opt/swift')

spec/defines/swift_storage_server_spec.rb

@@ -58,8 +58,8 @@ describe 'swift::storage::server' do
       )}
 
       it { is_expected.to contain_file('/etc/swift/account-server.conf').with(
-        :ensure => 'present',
-        :owner  => 'swift',
+        :ensure => 'file',
+        :owner  => 'root',
         :group  => 'swift',
         :mode   => '0640',
         :tag    => 'swift-config-file'
@@ -241,8 +241,15 @@ describe 'swift::storage::server' do
       )}
 
       it { is_expected.to contain_file('/etc/swift/container-server.conf').with(
-        :ensure => 'present',
-        :owner  => 'swift',
+        :ensure => 'file',
+        :owner  => 'root',
+        :group  => 'swift',
+        :mode   => '0640',
+        :tag    => 'swift-config-file'
+      )}
+      it { is_expected.to contain_file('/etc/swift/container-sync-realms.conf').with(
+        :ensure => 'file',
+        :owner  => 'root',
         :group  => 'swift',
         :mode   => '0640',
         :tag    => 'swift-config-file'
@@ -435,8 +442,8 @@ describe 'swift::storage::server' do
       )}
 
       it { is_expected.to contain_file('/etc/swift/object-server.conf').with(
-        :ensure => 'present',
-        :owner  => 'swift',
+        :ensure => 'file',
+        :owner  => 'root',
         :group  => 'swift',
         :mode   => '0640',
         :tag    => 'swift-config-file'