Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-24 Thread lương hữu tuấn
Oh, my bad about the write permission for the nova user. It should not be like
that. Thanks Jeffrey.

Cheers,

T

On Wed, Aug 24, 2016 at 2:39 PM, Jeffrey Zhang 
wrote:

> On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn 
> wrote:
> > However, with config file as nova.conf or in this case e.g. kolla.conf, it
> > should be kolla:kolla and only owner can write as well, it means 644 since
> > the kolla service is run under the name of kolla user, it is the same with
> > other services in OpenStack.
>
> There is no kolla.conf file in any container.
>
> >
> > With the folder, e.g. /etc/kolla or /etc/nova, it should be also
> > read/write/executable with kolla user and kolla group since kolla service
> > running with kolla user should have permission to get information from
> > kolla.conf.
>
> For nova.conf, why does the nova user need to write to or change the
> nova.conf file?
>
>
>
>
> --
> Regards,
> Jeffrey Zhang
> Blog: http://xcodest.me
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-24 Thread Jeffrey Zhang
On Wed, Aug 24, 2016 at 5:24 PM, lương hữu tuấn  wrote:
> However, with config file as nova.conf or in this case e.g. kolla.conf, it
> should be kolla:kolla and only owner can write as well, it means 644 since
> the kolla service is run under the name of kolla user, it is the same with
> other services in OpenStack.

There is no kolla.conf file in any container.

>
> With the folder, e.g. /etc/kolla or /etc/nova, it should be also
> read/write/executable with kolla user and kolla group since kolla service
> running with kolla user should have permission to get information from
> kolla.conf.

For nova.conf, why does the nova user need to write to or change the nova.conf file?




-- 
Regards,
Jeffrey Zhang
Blog: http://xcodest.me



Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-24 Thread lương hữu tuấn
Hi Jeffrey,

You are right about the rootwrap file, since it is the root wrapper of the
specific service, e.g. nova. Then we should set it to root:root and let only
the owner write.

However, with a config file such as nova.conf, or in this case e.g. kolla.conf, it
should be kolla:kolla and only the owner can write as well, meaning 644, since
the kolla service is run under the kolla user; it is the same with
other services in OpenStack.

With the folder, e.g. /etc/kolla or /etc/nova, it should also be
readable/writable/executable by the kolla user and kolla group, since the kolla service
running as the kolla user should have permission to get information from
kolla.conf.

Br,

Tuan

On Wed, Aug 24, 2016 at 3:22 AM, Jeffrey Zhang 
wrote:

> Using the same user for running the service and owning the configuration files is
> dangerous, i.e. the service's running user shouldn't be able to change the
> configuration files.
>
> A simple attack looks like this:
> * a hacker breaks into the nova-api container as the nova user
> * he can change the /etc/nova/rootwrap.conf file and the
> /etc/nova/rootwrap.d files, through which he can get much greater authority
> with sudo
> * he can also change the /etc/nova/nova.conf file to use another
> privsep_command.helper_command to get greater authority
> [privsep_entrypoint]
> helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf
>
> So the right rule should be: do not let the service's running user have
> write permission to the configuration files.
>
> For the nova.conf file, I think root:root with 644 permission
> or root:nova with 640 should be enough.
> For the directory, root:root with 755 or root:nova with 750
> should be enough.
>
> On Tue, Aug 23, 2016 at 11:11 PM, Steven Dake (stdake) 
> wrote:
> >
> >
> >
> >
> >
> > On 8/23/16, 7:05 AM, "Gerard Braad"  wrote:
> >
> >>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn  wrote:
> >>> I also prefer a dedicated user ("kolla" seems the best choice) as same
> >>> On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke  wrote:
> >>>> In my experience operators prefer a dedicated user (kolla:kolla),
> >>>> though I
> >>
> >>kolla:kolla seems more logical and simpler to reason about.
> >>
> >
> > kolla:kolla still works with multi-user approach and permissions 660 on
> /etc/kolla files.
> >
> > Regards
> > -steve
> >
> >>
> >>--
> >>
> >>   Gerard Braad | http://gbraad.nl
> >>   [ Doing Open Source Matters ]
> >>
>
>
>
> --
> Regards,
> Jeffrey Zhang
> Blog: http://xcodest.me
>


Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Jeffrey Zhang
Using the same user for running the service and owning the configuration files is
dangerous, i.e. the service's running user shouldn't be able to change the
configuration files.

