Elukey has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/398035 )
Change subject: Restrict read permissions to the config file when SSL is enabled
......................................................................
Restrict read permissions to the config file when SSL is enabled
Change-Id: I038658b4b702c24a353c7ce03aeb9b8f77fe3714
---
M manifests/instance.pp
1 file changed, 12 insertions(+), 1 deletion(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet/varnishkafka refs/changes/35/398035/1
diff --git a/manifests/instance.pp b/manifests/instance.pp
index f47ebab..fa598d1 100644
--- a/manifests/instance.pp
+++ b/manifests/instance.pp
@@ -131,7 +131,7 @@
$log_statistics_interval = 60,
$should_subscribe = true,
- $conf_template = 'varnishkafka/varnishkafka.conf.erb',
+ $conf_template = 'varnishkafka/varnishkafka_v4.conf.erb',
$force_protocol_version = undef,
$ssl_enabled = false,
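Review bot: the default for $conf_template moves from 'varnishkafka/varnishkafka.conf.erb' to 'varnishkafka/varnishkafka_v4.conf.erb' in this hunk, but the commit message only covers read permissions on the config file. Every instance that relies on the default will render a different config on the next run. Please split this into its own change, or say in the commit message why the template default has to move together with the permission change.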
@@ -142,8 +142,19 @@
) {
require ::varnishkafka
+ # A more restrictive set of reading permissions
+ # is deployed if SSL is configured, since the key's password
+ # will be stored in the instance config.
+ $instance_conf_mode = $ssl_enabled ? {
+ true => '0400',
+ default => '0444',
+ }
+
file { "/etc/varnishkafka/${name}.conf":
content => template($conf_template),
+ owner => 'root',
+ group => 'root',
+ mode => $instance_conf_mode,
require => Package['varnishkafka'],
}
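Review bot: with owner and group 'root' and mode '0400' on the file resource, only root can read /etc/varnishkafka/${name}.conf when $ssl_enabled is true. If the daemon opens its config as a non-root user it will not be able to read it, so please confirm which user reads the file, or use a dedicated group with '0440'. The selector also matches only boolean true, so a caller passing the string 'true' falls through to default => '0444' and leaves the key's password world-readable; validating $ssl_enabled as a boolean would close that gap. Since content will now carry the password, consider show_diff => false on the file resource so the rendered config does not end up in agent logs and reports.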
--
To view, visit https://gerrit.wikimedia.org/r/398035
Gerrit-MessageType: newchange
Gerrit-Change-Id: I038658b4b702c24a353c7ce03aeb9b8f77fe3714
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet/varnishkafka
Gerrit-Branch: master
Gerrit-Owner: Elukey <[email protected]>