From e544061f67157d025c4fa97a20b9f583eb5ded47 Mon Sep 17 00:00:00 2001
From: Don Penney
Date: Wed, 17 Jul 2019 11:49:42 -0400
Subject: [PATCH] Update barbican OCF scripts to enhance logging

This commit updates the barbican OCF scripts to address logging issues:
- barbican-api is updated to set permissions on the logfile to restrict access
- barbican-keystone-listener and barbican-worker are updated to log via syslog
Depends-On: I31b29bb8ffff28cd329b383704b88cf73199bcec
Change-Id: I814d35ca3e55fbfb9e0a462f3f05ff2db6a9cca5
Partial-Bug: 1836632
Signed-off-by: Don Penney
---
 stx-ocf-scripts/centos/build_srpm.data | 2 +-
 stx-ocf-scripts/src/ocf/barbican-api | 2 ++
 stx-ocf-scripts/src/ocf/barbican-keystone-listener | 3 +--
 stx-ocf-scripts/src/ocf/barbican-worker | 3 +--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/stx-ocf-scripts/centos/build_srpm.data b/stx-ocf-scripts/centos/build_srpm.data
index 408254c1..833e4170 100644
--- a/stx-ocf-scripts/centos/build_srpm.data
+++ b/stx-ocf-scripts/centos/build_srpm.data
@@ -1,2 +1,2 @@
 SRC_DIR="$PKG_BASE/src"
-TIS_PATCH_VER=2
+TIS_PATCH_VER=3
diff --git a/stx-ocf-scripts/src/ocf/barbican-api b/stx-ocf-scripts/src/ocf/barbican-api
index 1ad992da..0ff3c759 100644
--- a/stx-ocf-scripts/src/ocf/barbican-api
+++ b/stx-ocf-scripts/src/ocf/barbican-api
@@ -249,6 +249,8 @@ barbican_api_start() {
 chown barbican:barbican /run/barbican
 /bin/python /usr/bin/gunicorn --pid $OCF_RESKEY_pid --config /etc/barbican/gunicorn-config.py \
 --paste /etc/barbican/barbican-api-paste.ini >> /var/log/barbican/barbican-api.log 2>&1 &
+ # Restrict access to logfile
+ chmod 640 /var/log/barbican/barbican-api.log
 # Spin waiting for the server to come up.
 while true; do
diff --git a/stx-ocf-scripts/src/ocf/barbican-keystone-listener b/stx-ocf-scripts/src/ocf/barbican-keystone-listener
index ab364b7c..4bfaffde 100644
--- a/stx-ocf-scripts/src/ocf/barbican-keystone-listener
+++ b/stx-ocf-scripts/src/ocf/barbican-keystone-listener
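Review bot: In `barbican_api_start` (barbican-api hunk) the added `chmod 640` runs only after gunicorn has been launched in the background with `>> /var/log/barbican/barbican-api.log`, so on a first start the file can exist with umask-default permissions until the chmod lands. If the backgrounded job has not yet created the file, the chmod fails and nothing checks its status, leaving the log at its default mode. Creating and restricting the file before the launch closes that window, e.g. `touch /var/log/barbican/barbican-api.log && chmod 640 /var/log/barbican/barbican-api.log` placed above the `/bin/python /usr/bin/gunicorn` line. Whatever rotates this log would also have to recreate it with the same mode; that is not visible here, and the function body continues outside the hunk.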
@@ -194,8 +194,7 @@ barbican_keystone_listener_start() {
 # run the actual barbican-keystone-listener daemon. Don't use ocf_run as we're sending the
 # tool's output straight to /dev/null anyway and using ocf_run would break stdout-redirection here.
- su ${OCF_RESKEY_user} -s /bin/sh -c "${OCF_RESKEY_binary} --logfile \
- /var/log/barbican/barbican-keystone-listener.log"' >> /dev/null 2>&1 & echo $!' > $OCF_RESKEY_pid
+ su ${OCF_RESKEY_user} -s /bin/sh -c "${OCF_RESKEY_binary}"' >> /dev/null 2>&1 & echo $!' > $OCF_RESKEY_pid
 # Spin waiting for the server to come up.
 while true; do
diff --git a/stx-ocf-scripts/src/ocf/barbican-worker b/stx-ocf-scripts/src/ocf/barbican-worker
index a63a9cca..575e70e6 100644
--- a/stx-ocf-scripts/src/ocf/barbican-worker
+++ b/stx-ocf-scripts/src/ocf/barbican-worker
@@ -181,8 +181,7 @@ barbican_worker_start() {
 # run the actual barbican-worker daemon. Don't use ocf_run as we're sending the tool's output
 # straight to /dev/null anyway and using ocf_run would break stdout-redirection here.
- su ${OCF_RESKEY_user} -s /bin/sh -c "${OCF_RESKEY_binary} \
- --logfile /var/log/barbican/barbican-worker.log"' >> /dev/null 2>&1 & echo $!' > $OCF_RESKEY_pid
+ su ${OCF_RESKEY_user} -s /bin/sh -c "${OCF_RESKEY_binary}"' >> /dev/null 2>&1 & echo $!' > $OCF_RESKEY_pid
 # Spin waiting for the server to come up.
 while true; do
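Review bot: With `--logfile` dropped from the `su ... -c "${OCF_RESKEY_binary}"` line in `barbican_keystone_listener_start`, and stdout/stderr still sent to `/dev/null`, the daemon produces no log output at all unless its own configuration enables syslog. Presumably the Depends-On change supplies that setting, but nothing in the script states or checks it, and the same applies to the `barbican_worker_start` hunk in barbican-worker. For a key-management service a silent loss of logs removes the audit trail an investigation would rely on, so the dependency should at least be written down next to the launch line, e.g. `# Logging goes to syslog via the service configuration; stdout/stderr are discarded here.` Both functions start and end outside their hunks.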