A simple attack looks like this:
* a hacker breaks into the nova-api container as the nova user
* he can change the /etc/nova/rootwrap.conf file and the
/etc/nova/rootwrap.d files, through which he can get much greater authority
with sudo
* he can also change the /etc/nova/nova.conf file to use another
privsep_command.helper_command to get greater authority
[privsep_entrypoint]
helper_command=sudo nova-rootwrap /etc/nova/rootwrap.conf privsep-helper --config-file /etc/nova/nova.conf

So the right rule should be: do not let the service's running user have
write permission to the configuration files.

For the nova.conf file, I think root:root with 644 permission
or root:nova with 640 should be enough.
For the directory, root:root with 755 or root:nova with 750
should be enough.

On Tue, Aug 23, 2016 at 11:11 PM, Steven Dake (stdake)  wrote:
>
>
>
>
>
> On 8/23/16, 7:05 AM, "Gerard Braad"  wrote:
>
>>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn  wrote:
>>> I also prefer a dedicated user ("kolla" seems the best choice) as same
>>> On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke  wrote:
>>>> In my experience operators prefer a dedicated user (kolla:kolla), though I
>>
>>kolla:kolla seems more logical and simpler to reason about.
>>
>
> kolla:kolla still works with multi-user approach and permissions 660 on 
> /etc/kolla files.
>
> Regards
> -steve
>
>>
>>--
>>
>>   Gerard Braad | http://gbraad.nl
>>   [ Doing Open Source Matters ]
>>



-- 
Regards,
Jeffrey Zhang
Blog: http://xcodest.me



Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Steven Dake (stdake)
On 8/23/16, 7:05 AM, "Gerard Braad"  wrote:

>On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn  wrote:
>> I also prefer a dedicated user ("kolla" seems the best choice) as same
>> On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke  wrote:
>>> In my experience operators prefer a dedicated user (kolla:kolla), though I
>
>kolla:kolla seems more logical and simpler to reason about.
>

kolla:kolla still works with multi-user approach and permissions 660 on 
/etc/kolla files.

Regards
-steve

>
>-- 
>
>   Gerard Braad | http://gbraad.nl
>   [ Doing Open Source Matters ]
>


Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Gerard Braad
On Tue, Aug 23, 2016 at 9:56 PM, lương hữu tuấn  wrote:
> I also prefer a dedicated user ("kolla" seems the best choice) as same
> On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke  wrote:
>> In my experience operators prefer a dedicated user (kolla:kolla), though I

kolla:kolla seems more logical and simpler to reason about.


-- 

   Gerard Braad | http://gbraad.nl
   [ Doing Open Source Matters ]



Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread lương hữu tuấn
I also prefer a dedicated user ("kolla" seems the best choice), the same as
other projects in OpenStack.

Cheers,

Tuan

On Tue, Aug 23, 2016 at 3:51 PM, Paul Bourke  wrote:

> In my experience operators prefer a dedicated user (kolla:kolla), though I
> can't see any major problem with your root:kolla approach.
>
>
> On 23/08/16 14:40, Steven Dake (stdake) wrote:
>
>>
>>
>>
>>
>>
>> On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com" 
>> wrote:
>>
>> Hi S.Dake,
>>>
>>> Hello Kollish,
>
> I am working on bp ansible-specific-task-become, so I need the community's
> opinion about Kolla configuration files' owner and permissions.
>
> For files in "/var/lib/kolla", it's quite clear that the owner should
> be 'root', as currently.
>
> For files in "/etc/kolla": after discussion with S.Dake on IRC, he
> recommends /etc/kolla is owned by root and all files in it are 660
> (writable by a group).
>

