Set kafka_broker.key permissions (removes when) Fixes #1590 #1591
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch is related to issue confluentinc#1590, see that for further discussion. Permissions on the /var/ssl/private/kafka_broker.key file are publicly readable. Upon further investigation it looks to be conditional, dependent on `ssl_provided_keystore_and_truststore_remote_src`, and if that is set to false, the keystore is protected. It seems like in any case you'd want it to be protected. This looks like in 7.5.3 it is related to the setting ssl_mutual_auth_enabled and in 7.6.1 the ssl_provided_keystore_and_trustore_remote_src setting. The block in question is, in 7.6.1-post: - name: Set Truststore and Keystore File Permissions file: path: "{{item}}" owner: "{{user}}" group: "{{group}}" mode: '640' loop: - "{{keystore_path}}" - "{{truststore_path}}" when: not ( ssl_provided_keystore_and_truststore_remote_src|bool ) In reading the git history (and checking back in 6.2.15-post where the 640 permission was last changed from int to string), I'm under the impression that the "when" condition was blanket applied to the tasks in this role, when it probably shouldn't have been applied to this permission setting. In 7.5.3, this when condition was when: export_certs|bool where export_certs: "{{ssl_mutual_auth_enabled}}"
|
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch is related to issue #1590, see that for further discussion.
edit: I was referring to the wrong task when I originally wrote this up, updating below.
Permissions on the /var/ssl/private/kafka_broker.key file are publicly readable. Upon further investigation it looks to be conditional, dependent on
export_certsansible var, and if that is set to true, the key file is protected.export_certsis set based onkafka_broker_export_certs, which in turn is set tossl_mutual_auth_enabled.It seems like in any case you'd want the broker key to be protected.
In reading the git history (and checking back in 6.2.15-post where the 640 permission was last changed from int to string), I'm under the impression that the "when" condition was blanket applied to the tasks in this role, when it probably shouldn't have been applied to this permission setting. In 7.5.3, this when condition was when: export_certs|bool where export_certs: "{{ssl_mutual_auth_enabled}}"
Description
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
Fixes # (issue)
Type of change
How Has This Been Tested?
I have not tested this.
Checklist: