From: Seena Fallah Date: Sun, 19 May 2024 10:03:12 +0000 (+0200) Subject: rgw: eliminate vault token perm for group read X-Git-Tag: testing/wip-pdonnell-testing-20240726.202642-debug~14^2 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=63508ccb96a34f7e81384ee4bdb64f66def9f909;p=ceph-ci.git rgw: eliminate vault token perm for group read Typically, the HashiCorp Vault token is refreshed by another process, such as the Vault Agent. This process needs ownership of the file to write the new token. Since Ceph primarily runs with its own user, it cannot access the token file unless it has group read permissions. This requires either assigning the correct group to the file by the Vault Agent or ensuring Ceph is part of the appropriate group. By eliminating the restriction on group read permissions, this can be achievable. Fixes: https://tracker.ceph.com/issues/66121 Signed-off-by: Seena Fallah
---
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index ea30ff868fd..a0ec644c35c 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
@@ -221,9 +221,9 @@ protected:
 return -ENOENT;
 }
- if (token_st.st_mode & (S_IRWXG | S_IRWXO)) {
+ if (token_st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)) {
 ldpp_dout(dpp, 0) << "ERROR: Vault token file '" << token_file << "' permissions are "
- << "too open, it must not be accessible by other users" << dendl;
+ << "too open, the maximum allowed is 0740" << dendl;
 return -EACCES;
 }
@@ -257,7 +257,7 @@ protected:
 int res;
 string vault_token = "";
 if (RGW_SSE_KMS_VAULT_AUTH_TOKEN == kctx.auth()){
- ldpp_dout(dpp, 0) << "Loading Vault Token from filesystem" << dendl;
+ ldpp_dout(dpp, 20) << "Loading Vault Token from filesystem" << dendl;
 res = load_token_from_file(dpp, &vault_token);
 if (res < 0){
 return res;
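Review bot: The relaxed mask on the `if (token_st.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO))` line now accepts group-readable token files, so the guard's strength depends on the file's group being the intended one; whether `st_uid`/`st_gid` are compared against the rgw process identity is not visible in this hunk, and if they are not, that reliance should be stated next to the check. Suggested comment above the condition: `// group read is tolerated so a token-refreshing agent that owns the file can share it with the rgw user; group write/exec and any world access are still rejected (max 0740)`. The new error string `"too open, the maximum allowed is 0740"` is consistent with the mask, since it leaves exactly the owner bits plus group read. The enclosing function starts and ends outside the hunk.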