From 16f97867a3f7050ac42fbb921310ca884e974a11 Mon Sep 17 00:00:00 2001
From: likui <likui@yovole.com>
Date: Thu, 6 Aug 2020 14:12:44 +0800
Subject: [PATCH] Fix ownership and permissions of admin-openrc.sh

Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.

This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Closes-Bug: #1891704

Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa
---
 ansible/post-deploy.yml                       |  6 ++++--
 ...penrc-ownership-mode-310d89a6f50a9640.yaml | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml

diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index f0bc32c882..6bf8b482c6 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -1,10 +1,12 @@
 ---
 - name: Creating admin openrc file on the deploy node
   hosts: localhost
-  become: true
   tasks:
     - name: Template out admin-openrc.sh
+      become: true
       template:
         src: "roles/common/templates/admin-openrc.sh.j2"
         dest: "{{ node_config }}/admin-openrc.sh"
-      run_once: True
+        owner: "{{ ansible_user_uid }}"
+        group: "{{ ansible_user_gid }}"
+        mode: 0600
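Review bot: `mode: 0600` on the last added line is an unquoted octal literal; the YAML 1.1 loader Ansible uses converts it to the integer 384 before the template module sees it, which happens to be 0600 here, but a YAML 1.2 parser or yamllint reads `0600` as decimal 600 and the form is fragile. Quoting it as `mode: "0600"` hands Ansible the string and lets the module perform the octal conversion itself, which is the form the Ansible documentation recommends. The commit description states the file is now created "without become: true", whereas the hunk keeps `become: true` on the task (line 36); presumably it is retained so the task can replace an existing root-owned `admin-openrc.sh`, and a comment above the task such as `# become is needed to replace a pre-existing root-owned file` would make that intent explicit. The `owner`/`group` values depend on `ansible_user_uid`/`ansible_user_gid` being gathered at play level without privilege escalation, so this play must keep fact gathering enabled for the ownership fix to resolve to the invoking user.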
diff --git a/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml b/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml
new file mode 100644
index 0000000000..2380130273
--- /dev/null
+++ b/releasenotes/notes/fix-admin-openrc-ownership-mode-310d89a6f50a9640.yaml
@@ -0,0 +1,19 @@
+---
+security:
+  - |
+    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
+    previously created with ``root:root`` ownership and ``644`` permissions.
+    This would allow anyone with access to the same directory to read the file,
+    including the admin credentials. The ownership of ``admin-openrc.sh`` is
+    now set to the user executing ``kolla-ansible``, and the file is assigned a
+    mode of ``600``. This change can be applied by running ``kolla-ansible
+    post-deploy``.
+fixes:
+  - |
+    The ``admin-openrc.sh`` file generated by ``kolla-ansible post-deploy`` was
+    previously created with ``root:root`` ownership and ``644`` permissions.
+    This would allow anyone with access to the same directory to read the file,
+    including the admin credentials. The ownership of ``admin-openrc.sh`` is
+    now set to the user executing ``kolla-ansible``, and the file is assigned a
+    mode of ``600``. This change can be applied by running ``kolla-ansible
+    post-deploy``.