From e3e0f84c49510afd6da1707bfd9460513a5aee89 Mon Sep 17 00:00:00 2001
From: Rhys Oxenham <roxenham@redhat.com>
Date: Thu, 12 Oct 2017 10:31:42 +0100
Subject: Fix /etc/openstack-dashboard/ permissions for access to *policy.json

The Kolla Dockerfile sets the permissions for /etc/openstack-dashboard/
to horizon:horizon. We need this to be readable by the apache user
as the horizon user is not the user in which httpd runs with. We may
want to consider fixing this in the upstream Dockerfile instead, e.g.
checking if we're using centos/rhel and changing the permissions that
way. I'm not sure why it's set to horizon:horizon upstream, and I'm keen
not to break any existing functionality that relies on the horizon based
permissions.

Closes-Bug: #1723125
Change-Id: If5feebae38f7fdfffa60bfaedc4521f676006484
(cherry picked from commit fd657aa4e68de7ad239a88525b5ae343acd3bf80)
---
 docker/services/horizon.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'docker')

diff --git a/docker/services/horizon.yaml b/docker/services/horizon.yaml
index d6ffb6dc..39169d07 100644
--- a/docker/services/horizon.yaml
+++ b/docker/services/horizon.yaml
@@ -95,6 +95,12 @@ outputs:
             - path: /var/log/horizon/
               owner: apache:apache
               recurse: true
+            # NOTE The upstream Kolla Dockerfile sets /etc/openstack-dashboard/ ownership to
+            # horizon:horizon - the policy.json files need read permissions for the apache user
+            # FIXME We should consider whether this should be fixed in the Kolla Dockerfile instead
+            - path: /etc/openstack-dashboard/
+              owner: apache:apache
+              recurse: true
             # FIXME Apache tries to write a .lock file there
             - path: /usr/share/openstack-dashboard/openstack_dashboard/local/
               owner: apache:apache
-- 
cgit 1.2.3-korg