# HG changeset patch
# User David Hollister <david.hollister@oracle.com>
# Date 1476302473 21600
# Node ID 61352b4e5af578ab4362137b52ec5dbb6c414f5b
# Parent  a50590d0073007cf07eaa49d948861ab58e697fd
24797203 OpenStack RBAC profiles allow reading too many files
24797238 keystone RBAC and SMF should point at Apache log files
24797256 cinder RBAC and SMF should point at Apache log files
24830959 horizon RBAC and SMF should point at Apache log files

diff -r a50590d00730 -r 61352b4e5af5 components/openstack/cinder/files/cinder-api.xml
--- a/components/openstack/cinder/files/cinder-api.xml	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/cinder/files/cinder-api.xml	Wed Oct 12 14:01:13 2016 -0600
@@ -124,6 +124,13 @@
         </loctext>
       </description>
 
+      <documentation>
+        <external_logfile
+          path='/var/log/cinder/cinder_access.log'/>
+        <external_logfile
+          path='/var/log/cinder/cinder_error.log'/>
+      </documentation>
+
       <pg_pattern required='true' type='application' name='config'>
         <prop_pattern required='true' type='astring' name='access_log'>
           <description>
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/cinder/files/cinder.prof_attr
--- a/components/openstack/cinder/files/cinder.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/cinder/files/cinder.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -5,7 +5,9 @@
 solaris.admin.edit/etc/cinder/*.json,\
 solaris.smf.manage.cinder,\
 solaris.smf.value.cinder;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_search}\:/var/log/cinder,\
+{file_dac_read}\:/var/log/cinder/*,\
+{file_dac_read}\:/var/svc/log/application-openstack-cinder-*
 
 OpenStack Management:RO:::profiles=OpenStack Block Storage Management
 
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/glance/files/glance.prof_attr
--- a/components/openstack/glance/files/glance.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/glance/files/glance.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -6,6 +6,6 @@
 solaris.admin.edit/etc/glance/metadefs/*.json,\
 solaris.smf.manage.glance,\
 solaris.smf.value.glance;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-glance-*
 
 OpenStack Management:RO:::profiles=OpenStack Image Management
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/heat/files/heat.prof_attr
--- a/components/openstack/heat/files/heat.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/heat/files/heat.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -7,6 +7,6 @@
 solaris.admin.edit/etc/heat/templates/*.yaml,\
 solaris.smf.manage.heat,\
 solaris.smf.value.heat;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-heat-*
 
 OpenStack Management:RO:::profiles=OpenStack Orchestration Management
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/horizon/files/horizon.prof_attr
--- a/components/openstack/horizon/files/horizon.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/horizon/files/horizon.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -4,6 +4,7 @@
 solaris.admin.edit/etc/openstack_dashboard/local_settings.py,\
 solaris.smf.manage.horizon,\
 solaris.smf.value.horizon;\
-defaultpriv={file_dac_read}\:/var/log/openstack_dashboard/*
+defaultpriv={file_dac_read}\:/var/log/openstack_dashboard/*,\
+{file_dac_read}\:/var/svc/log/application-openstack-horizon*
 
 OpenStack Management:RO:::profiles=OpenStack Dashboard Management
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/horizon/files/horizon.xml
--- a/components/openstack/horizon/files/horizon.xml	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/horizon/files/horizon.xml	Wed Oct 12 14:01:13 2016 -0600
@@ -112,6 +112,13 @@
         </loctext>
       </description>
 
+      <documentation>
+        <external_logfile
+          path='/var/log/openstack_dashboard/openstack_dashboard_access.log'/>
+        <external_logfile
+          path='/var/log/openstack_dashboard/openstack_dashboard_error.log'/>
+      </documentation>
+
       <pg_pattern required='true' type='application' name='config'>
         <prop_pattern required='true' type='astring' name='servername'>
           <description>
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/ironic/files/ironic.prof_attr
--- a/components/openstack/ironic/files/ironic.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/ironic/files/ironic.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -4,7 +4,7 @@
 solaris.admin.edit/etc/ironic/*.json,\
 solaris.smf.manage.ironic,\
 solaris.smf.value.ironic;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-ironic-*
 
 OpenStack Management:RO:::profiles=OpenStack Bare Metal Provisioning Management
 
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/keystone/files/keystone.prof_attr
--- a/components/openstack/keystone/files/keystone.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/keystone/files/keystone.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -6,6 +6,8 @@
 solaris.admin.edit/etc/keystone/default_catalog.templates,\
 solaris.smf.manage.keystone,\
 solaris.smf.value.keystone;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-keystone*,\
+{file_dac_search}\:/var/log/keystone,\
+{file_dac_read}\:/var/log/keystone/*
 
 OpenStack Management:RO:::profiles=OpenStack Identity Management
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/keystone/files/keystone.xml
--- a/components/openstack/keystone/files/keystone.xml	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/keystone/files/keystone.xml	Wed Oct 12 14:01:13 2016 -0600
@@ -123,6 +123,13 @@
         </loctext>
       </description>
 
+      <documentation>
+        <external_logfile
+          path='/var/log/keystone/keystone_access.log'/>
+        <external_logfile
+          path='/var/log/keystone/keystone_error.log'/>
+      </documentation>
+
       <pg_pattern required='true' type='application' name='config'>
         <prop_pattern required='true' type='count' name='admin_port'>
           <description>
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/neutron/files/neutron.prof_attr
--- a/components/openstack/neutron/files/neutron.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/neutron/files/neutron.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -6,7 +6,7 @@
 solaris.admin.edit/etc/neutron/plugins/*/*.ini,\
 solaris.smf.manage.neutron,\
 solaris.smf.value.neutron;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-neutron-*
 
 OpenStack Management:RO:::profiles=OpenStack Network Management
 
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/nova/files/nova.prof_attr
--- a/components/openstack/nova/files/nova.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/nova/files/nova.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -5,7 +5,7 @@
 solaris.admin.edit/etc/nova/*.json,\
 solaris.smf.manage.nova,\
 solaris.smf.value.nova;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-nova-*
 
 OpenStack Management:RO:::profiles=OpenStack Compute Management
 
diff -r a50590d00730 -r 61352b4e5af5 components/openstack/swift/files/swift.prof_attr
--- a/components/openstack/swift/files/swift.prof_attr	Wed Oct 12 08:38:46 2016 -0700
+++ b/components/openstack/swift/files/swift.prof_attr	Wed Oct 12 14:01:13 2016 -0600
@@ -4,6 +4,6 @@
 solaris.admin.edit/etc/swift/mime.types,\
 solaris.smf.manage.swift,\
 solaris.smf.value.swift;\
-defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-*
+defaultpriv={file_dac_read}\:/var/svc/log/application-openstack-swift-*
 
 OpenStack Management:RO:::profiles=OpenStack Object Storage Management