 Just to add a bit of clarity, the rationale for this idea is that a
 group of operators could add themselves to the kolla group on all of the
 nodes and use their specific ssh keys to operate OpenStack.  This is why
 the group concept in unix was invented 50 odd years ago ;)

>>>
>>> I just noticed that if the directory has 660, non-root users cannot
>>> access files in this folder. It seems to conflict with the group purpose.
>>> Should it be 770 for folders?
>>>
>>
>> Yes, 770 for folders and 660 for files, seeded by the user ids and their ssh
>> keys in the host playbook that is in the review queue.  Changes to the host
>> playbook in the review queue should come later for this group based model.
>>
>> The real question is what do operators prefer?  Single user (non-root),
>> Multi-user (non-root), or Single user (root).
>>
>> Regards
>> -steve
>>
>>>
>>> Regards
 -steve

>>>
>>>
>>> Best regards,
>>>
>>> duonghq
>>> PODC - Fujitsu Vietnam Ltd.
>>>
>>>
>>>


Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Paul Bourke
In my experience operators prefer a dedicated user (kolla:kolla), though 
I can't see any major problem with your root:kolla approach.


On 23/08/16 14:40, Steven Dake (stdake) wrote:

On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com"  wrote:


Hi S.Dake,


Hello Kollish,

I am working on bp ansible-specific-task-become, so I need the community's 
opinion about Kolla configuration files' owner and permissions.

For files in "/var/lib/kolla", it's quite clear that the owner should be 'root', 
as currently.

For files in "/etc/kolla": after discussion with S.Dake on IRC, he recommends 
/etc/kolla is owned by root and all files in it are 660 (writable by a group).


Just to add a bit of clarity, the rationale for this idea is that a group of 
operators could add themselves to the kolla group on all of the nodes and use 
their specific ssh keys to operate OpenStack.  This is why the group concept 
in unix was invented 50 odd years ago ;)


I just noticed that if the directory has 660, non-root users cannot access 
files in this folder. It seems to conflict with the group purpose.
Should it be 770 for folders?


Yes, 770 for folders and 660 for files, seeded by the user ids and their ssh keys in 
the host playbook that is in the review queue.  Changes to the host playbook in 
the review queue should come later for this group based model.

The real question is what do operators prefer?  Single user (non-root), 
Multi-user (non-root), or Single user (root).

Regards
-steve



Regards
-steve



Best regards,

duonghq
PODC - Fujitsu Vietnam Ltd.





Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Steven Dake (stdake)
On 8/23/16, 1:04 AM, "duon...@vn.fujitsu.com"  wrote:

>Hi S.Dake,
>
>>> Hello Kollish,
>>>
>>> I am working on bp ansible-specific-task-become, so I need the community's 
>>> opinion about Kolla configuration files' owner and permissions.
>>>
>>> For files in "/var/lib/kolla", it's quite clear that the owner should be 
>>> 'root', as currently.
>>>
>>> For files in "/etc/kolla": after discussion with S.Dake on IRC, he 
>>> recommends /etc/kolla is owned by root and all files in it are 660 (writable 
>>> by a group).
>>
>> Just to add a bit of clarity, the rationale for this idea is that a group of 
>> operators could add themselves to the kolla group on all of the nodes and 
>> use their specific ssh keys to operate OpenStack.  This is why the group 
>> concept in unix was invented 50 odd years ago ;)
>
>I just noticed that if the directory has 660, non-root users cannot access 
>files in this folder. It seems to conflict with the group purpose.
>Should it be 770 for folders?

Yes, 770 for folders and 660 for files, seeded by the user ids and their ssh keys in 
the host playbook that is in the review queue.  Changes to the host playbook in 
the review queue should come later for this group based model.

The real question is what do operators prefer?  Single user (non-root), 
Multi-user (non-root), or Single user (root).

