From f5c48106ecd7628819a9a68491c2b5633e94c2bc Mon Sep 17 00:00:00 2001
From: Sean Reifschneider
Date: Thu, 9 May 2024 15:55:04 -0600
Subject: [PATCH] Set kafka_broker.key permissions (removes when)

Fixes #1590

This patch is related to issue #1590; see that for further discussion.

Permissions on the /var/ssl/private/kafka_broker.key file are publicly readable. Upon further investigation it looks to be conditional, dependent on `ssl_provided_keystore_and_truststore_remote_src`, and if that is set to false, the keystore is protected. It seems like in any case you'd want it to be protected.

It looks like in 7.5.3 this is related to the setting ssl_mutual_auth_enabled and in 7.6.1 to the ssl_provided_keystore_and_trustore_remote_src setting.

The block in question is, in 7.6.1-post:

    - name: Set Truststore and Keystore File Permissions
      file:
        path: "{{item}}"
        owner: "{{user}}"
        group: "{{group}}"
        mode: '640'
      loop:
        - "{{keystore_path}}"
        - "{{truststore_path}}"
      when: not ( ssl_provided_keystore_and_truststore_remote_src|bool )

In reading the git history (and checking back in 6.2.15-post, where the 640 permission was last changed from int to string), I'm under the impression that the "when" condition was blanket-applied to the tasks in this role, when it probably shouldn't have been applied to this permission setting.

In 7.5.3, this when condition was

    when: export_certs|bool

where

    export_certs: "{{ssl_mutual_auth_enabled}}"
---
 roles/ssl/tasks/main.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/roles/ssl/tasks/main.yml b/roles/ssl/tasks/main.yml
index 2e6e791b3..60e7fd3e2 100644
--- a/roles/ssl/tasks/main.yml
+++ b/roles/ssl/tasks/main.yml
@@ -44,7 +44,6 @@
         - "{{ca_cert_path}}"
         - "{{cert_path}}"
         - "{{key_path}}"
-      when: export_certs|bool
 
 - name: Set BCFKS Truststore and Keystore File Permissions
   file:
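Review bot: dropping `when: export_certs|bool` makes this permission task unconditional, but the loop still covers `{{ca_cert_path}}`, `{{cert_path}}` and `{{key_path}}`, and on hosts where this role did not export those files (exactly the case the condition used to skip) the `file` module fails when a path does not exist, so the play will now break there instead of silently leaving the key readable. Either gate each item on a prior `stat` (register the results and add `when: item.stat.exists`), or narrow the unconditional task to `{{key_path}}`, the only secret in the list and the file the commit message is actually about. The message also quotes the 7.6.1 keystore/truststore task with `not ( ssl_provided_keystore_and_truststore_remote_src|bool )`, yet this hunk removes the 7.5.3-era `export_certs|bool` from a different task (the cert/key one) and leaves the following "Set BCFKS Truststore and Keystore File Permissions" task untouched; the description should say which branch the hunk targets and whether the keystore/truststore tasks need the same change.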
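The condition this patch removes is what let a broker's private key end up world-readable, which is easy to miss until someone checks the host. The following is an added example, not part of the patch or of the Ansible role it touches: a small POSIX shell audit that finds `*.key` files under a directory whose mode grants any group or other bit, and a companion that tightens them to 0600 without touching neighbouring certificates. The directory layout and file names are assumptions for illustration; it assumes GNU find/coreutils (`-perm /mode`, `stat -c`).

```shell
#!/bin/sh
# Added example, not project code. Audits and hardens private-key file modes.
# Assumes GNU find (-perm /077) and GNU stat (-c '%a'); directory is an argument.

# List every *.key under $1 whose mode has any group/other permission bit set.
# Returns 0 when none are found, 1 when at least one offender exists.
audit_key_perms() {
    dir="$1"
    # -perm /077: match if ANY of the group/other rwx bits is set
    find "$dir" -type f -name '*.key' -perm /077 -print |
    while IFS= read -r f; do
        printf '%s: mode %s grants access beyond the owner\n' \
            "$f" "$(stat -c '%a' "$f")"
    done
    # Second pass only decides the return code; -quit stops at the first hit.
    [ -z "$(find "$dir" -type f -name '*.key' -perm /077 -print -quit)" ]
}

# Restrict every *.key under $1 to owner read/write only (0600). Certificates
# and CA bundles in the same directory are deliberately left alone: they are
# public material and services often need to read them as other users.
harden_key_perms() {
    dir="$1"
    find "$dir" -type f -name '*.key' -perm /077 -exec chmod 600 {} +
}

# Usage when run directly (assumed path; the patch's case is
# /var/ssl/private/kafka_broker.key):
#   sh audit_keys.sh /var/ssl/private
if [ "${1:-}" != "" ] && [ "$(basename -- "$0")" = "audit_keys.sh" ]; then
    if ! audit_key_perms "$1"; then
        echo "hardening keys under $1"
        harden_key_perms "$1"
        audit_key_perms "$1"
    fi
fi
```

Run the audit in CI or a cron job against the directory the role writes to; a non-zero exit is the signal that a deploy (or a conditional like the removed `when`) left a key exposed. The hardening step changes mode only, not ownership, so it is safe to run as the key's owner rather than root.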