I don't have a direct answer about whether it should be configurable or not -- I lean towards no, but without a use case to think about it in context I don't know if there is a valid reason for configurability that I'm missing. As for ansible specifying the mode, ssh could be seen as a precedent here -- ssh demands that you set file permissions of private keys and the .ssh directory in certain specific ways, otherwise it will not use the data. Group is also covered by this.

Right now, when you use vault to encrypt a file, conceptually you are importing the data into a secure data store. So details of how that data is protected and represented internally are not really the end user's concern. The end user is responsible for putting the correct data into vault and using it via variable names. Ansible is responsible for keeping that data secure when it isn't being accessed. Restrictive file permissions are one layer that can help with this (although the encryption itself is certainly the main protection vault has).

I think it would be good for encrypt to change the permissions as well. It's not as essential as for edit, because ansible is taking a user-created file and encrypting it. So once ansible starts manipulating it, the data is no longer readable because of the encryption. When you run ansible-edit, ansible creates a temporary file for you to edit. This temporary file is in clear text, so file permissions are the only thing protecting the data. Could ansible edit save off the file permissions before it decrypts to a temp file and then restore the file permissions on the re-encrypted data afterwards? That's probably doable, but since we generally think of the encrypted file as just a storage format for the secret data that it contains, I think it's better to consider the file created by ansible encrypt not setting the more restrictive permissions to be the bug.

It would be helpful if you could state your use case that's being impacted by the way vault works. Right now, I can tell you how vault works and how it aligns with vault conceptually. And you can tell us that the concepts conflict with how you wish you could use vault, but without knowing what it is you are trying to accomplish I can't tell if vault needs to change conceptually or if there's a more-ansible-ish method of accomplishing your goals.

-Toshio

-- 
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAG9juEoT57n%3DrjuR3ggaU6iAYuEZ7Furf09wWbwMHTZYVjR-fg%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
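The two permission safeguards discussed in the message above (an ssh-style owner-only check, a cleartext temp file that is never readable by others, and saving and restoring the encrypted file's mode around an edit) as an added, self-contained example. This is illustrative code written for this thread, not Ansible's own vault implementation: `is_owner_only`, `write_secret_file`, `edit_round_trip` and `demo` are hypothetical names, base64 stands in for the real vault cipher (it is encoding, not encryption), and the sample secrets file is constructed in a scratch directory.

```python
import base64
import os
import stat
import tempfile

# Any group/other permission bit on a secret file is a problem. This is the same
# spirit as ssh refusing to use a private key whose mode is not owner-only.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def mode_of(path):
    """Return the permission bits of path (e.g. 0o644) without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_owner_only(path):
    """True if no group/other bit is set, i.e. only the owner (and root) can access it."""
    return mode_of(path) & GROUP_OTHER_BITS == 0


def write_secret_file(path, data):
    """Write data so the file is 0600 from the moment it exists.

    Passing the mode to os.open avoids a window in which the file is created
    with the umask-derived default and tightened afterwards; the explicit chmod
    covers a pre-existing file that had looser bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)


def edit_round_trip(vault_path, decrypt, encrypt, editor):
    """Mimic the 'decrypt to a temp file, edit, re-encrypt' flow with two safeguards.

    1. tempfile.mkstemp creates the cleartext file with mode 0600, so the
       decrypted data is never readable by other users while it is on disk.
    2. The encrypted file's mode is recorded first and restored after the
       re-encrypted data is written back, so an edit never loosens it.

    decrypt/encrypt are caller-supplied stand-ins; editor(tmp_path) modifies the
    cleartext in place. Returns the mode that was restored.
    """
    saved_mode = mode_of(vault_path)
    fd, tmp_path = tempfile.mkstemp(prefix="vault-edit-")
    try:
        with open(vault_path, "rb") as f:
            cleartext = decrypt(f.read())
        with os.fdopen(fd, "wb") as f:
            f.write(cleartext)
        if not is_owner_only(tmp_path):
            raise RuntimeError("cleartext temp file is not owner-only")
        editor(tmp_path)
        with open(tmp_path, "rb") as f:
            new_cleartext = f.read()
        with open(vault_path, "wb") as f:
            f.write(encrypt(new_cleartext))
    finally:
        os.unlink(tmp_path)  # the cleartext copy must not outlive the edit
    os.chmod(vault_path, saved_mode)
    return saved_mode


def demo():
    """Constructed scenario: an 'encrypted' file with loose 0644 bits is edited,
    then rewritten with write_secret_file. Returns the observations as a dict."""
    enc, dec = base64.b64encode, base64.b64decode  # placeholder, NOT encryption
    workdir = tempfile.mkdtemp()
    vault_path = os.path.join(workdir, "secrets.yml")
    with open(vault_path, "wb") as f:
        f.write(enc(b"db_password: old\n"))
    os.chmod(vault_path, 0o644)  # simulate the loose permissions the thread describes
    loose_before = is_owner_only(vault_path)

    def editor(tmp_path):
        with open(tmp_path, "wb") as f:
            f.write(b"db_password: new\n")

    restored_mode = edit_round_trip(vault_path, dec, enc, editor)
    with open(vault_path, "rb") as f:
        after_edit = dec(f.read())

    # The fix the message argues for: the encrypt side sets restrictive bits itself.
    write_secret_file(vault_path, enc(after_edit))
    tight_after = is_owner_only(vault_path)

    os.unlink(vault_path)
    os.rmdir(workdir)
    return {
        "loose_before": loose_before,
        "restored_mode": restored_mode,
        "after_edit": after_edit,
        "tight_after": tight_after,
    }
```

Running `demo()` shows the edit path preserving whatever mode the encrypted file already had (here the loose 0644) while keeping the cleartext copy at 0600, and the write path producing an owner-only file regardless of umask; the two together are the "restrictive permissions as one extra layer" that the message describes.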