Regards
-steve
>
>> Regards
>> -steve
>
>
>Best regards,
>
>duonghq
>PODC - Fujitsu Vietnam Ltd.
>
>
>


Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread duon...@vn.fujitsu.com
Hi S.Dake,

>> Hello Kollish,
>>
>> I am working on bp ansible-specific-task-become, so I need the community's 
>> opinion about Kolla configuration files' owner and permissions.
>>
>> For files in "/var/lib/kolla", it's quite clear that the owner should be 
>> 'root', as currently.
>>
>> For files in "/etc/kolla": after discussion with S.Dake on IRC, he 
>> recommends /etc/kolla is owned by root and all files in it are 660 (writable 
>> by a group).
>
> Just to add a bit of clarity, the rationale for this idea is that a group of 
> operators could add themselves to the kolla group on all of the nodes and use 
> their specific ssh keys to operate OpenStack.  This is why the group 
> concept in unix was invented 50 odd years ago ;)

I just noticed that if the directory has 660, non-root users cannot access 
files in this folder. It seems to conflict with the group purpose.
Should it be 770 for folders?

> Regards
> -steve


Best regards,

duonghq
PODC - Fujitsu Vietnam Ltd.





Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-23 Thread Tuan Luong
It indeed frightened me when I stopped at the part about 
"writable by a group" for configuration files and tried myself to figure 
out what you guys were discussing on IRC.

Thanks Steve for clarifying the "group of operators" point.

Cheers,

Tuan


On 08/23/2016 07:29 AM, Steven Dake (stdake) wrote:
On 8/22/16, 7:24 PM, "duon...@vn.fujitsu.com"  wrote:


Hello Kollish,

I am working on bp ansible-specific-task-become, so I need the community's 
opinion about Kolla configuration files' owner and permissions.

For files in "/var/lib/kolla", it's quite clear that the owner should be 'root', 
as currently.

For files in "/etc/kolla": after discussion with S.Dake on IRC, he recommends 
/etc/kolla is owned by root and all files in it are 660 (writable by a group).

Just to add a bit of clarity, the rationale for this idea is that a group of 
operators could add themselves to the kolla group on all of the nodes and use 
their specific ssh keys to operate OpenStack.  This is why the group concept in 
unix was invented 50 odd years ago ;)

Regards
-steve


Does anybody have ideas on this topic?

Best regards,

Ha Quang Duong (Mr.)
PODC - Fujitsu Vietnam Ltd.




Re: [openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-22 Thread Steven Dake (stdake)
On 8/22/16, 7:24 PM, "duon...@vn.fujitsu.com"  wrote:

>Hello Kollish,
>
>I am working on bp ansible-specific-task-become, so I need the community's 
>opinion about Kolla configuration files' owner and permissions.
>
>For files in "/var/lib/kolla", it's quite clear that the owner should be 
>'root', as currently.
>
>For files in "/etc/kolla": after discussion with S.Dake on IRC, he recommends 
>/etc/kolla is owned by root and all files in it are 660 (writable by a group).

Just to add a bit of clarity, the rationale for this idea is that a group of 
operators could add themselves to the kolla group on all of the nodes and use 
their specific ssh keys to operate OpenStack.  This is why the group concept in 
unix was invented 50 odd years ago ;)

Regards
-steve

>
>Does anybody have ideas on this topic?
>
>Best regards,
>
>Ha Quang Duong (Mr.)
>PODC - Fujitsu Vietnam Ltd.
>
>


[openstack-dev] [kolla] Kolla configuration files owner and permission

2016-08-22 Thread duon...@vn.fujitsu.com
Hello Kollish,

I am working on bp ansible-specific-task-become, so I need the community's 
opinion about Kolla configuration files' owner and permissions.

For files in "/var/lib/kolla", it's quite clear that the owner should be 'root', 
as currently.

For files in "/etc/kolla": after discussion with S.Dake on IRC, he recommends 
/etc/kolla is owned by root and all files in it are 660 (writable by a group).

Does anybody have ideas on this topic?

Best regards,

Ha Quang Duong (Mr.)
PODC - Fujitsu Vietnam Ltd.

