diff options
authorRhys Oxenham <roxenham@redhat.com>2017-10-12 10:31:42 +0100
committerRadomir Dopieralski <openstack@sheep.art.pl>2017-10-25 15:20:41 +0000
commite3e0f84c49510afd6da1707bfd9460513a5aee89 (patch)
parent9dfec11795703b43991e06ef880b52cd0b3a5eb4 (diff)
Fix /etc/openstack-dashboard/ permissions for access to *policy.json
The Kolla Dockerfile sets the permissions for /etc/openstack-dashboard/ to horizon:horizon. We need this to be readable by the apache user as the horizon user is not the user in which httpd runs with. We may want to consider fixing this in the upstream Dockerfile instead, e.g. checking if we're using centos/rhel and changing the permissions that way. I'm not sure why it's set to horizon:horizon upstream, and I'm keen not to break any existing functionality that relies on the horizon based permissions. Closes-Bug: #1723125 Change-Id: If5feebae38f7fdfffa60bfaedc4521f676006484 (cherry picked from commit fd657aa4e68de7ad239a88525b5ae343acd3bf80)
1 files changed, 6 insertions, 0 deletions
diff --git a/docker/services/horizon.yaml b/docker/services/horizon.yaml
index d6ffb6d..39169d0 100644
--- a/docker/services/horizon.yaml
+++ b/docker/services/horizon.yaml
@@ -95,6 +95,12 @@ outputs:
- path: /var/log/horizon/
owner: apache:apache
recurse: true
+ # NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
+ # horizon:horizon - the policy.json files need read permissions for the apache user
+ # FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
+ - path: /etc/openstack-dashboard/
+ owner: apache:apache
+ recurse: true
# FIXME Apache tries to write a .lock file there
- path: /usr/share/openstack-dashboard/openstack_dashboard/local/
owner: apache:apache