From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Wed, 17 Feb 2016 13:48:36 +0000 (+0200)
Subject: Make injected CA file readable by others
X-Git-Tag: opnfv-6.0.0~2179^2
X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=b6ee4bf4a55ab9cc1dbfd85c5dd6338fef3944ce;p=apex-tripleo-heat-templates.git

Make injected CA file readable by others

Currently the permissions for the CA file that is injected (if the
environment is set), doesn't permit users that don't belong to the group
that owns the file to read it. This is too restrictive and isn't
necessary, as the certificate should be public.

This is useful in the case where we want a service that can't read the
certificate chain (or bundle) to be able to read that CA certificate.
This is the case for the MariaDB version that is being used in CentOS
7.1 for example.

Change-Id: I6ff59326a5570670c031b448fb0ffd8dfbd8b025
---

diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml
index 5a36e951..aab42849 100644
--- a/puppet/extraconfig/tls/ca-inject.yaml
+++ b/puppet/extraconfig/tls/ca-inject.yaml
@@ -45,7 +45,7 @@ resources:
         cat > ${cacert_path} << EOF
         ${cacert_content}
         EOF
-        chmod 0440 ${cacert_path}
+        chmod 0444 ${cacert_path}
         chown root:root ${cacert_path}
         ${update_anchor_command}
         md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum